WP-Safety

WP My Favourites Security & Risk Analysis

wordpress.org/plugins/wp-my-favourites

Choose your favourite posts, pages, comments, media and reorder them to display anywhere on your website.

0 active installs v1.1.0 PHP + WP 3.0.1+ Updated Sep 25, 2017
commentsfavouritesmediapoststheme-development
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is WP My Favourites Safe to Use in 2026?

Generally Safe

Score 85/100

WP My Favourites has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 8yr ago
Risk Assessment

The "wp-my-favourites" v1.1.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates a commitment to secure database practices by using prepared statements for all SQL queries and has no recorded vulnerabilities or CVEs. This suggests a generally well-maintained codebase in terms of these aspects. However, significant concerns arise from its attack surface. The plugin exposes 13 AJAX handlers without any authentication or capability checks, creating a large entry point for potential attacks. Furthermore, a critical finding is that 100% of its 26 output operations are not properly escaped. This, combined with the taint analysis revealing 2 flows with unsanitized paths, strongly indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities that could be exploited through the unprotected AJAX endpoints.

Key Concerns

  • 13 AJAX handlers without auth checks
  • 0% output escaping
  • 2 flows with unsanitized paths
  • No nonce checks
  • No capability checks
Vulnerabilities
None known

WP My Favourites Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

WP My Favourites Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
26
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
2

Bundled Libraries

DataTablesSelect2

Output Escaping

0% escaped26 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
wp_myfavourites_reorder_favourites (includes\class-wp-myfavourites-ajax.php:768)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
13 unprotected

WP My Favourites Attack Surface

Entry Points16
Unprotected13

AJAX Handlers 13

authwp_ajax_get_postsincludes\class-wp-myfavourites.php:177
authwp_ajax_mark_favourite_postincludes\class-wp-myfavourites.php:178
authwp_ajax_get_favourite_postsincludes\class-wp-myfavourites.php:179
authwp_ajax_get_commentsincludes\class-wp-myfavourites.php:181
authwp_ajax_mark_favourite_commentincludes\class-wp-myfavourites.php:182
authwp_ajax_get_favourite_commentsincludes\class-wp-myfavourites.php:183
authwp_ajax_get_mediaincludes\class-wp-myfavourites.php:185
authwp_ajax_mark_favourite_mediaincludes\class-wp-myfavourites.php:186
authwp_ajax_get_favourite_mediaincludes\class-wp-myfavourites.php:187
authwp_ajax_reorder_favouritesincludes\class-wp-myfavourites.php:189
authwp_ajax_save_posts_settingsincludes\class-wp-myfavourites.php:193
authwp_ajax_save_comments_settingsincludes\class-wp-myfavourites.php:194
authwp_ajax_save_media_settingsincludes\class-wp-myfavourites.php:195

Shortcodes 3

[show-favourite-posts] includes\class-wp-myfavourites.php:214
[show-favourite-comments] includes\class-wp-myfavourites.php:215
[show-favourite-media] includes\class-wp-myfavourites.php:216
WordPress Hooks 9
actionplugins_loadedincludes\class-wp-myfavourites.php:151
actionadmin_enqueue_scriptsincludes\class-wp-myfavourites.php:166
actionadmin_enqueue_scriptsincludes\class-wp-myfavourites.php:167
actionadmin_menuincludes\class-wp-myfavourites.php:168
actiontransition_post_statusincludes\class-wp-myfavourites.php:170
actiontransition_comment_statusincludes\class-wp-myfavourites.php:171
actiondelete_attachmentincludes\class-wp-myfavourites.php:172
actionwp_enqueue_scriptsincludes\class-wp-myfavourites.php:210
actionwp_enqueue_scriptsincludes\class-wp-myfavourites.php:211
Maintenance & Trust

WP My Favourites Maintenance & Trust

Maintenance Signals

WordPress version tested4.8.28
Last updatedSep 25, 2017
PHP min version
Downloads1K

Community Trust

Rating100/100
Number of ratings1
Active installs0
Alternatives

WP My Favourites Alternatives

Moving Contents

Moving Contents

moving-contents

A
100

Supports the transfer of Contents between servers.

70 No CVEs
Smart Bulk Delete & Content Cleaner for WordPress

Smart Bulk Delete & Content Cleaner for WordPress

smart-bulk-content-remover

A
100

Safely bulk delete posts, pages, media, and comments with flexible filters and a clean interface.

60 No CVEs
No Page Comment

No Page Comment

no-page-comment

A
99

An admin interface to control the default comment and trackback settings on new posts, pages and custom post types.

10K 2 CVEs
Bulk Datetime Change

Bulk Datetime Change

bulk-datetime-change

A
100

Bulk change date/time for posts.

7K 1 CVE
No External Links

No External Links

mihdan-no-external-links

A
98

Convert external links into internal links, site wide or post/page specific. Add NoFollow, Click logging, and more...

6K 2 CVEs
Developer Profile

WP My Favourites Developer Profile

Neelkanth Kaushik

1 plugin · 0 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP My Favourites

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-my-favourites/css/wp-myfavourites-admin.css/wp-content/plugins/wp-my-favourites/css/dataTables.bootstrap.min.css/wp-content/plugins/wp-my-favourites/css/rowReorder.dataTables.min.css/wp-content/plugins/wp-my-favourites/css/jqueryui/jquery-ui.min.css/wp-content/plugins/wp-my-favourites/js/wp-myfavourites-admin.js/wp-content/plugins/wp-my-favourites/js/dataTables.bootstrap.min.js/wp-content/plugins/wp-my-favourites/js/dataTables.min.js/wp-content/plugins/wp-my-favourites/js/jquery.dataTables.min.js+3 more
Script Paths
js/wp-myfavourites-admin.jsjs/dataTables.bootstrap.min.jsjs/dataTables.min.jsjs/jquery.dataTables.min.jsjs/jquery.validate.jsjs/jquery-ui.min.js+1 more
Version Parameters
/wp-content/plugins/wp-my-favourites/css/wp-myfavourites-admin.css?ver=/wp-content/plugins/wp-my-favourites/css/dataTables.bootstrap.min.css?ver=/wp-content/plugins/wp-my-favourites/css/rowReorder.dataTables.min.css?ver=/wp-content/plugins/wp-my-favourites/css/jqueryui/jquery-ui.min.css?ver=/wp-content/plugins/wp-my-favourites/js/wp-myfavourites-admin.js?ver=/wp-content/plugins/wp-my-favourites/js/dataTables.bootstrap.min.js?ver=/wp-content/plugins/wp-my-favourites/js/dataTables.min.js?ver=/wp-content/plugins/wp-my-favourites/js/jquery.dataTables.min.js?ver=/wp-content/plugins/wp-my-favourites/js/jquery.validate.js?ver=/wp-content/plugins/wp-my-favourites/js/jquery-ui.min.js?ver=/wp-content/plugins/wp-my-favourites/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-my-favouriteswp-myfavourites-admin-wrap
Data Attributes
data-wpmf-post-typedata-wpmf-post-id
JS Globals
wp_my_favourites_ajax_object
FAQ

Frequently Asked Questions about WP My Favourites