WP Plugin Info Card Security & Risk Analysis

wordpress.org/plugins/wp-plugin-info-card

Plugin Info Card displays plugins & themes data in beautiful cards using WP APIs. Custom plugins, EDD, and GitHub Info Cards are supported.

600 active installs · v6.3.0 · PHP + · WP 6.5+ · Updated Feb 5, 2026
Tags: card, cards, edd, github, grid
Score: 95
A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is WP Plugin Info Card Safe to Use in 2026?

Generally Safe

Score 95/100

WP Plugin Info Card has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Feb 17, 2026 · Updated 1mo ago
Risk Assessment

The wp-plugin-info-card v6.3.0 plugin exhibits a mixed security posture. While it demonstrates good practices in output escaping and nonce checks, with a low number of dangerous functions and no critical taint flows, there are notable areas of concern. The significant attack surface, with 10 unprotected entry points across AJAX handlers and REST API routes, presents a considerable risk. Furthermore, the vulnerability history reveals a pattern of medium severity issues, specifically Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), indicating a recurring tendency for input validation and access control weaknesses. Although there are no currently unpatched vulnerabilities, the historical prevalence of these specific types of issues suggests a need for ongoing vigilance and more robust security measures. The presence of external HTTP requests also warrants attention, as they can be vectors for further exploitation if not handled securely.

While the plugin scores well on several security metrics, such as a high percentage of properly escaped outputs and the absence of dangerous functions, the unprotected entry points are a significant concern. The 10 unprotected AJAX handlers and REST API routes, combined with the historical medium severity vulnerabilities in CSRF and XSS, highlight potential avenues for unauthorized actions and information disclosure. The plugin's strengths lie in its generally good output sanitization and the presence of nonce checks. However, the inherent risk associated with an unauthenticated attack surface, coupled with past vulnerability trends, means this plugin should be treated with caution and potentially undergo further manual security review. The relatively low percentage of prepared SQL statements is also a minor concern that could be improved.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • Medium severity CVE history (CSRF, XSS)
  • SQL queries without prepared statements
  • External HTTP requests
Vulnerabilities
4

WP Plugin Info Card Security Vulnerabilities

CVEs by Year

2015: 1 CVE
2025: 2 CVEs
2026: 1 CVE

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2026-2023 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP Plugin Info Card <= 6.2.0 - Cross-Site Request Forgery to Arbitrary Custom Plugin Entry Creation

Feb 17, 2026 · Patched in 6.3.0 (1d)

CVE-2025-5116 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Plugin Info Card <= 5.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via containerid Parameter

Jun 2, 2025 · Patched in 5.4.0 (1d)

CVE-2025-31835 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Plugin Info Card <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 1, 2025 · Patched in 5.3.1 (23d)

WF-691c0f3b-b723-4310-b4df-ed3e1db9d548-wp-plugin-info-card · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Plugin Info Card < 2.3.7 - Cross-Site Scripting

Mar 4, 2015 · Patched in 2.3.7 (3247d)

Code Analysis
Analyzed Mar 16, 2026

WP Plugin Info Card Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 5 (2 prepared)
Unescaped Output: 34 (932 escaped)
Nonce Checks: 31
Capability Checks: 42
File Operations: 1
External Requests: 9
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

29% prepared · 7 total queries

Output Escaping

96% escaped · 966 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
<EDD> (php\EDD.php:0)
Attack Surface
10 unprotected

WP Plugin Info Card Attack Surface

Entry Points: 50
Unprotected: 10

AJAX Handlers 31

auth · wp_ajax_wppic_save_options · php\Admin\Init.php:33
auth · wp_ajax_wppic_reset_options · php\Admin\Init.php:34
auth · wp_ajax_wppic_clear_cache · php\Admin\Init.php:35
auth · wp_ajax_wppic_clear_cache_options · php\Admin\Init.php:36
auth · wp_ajax_wppic_check_plugin · php\Admin\Init.php:37
auth · wp_ajax_wppic_check_plugin_slug · php\Admin\Init.php:38
auth · wp_ajax_wppic_check_theme · php\Admin\Init.php:39
auth · wp_ajax_wppic_get_sample_plugin · php\Admin\Init.php:40
auth · wp_ajax_wppic_save_custom_plugin · php\Admin\Init.php:43
auth · wp_ajax_wppic_delete_custom_plugin · php\Admin\Init.php:44
auth · wp_ajax_wppic_get_custom_plugins · php\Admin\Init.php:45
auth · wp_ajax_wppic_get_custom_plugin_data · php\Admin\Init.php:46
auth · wp_ajax_wppic_export_custom_plugin · php\Admin\Init.php:47
auth · wp_ajax_wppic_get_custom_plugin_advanced_options · php\Admin\Init.php:48
auth · wp_ajax_wppic_save_custom_plugin_advanced_options · php\Admin\Init.php:49
auth · wp_ajax_wppic_detach_custom_plugin_from_rest · php\Admin\Init.php:50
auth · wp_ajax_wppic_delete_plugin · php\Admin\Init.php:51
auth · wp_ajax_wppic_get_custom-plugin-cards_options · php\Admin\Tabs\Custom_Plugin.php:35
auth · wp_ajax_wppic_get_edd_options · php\Admin\Tabs\EDD.php:37
auth · wp_ajax_wppic_get_github_info_cards_options · php\Admin\Tabs\GitHub_Info_Cards.php:35
auth · wp_ajax_wppic_authenticate_with_github · php\Admin\Tabs\GitHub_Info_Cards.php:36
auth · wp_ajax_wppic_revoke_github_token · php\Admin\Tabs\GitHub_Info_Cards.php:37
auth · wp_ajax_wppic_get_home_options · php\Admin\Tabs\Main.php:35
auth · wp_ajax_wppic_widget_render · php\Admin.php:26
auth · wp_ajax_wppic_load_screenshot_presets · php\Blocks.php:29
auth · wp_ajax_wppic_save_screenshot_presets · php\Blocks.php:32
auth · wp_ajax_wppic_override_screenshot_preset · php\Blocks.php:35
auth · wp_ajax_wppic_edit_screenshot_preset · php\Blocks.php:38
auth · wp_ajax_wppic_delete_screenshot_preset · php\Blocks.php:41
auth · wp_ajax_async_wppic_shortcode_content · php\Shortcodes.php:32
nopriv · wp_ajax_async_wppic_shortcode_content · php\Shortcodes.php:33

REST API Routes 13

POST · /wp-json/wppic/v1custom-plugins/import · php\Import_Export.php:54
POST · /wp-json/wppic/v1custom-plugins/import-from-rest · php\Import_Export.php:65
POST · /wp-json/wppic/v1custom-plugins/import-from-rest/refresh · php\Import_Export.php:76
GET · /wp-json/wppic/v1plugins/(?P<slug>[-_a-zA-Z0-9]+)/(?P<passcode>[-_a-zA-Z0-9]+) · php\Import_Export.php:91
GET · /wp-json/wppic/v1/get_html · php\Shortcodes.php:232
GET · /wp-json/wppic/v2/get_data · php\Shortcodes.php:241
GET · /wp-json/wppic/v1/get_query · php\Shortcodes.php:250
GET · /wp-json/wppic/v2/get_query · php\Shortcodes.php:259
GET · /wp-json/wppic/v2/get_site_plugins · php\Shortcodes.php:268
GET · /wp-json/wppic/v2/get_github_data · php\Shortcodes.php:278
POST · /wp-json/wppic/v2/get_github_card_html · php\Shortcodes.php:307
GET · /wp-json/wppic/v2/get_profile_data · php\Shortcodes.php:498
POST · /wp-json/wppic/v2/get_profile_badges_html · php\Shortcodes.php:511

Shortcodes 6

[wp-pic] php\Shortcodes.php:26
[wp-pic-query] php\Shortcodes.php:27
[wp-pic-site-plugins] php\Shortcodes.php:28
[wp-pic-plugin-screenshots] php\Shortcodes.php:29
[github-info-card] php\Shortcodes.php:30
[wp-pic-badges] php\Shortcodes.php:31
WordPress Hooks 72
filter · plugin_row_meta · functions.php:92
filter · cron_schedules · functions.php:167
action · wppic_daily_cron · functions.php:172
filter · wppic_add_api_parser · php\Add_Plugin.php:21
filter · wppic_add_template · php\Add_Plugin.php:22
filter · wppic_add_mce_type · php\Add_Plugin.php:23
filter · wppic_add_list_form · php\Add_Plugin.php:24
filter · wppic_add_widget_type · php\Add_Plugin.php:25
filter · wppic_add_list_valdiation · php\Add_Plugin.php:26
filter · wppic_add_widget_item · php\Add_Plugin.php:27
filter · wppic_add_api_parser · php\Add_Theme.php:21
filter · wppic_add_template · php\Add_Theme.php:22
filter · wppic_add_mce_type · php\Add_Theme.php:23
filter · wppic_add_list_form · php\Add_Theme.php:24
filter · wppic_add_widget_type · php\Add_Theme.php:25
filter · wppic_add_list_valdiation · php\Add_Theme.php:26
filter · wppic_add_widget_item · php\Add_Theme.php:27
action · admin_enqueue_scripts · php\Admin\Init.php:32
filter · wppic_admin_tabs · php\Admin\Tabs\Custom_Plugin.php:31
filter · wppic_admin_sub_tabs · php\Admin\Tabs\Custom_Plugin.php:32
action · wppic_output_custom-plugin-cards · php\Admin\Tabs\Custom_Plugin.php:33
action · wppic_admin_enqueue_scripts_custom-plugin-cards · php\Admin\Tabs\Custom_Plugin.php:34
filter · wppic_admin_tabs · php\Admin\Tabs\EDD.php:33
filter · wppic_admin_sub_tabs · php\Admin\Tabs\EDD.php:34
action · wppic_output_edd · php\Admin\Tabs\EDD.php:35
action · wppic_admin_enqueue_scripts_edd · php\Admin\Tabs\EDD.php:36
filter · wppic_admin_tabs · php\Admin\Tabs\GitHub_Info_Cards.php:31
filter · wppic_admin_sub_tabs · php\Admin\Tabs\GitHub_Info_Cards.php:32
action · wppic_output_github-info-cards · php\Admin\Tabs\GitHub_Info_Cards.php:33
action · wppic_admin_enqueue_scripts_github-info-cards · php\Admin\Tabs\GitHub_Info_Cards.php:34
filter · wppic_admin_tabs · php\Admin\Tabs\Main.php:31
filter · wppic_admin_sub_tabs · php\Admin\Tabs\Main.php:32
action · wppic_output_home · php\Admin\Tabs\Main.php:33
action · wppic_admin_enqueue_scripts_home · php\Admin\Tabs\Main.php:34
action · admin_menu · php\Admin.php:25
action · admin_enqueue_scripts · php\Admin.php:27
action · wp_dashboard_setup · php\Admin.php:28
action · enqueue_block_assets · php\Blocks.php:24
action · init · php\Blocks.php:25
filter · block_categories_all · php\Blocks.php:26
filter · block_type_metadata_settings · php\Blocks.php:355
action · wp_footer · php\Blocks.php:405
filter · wppic_plugin_info · php\EDD.php:40
action · init · php\EDD.php:41
action · init · php\EDD.php:44
action · enqueue_block_editor_assets · php\EDD.php:51
action · save_post · php\EDD.php:54
action · save_post · php\EDD.php:57
filter · wppic_data_pre_display · php\EDD.php:60
action · add_meta_boxes · php\EDD.php:316
filter · wppic_add_api_parser · php\GitHub.php:22
action · rest_api_init · php\Import_Export.php:48
filter · wppic_plugin_info · php\Import_Export.php:125
action · wppic_rest_api_update_plugin_data · php\Import_Export.php:128
action · wp_enqueue_scripts · php\Shortcodes.php:23
action · wppic_enqueue_scripts · php\Shortcodes.php:24
action · rest_api_init · php\Shortcodes.php:25
action · init · php\Shortcodes.php:34
action · init · php\Shortcodes.php:35
action · wp_footer · php\Shortcodes.php:210
filter · wppic_allow_scripts · php\Shortcodes.php:1071
filter · wppic_allow_scripts · php\Shortcodes.php:1387
filter · wppic_allow_scripts · php\Shortcodes.php:1752
action · wp_footer · php\Shortcodes.php:1894
filter · safe_style_css · php\Shortcodes.php:2027
filter · safecss_filter_attr_allow_css · php\Shortcodes.php:2028
action · wp_footer · php\Shortcodes.php:2419
filter · mce_external_languages · php\TinyMCE\Init.php:25
action · admin_head · php\TinyMCE\Init.php:26
filter · mce_external_plugins · php\TinyMCE\Init.php:53
filter · mce_buttons · php\TinyMCE\Init.php:54
action · plugins_loaded · wp-plugin-info-card.php:173

Scheduled Events 2

wppic_daily_cron
wppic_rest_api_update_plugin_data
Maintenance & Trust

WP Plugin Info Card Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 5, 2026
PHP min version
Downloads: 48K

Community Trust

Rating: 100/100
Number of ratings: 23
Active installs: 600
Developer Profile

WP Plugin Info Card Developer Profile

Brice Capobianco

3 plugins · 61K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 656 days
Detection Fingerprints

How We Detect WP Plugin Info Card

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-plugin-info-card/assets/css/animate.min.css
/wp-content/plugins/wp-plugin-info-card/assets/css/owl.carousel.min.css
/wp-content/plugins/wp-plugin-info-card/assets/css/style.css
/wp-content/plugins/wp-plugin-info-card/assets/js/animate.min.js
/wp-content/plugins/wp-plugin-info-card/assets/js/owl.carousel.min.js
/wp-content/plugins/wp-plugin-info-card/assets/js/script.js
/wp-content/plugins/wp-plugin-info-card/assets/js/admin.js
/wp-content/plugins/wp-plugin-info-card/assets/js/admin-tabs.js
+9 more

Script Paths
/wp-content/plugins/wp-plugin-info-card/assets/js/animate.min.js
/wp-content/plugins/wp-plugin-info-card/assets/js/owl.carousel.min.js
/wp-content/plugins/wp-plugin-info-card/assets/js/script.js
/wp-content/plugins/wp-plugin-info-card/assets/js/admin.js
/wp-content/plugins/wp-plugin-info-card/assets/js/admin-tabs.js
/wp-content/plugins/wp-plugin-info-card/assets/js/admin-custom-plugin-tab.js
+8 more

Version Parameters
wp-plugin-info-card/assets/css/animate.min.css?ver=
wp-plugin-info-card/assets/css/owl.carousel.min.css?ver=
wp-plugin-info-card/assets/css/style.css?ver=
wp-plugin-info-card/assets/js/animate.min.js?ver=
wp-plugin-info-card/assets/js/owl.carousel.min.js?ver=
wp-plugin-info-card/assets/js/script.js?ver=
wp-plugin-info-card/assets/js/admin.js?ver=
wp-plugin-info-card/assets/js/admin-tabs.js?ver=
wp-plugin-info-card/assets/js/admin-custom-plugin-tab.js?ver=
wp-plugin-info-card/assets/js/admin-edd-tab.js?ver=
wp-plugin-info-card/assets/js/admin-github-info-cards-tab.js?ver=
wp-plugin-info-card/assets/js/admin-import-export.js?ver=
wp-plugin-info-card/assets/js/admin-options.js?ver=
wp-plugin-info-card/assets/js/admin-tinymce.js?ver=
wp-plugin-info-card/assets/js/admin-theme-tab.js?ver=
wp-plugin-info-card/assets/js/build/index.js?ver=
wp-plugin-info-card/assets/blocks/plugin-info-card/index.js?ver=

HTML / DOM Fingerprints

CSS Classes
wppic-plugin-info-card-wrapper
wppic-title
wppic-description
wppic-author
wppic-version
wppic-download-link
wppic-rating
wppic-installed
+20 more

HTML Comments
<!-- WP Plugin Info Card Start -->
<!-- WP Plugin Info Card End -->
<!-- wp-plugin-info-card admin page -->
<!-- tabs -->
+10 more

Data Attributes
data-plugin-slug
data-plugin-url
data-plugin-action
data-plugin-id
data-plugin-title
data-plugin-author
+30 more

JS Globals
wppic_admin_ajax_object
WPPIC
wppic_tinymce_plugin

REST Endpoints
/wp-json/wp-plugin-info-card/v1/custom-plugins
/wp-json/wp-plugin-info-card/v1/custom-plugins/(?P<id>[\d]+)
/wp-json/wp-plugin-info-card/v1/settings
/wp-json/wp-plugin-info-card/v1/github-cards
/wp-json/wp-plugin-info-card/v1/github-cards/(?P<id>[\d]+)
/wp-json/wp-plugin-info-card/v1/edd-cards
/wp-json/wp-plugin-info-card/v1/edd-cards/(?P<id>[\d]+)

Shortcode Output
[wppic_plugin_info_card]
[wppic_plugin_info_card slug=
[wppic_plugin_info_card id=
[wppic_plugin_info_card name=