WP Coder – Insert & Manage Code Snippets Security & Risk Analysis

wordpress.org/plugins/wp-coder

Snippets made simple — easily insert and manage custom PHP, CSS, JS & HTML without coding in theme files.

10K active installs · v4.5 · PHP 7.4+ · WP 5.4+ · Updated Feb 14, 2026

Tags: code, code-snippets, shortcode, snippets

Score: 95 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Jan 31, 2025
Safety Verdict

Is WP Coder – Insert & Manage Code Snippets Safe to Use in 2026?

Generally Safe

Score 95/100

WP Coder – Insert & Manage Code Snippets has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jan 31, 2025 · Updated 1mo ago
Risk Assessment

The wp-coder plugin v4.5 exhibits a mixed security posture. On the positive side, it demonstrates good practices in SQL query handling, with 82% of queries using prepared statements, and a high rate of output escaping (95%). The absence of dangerous functions, external HTTP requests, and bundled libraries is also a strength. However, significant concerns arise from its attack surface and taint analysis. The plugin exposes two REST API routes without permission callbacks, leaving them open to unauthorized access and manipulation. Additionally, the taint analysis reveals one high-severity flow with unsanitized paths, indicating a potential vulnerability that could lead to code execution or data compromise if exploited.

The plugin's vulnerability history is a major red flag, with five known CVEs, including three high-severity and two medium-severity vulnerabilities. The common types of past vulnerabilities (CSRF, XSS, SQL Injection) suggest a pattern of input validation and authorization flaws. While there are currently no unpatched CVEs, the history of numerous, often high-severity, vulnerabilities points to systemic issues in the development or review process. The recent vulnerability in early 2025, although now patched, reinforces the ongoing need for vigilance.

In conclusion, while wp-coder v4.5 has strengths in its handling of SQL and output, the presence of unprotected entry points and a concerning history of vulnerabilities, particularly the high-severity taint flow, warrant a cautious approach. The plugin's attack surface needs to be carefully managed, and the development team should prioritize addressing the root causes of past vulnerabilities to improve its overall security.

Key Concerns

  • REST API routes without permission callbacks
  • High severity taint flow found
  • History of 3 high severity CVEs
  • History of 2 medium severity CVEs
  • Unsanitized paths in taint flows
Vulnerabilities: 5

WP Coder – Insert & Manage Code Snippets Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2022: 1 CVE
2023: 1 CVE
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

High: 3
Medium: 2

5 total CVEs

CVE-2025-24699 · medium · 6.1 · Cross-Site Request Forgery (CSRF)
WP Coder – Code Snippets + HTML, CSS, JS and PHP Injection <= 3.6.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Jan 31, 2025 · Patched in 3.6.1 (22d)

CVE-2024-2578 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
WP Coder <= 3.5 - Authenticated (Editor+) Stored Cross-Site Scripting
Mar 18, 2024 · Patched in 3.5.1 (5d)

CVE-2023-0895 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
WP Coder – add custom html, css and js code <= 2.5.3 - Authenticated (Admin+) SQL Injection
Feb 17, 2023 · Patched in 2.5.4 (340d)

CVE-2022-2388 · high · 8.8 · Cross-Site Request Forgery (CSRF)
WP Coder <= 2.5.2 - Cross-Site Request Forgery
Jul 26, 2022 · Patched in 2.5.3 (546d)

CVE-2021-25053 · high · 8.8 · Cross-Site Request Forgery (CSRF)
WP Coder <= 2.5.1 - Remote File Inclusion leading to Remote Code Execution via Cross-Site Request Forgery
Dec 5, 2021 · Patched in 2.5.2 (779d)
Code Analysis
Analyzed Mar 16, 2026

WP Coder – Insert & Manage Code Snippets Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (28 prepared)
Unescaped Output: 19 (363 escaped)
Nonce Checks: 10
Capability Checks: 21
File Operations: 12
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

82% prepared (34 total queries)

Output Escaping

95% escaped (382 total outputs)

Data Flows: 11 unsanitized

Data Flow Analysis

20 flows, 11 with unsanitized paths

Flow diagram (not reproduced): menu (classes\Dashboard\DashboardInitializer.php:60). Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized.

Attack Surface: 2 unprotected

WP Coder – Insert & Manage Code Snippets Attack Surface

Entry Points: 3
Unprotected: 2

REST API Routes (2)

POST /wp-json/wpcoder/v1/preview (classes\Block\WPCoder_Block.php:64)
POST /wp-json/wpcoder/v1/attributes (classes\Block\WPCoder_Block.php:70)

Shortcodes (1)

[WP-Coder] (includes\class-wowp-public.php:19)

WordPress Hooks: 116
Maintenance & Trust

WP Coder – Insert & Manage Code Snippets Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 14, 2026
PHP min version: 7.4
Downloads: 369K

Community Trust

Rating: 98/100
Number of ratings: 31
Active installs: 10K
Developer Profile

WP Coder – Insert & Manage Code Snippets Developer Profile

Wow-Company

25 plugins · 98K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 236 days
Detection Fingerprints

How We Detect WP Coder – Insert & Manage Code Snippets

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wp-coder/assets/css/admin/dashboard.css
/wp-content/plugins/wp-coder/assets/css/admin/layout.css
/wp-content/plugins/wp-coder/assets/css/admin/styles.css
/wp-content/plugins/wp-coder/assets/css/admin/wowp.css
/wp-content/plugins/wp-coder/assets/css/admin/wowp-dashboard.css
/wp-content/plugins/wp-coder/assets/js/admin/dashboard.js
/wp-content/plugins/wp-coder/assets/js/admin/editor.js
/wp-content/plugins/wp-coder/assets/js/admin/settings.js
+5 more

Generator Patterns

WP Coder

Version Parameters

/wp-content/plugins/wp-coder/assets/css/admin/dashboard.css?ver=
/wp-content/plugins/wp-coder/assets/css/admin/layout.css?ver=
/wp-content/plugins/wp-coder/assets/css/admin/styles.css?ver=
/wp-content/plugins/wp-coder/assets/css/admin/wowp.css?ver=
/wp-content/plugins/wp-coder/assets/css/admin/wowp-dashboard.css?ver=
/wp-content/plugins/wp-coder/assets/js/admin/dashboard.js?ver=
/wp-content/plugins/wp-coder/assets/js/admin/editor.js?ver=
/wp-content/plugins/wp-coder/assets/js/admin/settings.js?ver=
/wp-content/plugins/wp-coder/assets/js/admin/wowp.js?ver=
/wp-content/plugins/wp-coder/assets/js/admin/wowp-dashboard.js?ver=
/wp-content/plugins/wp-coder/assets/js/admin/wowp-editor.js?ver=
/wp-content/plugins/wp-coder/assets/js/admin/wowp-settings.js?ver=
/wp-content/plugins/wp-coder/assets/js/admin/wowp-tools.js?ver=

HTML / DOM Fingerprints

CSS Classes

wp-coder-admin
wp-coder-dashboard
wp-coder-settings
wp-coder-editor

HTML Comments

<!-- WP Coder Pro plugin by WPCoder.pro -->
<!-- WP Coder Pro plugin -->

Data Attributes

data-wp-coder-id
data-wp-coder-type
data-wp-coder-code-id
data-wp-coder-editor-id

JS Globals

WPCoderAdmin
wpCoderDashboard
wpCoderSettings
wpCoderEditor
WOWP

Shortcode Output

[wp_code id="
[wp_code]
<div class="wp-code" data-wp-coder-id="
<div class="wp-code">
FAQ

Frequently Asked Questions about WP Coder – Insert & Manage Code Snippets