WP-Safety

WP Whoosh Security & Risk Analysis

wordpress.org/plugins/wp-whoosh

Build new feature-rich, fast and secure WordPress sites in a smarter way in under 60 seconds using WP Whoosh.

10 active installs v1.6 PHP + WP 3.0+ Updated Aug 20, 2013
performancesecuritysite-buildertimesaving
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is WP Whoosh Safe to Use in 2026?

Generally Safe

Score 85/100

WP Whoosh has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 12yr ago
Risk Assessment

The wp-whoosh plugin v1.6 exhibits a generally good security posture, with no publicly known vulnerabilities (CVEs) and a clean vulnerability history. The absence of AJAX handlers, REST API routes, shortcodes, and cron events significantly limits its attack surface, and all detected SQL queries use prepared statements, which is excellent. However, the presence of 'unserialize' as a dangerous function, coupled with two flows with unsanitized paths, raises concerns. While no critical or high severity issues were found in the taint analysis, these could still be exploited under specific conditions. The low percentage of properly escaped output (28%) indicates a weakness that could lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled carefully.

Key Concerns

  • Dangerous function 'unserialize' found
  • Flows with unsanitized paths detected
  • Low percentage of properly escaped output
Vulnerabilities
None known

WP Whoosh Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

WP Whoosh Code Analysis

Dangerous Functions
4
Raw SQL Queries
0
0 prepared
Unescaped Output
55
21 escaped
Nonce Checks
3
Capability Checks
3
File Operations
0
External Requests
1
Bundled Libraries
0

Dangerous Functions Found

unserializeif (! empty($templates) && ! is_array($templates)) $templates = unserialize(strrev(base64_decode($tefunctions.php:97
unserializeif (! empty($hosts) && ! is_array($hosts)) $hosts = stripslashes_deep(unserialize(strrev(base64_decofunctions.php:125
unserializeif (! empty($sites) && ! is_array($sites)) $sites = stripslashes_deep(unserialize(strrev(base64_decofunctions.php:175
unserializereturn @unserialize(empty($secret) ? @gzinflate(base64_decode($message)) : self::decrypt($message, $updater.php:219

Output Escaping

28% escaped76 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

5 flows2 with unsanitized paths
clear_nonce (functions.php:257)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WP Whoosh Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 38
actioninitadmin.php:29
actioninitadmin.php:30
actioninitadmin.php:31
actioninitadmin.php:32
actioninitadmin.php:33
actioninitadmin.php:34
actionadmin_menuadmin.php:35
filterplugin_action_linksadmin.php:36
actionadmin_enqueue_scriptsadmin.php:56
filterscreen_layout_columnsadmin.php:57
actionadmin_menucredits.php:25
actionadmin_enqueue_scriptscredits.php:35
actionadmin_enqueue_scriptscredits.php:36
actionadmin_menuhosts.php:54
filterscreen_options_show_screenhosts.php:66
filterscreen_layout_columnshosts.php:67
actionadmin_enqueue_scriptshosts.php:68
actionadmin_enqueue_scriptshosts.php:69
actionadmin_menukey.php:33
actionadmin_enqueue_scriptskey.php:43
actionadmin_enqueue_scriptskey.php:44
filterscreen_layout_columnskey.php:45
actioninitpublic.php:3
filterlogin_errorspublic.php:12
filterxmlrpc_methodspublic.php:14
actionadmin_menusecret.php:32
actionadmin_enqueue_scriptssecret.php:42
actionadmin_enqueue_scriptssecret.php:43
filterscreen_layout_columnssecret.php:44
actionadmin_menusites.php:112
filterscreen_options_show_screensites.php:124
filterscreen_layout_columnssites.php:125
actionadmin_enqueue_scriptssites.php:126
actionadmin_enqueue_scriptssites.php:127
actionadmin_menutemplates.php:25
actionadmin_enqueue_scriptstemplates.php:35
actionadmin_enqueue_scriptstemplates.php:36
filterscreen_layout_columnstemplates.php:37
Maintenance & Trust

WP Whoosh Maintenance & Trust

Maintenance Signals

WordPress version tested3.6.1
Last updatedAug 20, 2013
PHP min version
Downloads4K

Community Trust

Rating88/100
Number of ratings7
Active installs10
Alternatives

WP Whoosh Alternatives

Jetpack – WP Security, Backup, Speed, & Growth

Jetpack – WP Security, Backup, Speed, & Growth

jetpack

A
87

Improve your WP security with powerful one-click tools like backup, WAF, and malware scan. Includes free tools like stats, CDN and social sharing.

3.0M 24 CVEs
ManageWP Worker

ManageWP Worker

worker

A
98

A better way to manage dozens of WordPress websites.

1.0M 1 CVE
Simply Static – The Static Site Generator

Simply Static – The Static Site Generator

simply-static

A
99

Convert WordPress to static HTML. Boost performance 3-5x. Eliminate security vulnerabilities. Deploy anywhere.

30K 2 CVEs
Plugin Check (PCP)

Plugin Check (PCP)

plugin-check

A
100

Plugin Check is a WordPress.org tool which provides checks to help plugins meet the directory requirements and follow various best practices.

7K No CVEs
DefendWP Firewall

DefendWP Firewall

defend-wp-firewall

A
99

Get instant protection against vulnerabilities disclosed by security companies.

3K 1 CVE
Developer Profile

WP Whoosh Developer Profile

Russell Jamieson

4 plugins · 4K total installs

76
trust score
Avg Security Score
74/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WP Whoosh

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-whoosh/admin.css
Version Parameters
wp-whoosh/admin.css?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- Admin page --><!-- Intro tab -->
Data Attributes
data-template-urldata-key-urldata-secret-urldata-hosts-urldata-sites-urldata-credits-url
FAQ

Frequently Asked Questions about WP Whoosh