WP Posts Carousel Security & Risk Analysis

wordpress.org/plugins/wp-posts-carousel

WP Posts Carousel is a widget and a shortcode generator to display posts or custom post types in Owl Carousel.

3K active installs · v1.3.13 · PHP + WP 3.6+ · Updated May 15, 2025

Tags: carousel, custom-carousel, owl-carousel, posts-carousel

Score: 94 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: May 29, 2025
Safety Verdict

Is WP Posts Carousel Safe to Use in 2026?

Generally Safe

Score 94/100

WP Posts Carousel has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: May 29, 2025 · Updated 10mo ago
Risk Assessment

The wp-posts-carousel plugin, version 1.3.13, exhibits a mixed security posture. While it demonstrates good practices in terms of SQL query sanitation and a high percentage of properly escaped outputs, several concerning indicators are present. The presence of the `unserialize` function, a known vector for deserialization vulnerabilities, is a significant red flag. Furthermore, the plugin has a notable history of five known CVEs, with one high and four medium severity vulnerabilities, indicating a pattern of past security weaknesses. Common vulnerability types include deserialization and Cross-site Scripting, which align with the identified use of `unserialize`.

The static analysis reveals a relatively small attack surface with only two entry points, but one of these entry points, an AJAX handler, lacks authentication checks. This unprotected entry point, combined with the potential for deserialization via `unserialize`, presents a critical risk. The absence of nonce checks on the AJAX handler further exacerbates this risk, making it more susceptible to unauthorized actions or exploitation.

In conclusion, despite efforts in SQL security and output escaping, the plugin's vulnerability history and specific code signals, particularly the unprotected AJAX handler and the use of `unserialize`, present a substantial risk. The past trend of multiple high and medium severity vulnerabilities suggests a need for diligent security auditing and patching. Users should exercise caution when deploying this plugin.

Key Concerns

  • Unprotected AJAX handler
  • Use of unserialize function
  • High severity unpatched CVE
  • Medium severity unpatched CVEs (4)
  • Missing nonce checks on AJAX
  • Low output escaping percentage
Vulnerabilities (5)

WP Posts Carousel Security Vulnerabilities

CVEs by Year

5 CVEs in 2025 (bar chart by year; legend: Patched / Has unpatched)

Severity Breakdown

  • High: 1
  • Medium: 4

5 total CVEs

CVE-2025-39358 · high · 8.8 · Deserialization of Untrusted Data

WP Posts Carousel <= 1.3.12 - Authenticated (Contributor+) PHP Object Injection

May 29, 2025 · Patched in 1.3.13 (5d)

CVE-2025-39573 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Posts Carousel <= 1.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 16, 2025 · Patched in 1.3.11 (7d)

CVE-2025-31094 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Posts Carousel <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 28, 2025 · Patched in 1.3.9 (6d)

CVE-2025-30920 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Posts Carousel <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 27, 2025 · Patched in 1.3.8 (8d)

CVE-2025-1491 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Posts Carousel <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via auto_play_timeout Parameter

Mar 1, 2025 · Patched in 1.3.8 (1d)
Code Analysis
Analyzed Mar 16, 2026

WP Posts Carousel Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 54 (384 escaped)
  • Nonce Checks: 0
  • Capability Checks: 3
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize at carousel-widget.class.php:74: `$instance['custom_breakpoints'] = unserialize($instance['custom_breakpoints']);`
  • unserialize at includes\utils.class.php:157: `$data = @unserialize( $params ) ;`
  • unserialize at includes\utils.class.php:163: `$breakpoints = unserialize( $params );`

Output Escaping

88% escaped (438 total outputs)
Attack Surface (1 unprotected)

WP Posts Carousel Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers: 1

  • [auth] wp_ajax_wp_posts_carousel_shortcode_generator (wp-posts-carousel.php:79)

Shortcodes: 1

  • [wp_posts_carousel] (shortcode-decode.class.php:24)
WordPress Hooks: 14

  • action widgets_init (carousel-widget.class.php:392)
  • filter posts_fields (includes\wp-posts-carousel-popular-posts-query.class.php:23)
  • filter posts_orderby (includes\wp-posts-carousel-popular-posts-query.class.php:24)
  • action init (wp-posts-carousel.php:30)
  • action init (wp-posts-carousel.php:66)
  • action admin_init (wp-posts-carousel.php:67)
  • action admin_menu (wp-posts-carousel.php:68)
  • action admin_head (wp-posts-carousel.php:69)
  • action admin_head (wp-posts-carousel.php:70)
  • action admin_enqueue_scripts (wp-posts-carousel.php:75)
  • action wp_enqueue_scripts (wp-posts-carousel.php:91)
  • action wp_head (wp-posts-carousel.php:92)
  • filter mce_external_plugins (wp-posts-carousel.php:183)
  • filter mce_buttons (wp-posts-carousel.php:184)
Maintenance & Trust

WP Posts Carousel Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.7.5
  • Last updated: May 15, 2025
  • PHP min version: (not specified)
  • Downloads: 96K

Community Trust

  • Rating: 92/100
  • Number of ratings: 27
  • Active installs: 3K
Developer Profile

WP Posts Carousel Developer Profile

teastudio.pl

2 plugins · 3K total installs

  • Trust score: 95
  • Avg Security Score: 93/100
  • Avg Patch Time: 5 days
Detection Fingerprints

How We Detect WP Posts Carousel

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-posts-carousel/css/wp-posts-carousel.css
  • /wp-content/plugins/wp-posts-carousel/owl.carousel/assets/owl.carousel.css
  • /wp-content/plugins/wp-posts-carousel/owl.carousel/owl.carousel.js
  • /wp-content/plugins/wp-posts-carousel/owl.carousel/jquery.mousewheel.min.js
  • /wp-content/plugins/wp-posts-carousel/js/wp-posts-carousel.js
Script Paths
  • /wp-content/plugins/wp-posts-carousel/js/plugin-4.0.js
  • /wp-content/plugins/wp-posts-carousel/js/plugin-3.9.js
  • /wp-content/plugins/wp-posts-carousel/js/plugin-3.6.js
Version Parameters
  • wp-posts-carousel/css/wp-posts-carousel.css?ver=
  • wp-posts-carousel/owl.carousel/assets/owl.carousel.css?ver=
  • wp-posts-carousel/owl.carousel/owl.carousel.js?ver=
  • wp-posts-carousel/owl.carousel/jquery.mousewheel.min.js?ver=
  • wp-posts-carousel/js/wp-posts-carousel.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-posts-carousel-wrap, wp-posts-carousel-content
HTML Comments
WP Posts Carousel
Data Attributes
data-carousel-id
JS Globals
wp_posts_carousel_url
Shortcode Output
[posts_carousel]
FAQ

Frequently Asked Questions about WP Posts Carousel