WP Promoter Security & Risk Analysis

wordpress.org/plugins/wp-promoter

Promote your Offers , Notify your users with eye catchy Promotional methods of wp-promoter. Manage your promotion effectively and by analysing from st …

10 active installs v1.3 PHP + WP 1.0+ Updated Jan 2, 2015
attact-visitorsnotificationpromote-barpromotionpromotion-statistics
41
D · High Risk
CVEs total2
Unpatched2
Last CVEMay 26, 2026
Safety Verdict

Is WP Promoter Safe to Use in 2026?

High Risk

Score 41/100

WP Promoter carries significant security risk with 2 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

2 known CVEs 2 unpatched Last CVE: May 26, 2026Updated 11yr ago
Risk Assessment

Based on the provided static analysis and vulnerability history, the "wp-promoter" v1.3 plugin exhibits a mixed security posture. The absence of any recorded CVEs, coupled with the lack of any identified dangerous functions, file operations, or external HTTP requests, suggests a generally well-behaved codebase concerning common vulnerability vectors. The plugin also demonstrates good practice by exclusively using prepared statements for its SQL queries.

However, a significant concern arises from the complete lack of output escaping. With 29 total outputs analyzed and 0% properly escaped, this represents a critical weakness. This could lead to Cross-Site Scripting (XSS) vulnerabilities, where malicious code could be injected into the user interface. Furthermore, the absence of nonce checks and capability checks, while not directly flagged as an issue due to the lack of entry points, means that if any entry points were to be introduced or discovered in future versions, they would be inherently unprotected. The zero taint flows and zero attack surface entries are positive but offer little reassurance given the output escaping issue.

In conclusion, while "wp-promoter" v1.3 avoids many common pitfalls and has a clean vulnerability history, the universal failure to escape output creates a substantial risk of XSS. This weakness overshadows the otherwise clean code analysis and necessitates immediate attention. The lack of built-in protection for potential entry points is also a latent concern.

Key Concerns

  • No output escaping
Vulnerabilities
2 published

WP Promoter Security Vulnerabilities

CVEs by Year

2 CVEs in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2026-8906medium · 6.1Cross-Site Request Forgery (CSRF)

WP Promoter <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting via 'popup_width' Parameter

May 26, 2026Unpatched
CVE-2026-9014medium · 5.3Missing Authorization

WP Promoter <= 1.3 - Missing Authorization to Unauthenticated Statistics Reset via wpp-reset_stats AJAX Action

May 26, 2026Unpatched
Version History

WP Promoter Release Timeline

Code Analysis
Analyzed Mar 17, 2026

WP Promoter Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
29
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped29 total outputs
Attack Surface

WP Promoter Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 3
actionwp_enqueue_scriptswp-promoter.php:29
actionwp_footerwp-promoter.php:30
actionadmin_headwp-promoter.php:31
Maintenance & Trust

WP Promoter Maintenance & Trust

Maintenance Signals

WordPress version tested4.0.38
Last updatedJan 2, 2015
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

WP Promoter Developer Profile

rahulbhangale

5 plugins · 30 total installs

68
trust score
Avg Security Score
63/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP Promoter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-promoter/minicolor/jquery.miniColors.css/wp-content/plugins/wp-promoter/minicolor/jquery.miniColors.min.js/wp-content/plugins/wp-promoter/css/custom.css
Script Paths
/wp-content/plugins/wp-promoter/minicolor/jquery.miniColors.min.js

HTML / DOM Fingerprints

CSS Classes
wp-promoter-popupwpp-promo-barwpp-linkwpp-closewpp-popup
JS Globals
wpp_promoter
Shortcode Output
<div class="wpp-promo-bar" id="wpp-wp_promoter"><span class="wpp-close" id="close_wp_promoter">X</span><div id="wpp-popup">
FAQ

Frequently Asked Questions about WP Promoter