Does WPB Image Widget have any unpatched vulnerabilities?

Yes — WPB Image Widget currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is WPB Image Widget compatible with WordPress 6.8.5?

According to WordPress.org data, WPB Image Widget 1.1 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

How often is WPB Image Widget updated?

WPB Image Widget was last updated on Jun 8, 2025. Frequent updates are generally a positive security signal.

What is WPB Image Widget's security score?

WPB Image Widget has a WP-Safety security score of 78/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WPB Image Widget Security & Risk Analysis

wordpress.org/plugins/wpb-image-widget

A simple widget for showing responsive image in sidebar area. It's using WordPress's new media uploader.

100 active installs v1.1 PHP + WP 3.6+ Updated Jun 8, 2025

imageimage-widgetupload-image-in-widgetwidgetwpb-image-widget

B · Generally Safe

CVEs total1

Unpatched1

Last CVESep 5, 2025

Plugin page Download

Safety Verdict

Is WPB Image Widget Safe to Use in 2026?

Mostly Safe

Score 78/100

WPB Image Widget is generally safe to use. 1 past CVE were resolved. Keep it updated.

1 known CVE 1 unpatched Last CVE: Sep 5, 2025Updated 9mo ago

Risk Assessment

The "wpb-image-widget" v1.1 plugin exhibits a mixed security posture. While the static analysis reveals no overtly dangerous functions, raw SQL queries, or file operations, significant concerns arise from the low percentage of properly escaped output (19%). This suggests a high likelihood of Cross-Site Scripting (XSS) vulnerabilities, especially given the plugin's vulnerability history, which includes a recent medium-severity XSS flaw.

The lack of nonce checks and capability checks, combined with the limited number of entry points being unprotected, is a positive sign for direct unauthorized access vectors. However, the presence of one shortcode without explicit authorization checks implies a potential avenue for exploitation if the XSS vulnerabilities are leveraged. The vulnerability history, particularly the recurring XSS pattern and a recent unpatched medium-severity issue, strongly indicates a lack of robust input sanitization and output escaping practices.

In conclusion, while the plugin avoids common pitfalls like raw SQL or dangerous functions, the severe under-escaping of output and a documented history of XSS vulnerabilities are critical weaknesses. The unpatched medium-severity CVE is a significant risk that needs immediate attention. The plugin's strengths lie in its limited attack surface and the absence of certain risky code patterns, but these are overshadowed by the ongoing threat of XSS due to poor output handling.

Key Concerns

Unescaped output detected (19% proper)
Unpatched medium severity CVE
No nonce checks detected
No capability checks detected

Vulnerabilities

WPB Image Widget Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-58858medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WPB Image Widget <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 5, 2025Unpatched

Code Analysis

Analyzed Mar 16, 2026

WPB Image Widget Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

12 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

19% escaped62 total outputs

Attack Surface

WPB Image Widget Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[wpb-image-widget] inc\wpb_iw_shortcode.php:16

WordPress Hooks 4

actionadmin_enqueue_scriptsadmin\wpb_iw_widget.php:30

actionwidgets_initadmin\wpb_iw_widget.php:227

actionwp_enqueue_scriptsinc\wpb_iw_functions.php:19

actioninitmain.php:34

Maintenance & Trust

WPB Image Widget Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedJun 8, 2025

PHP min version

Downloads4K

Community Trust

Rating80/100

Number of ratings1

Active installs100

Alternatives

WPB Image Widget Alternatives

Simple Image Widget

simple-image-widget

100

A simple widget that makes it a breeze to add images to your sidebars.

10K No CVEs

Image Widget

image-widget-rb

100

Image Widget - most simple and fast way to create image widget to your sidebar

4K No CVEs

HW Image Widget

hw-image-widget

Image widget that will allow you to choose responsive or fixed sized behavior. Includes TinyMCE rich text editing of the text description.

1K No CVEs

Swifty Image Widget

swifty-image-widget

Super simple but powerful widget that allows adding single or multiple images to your widget positions, using native media uploader.

1K No CVEs

Image Widget by Angie Makes

wpc-image-widget

This plugin allows for the addition of a drag / drop image widget to the existing widgets in your Wordpress theme. Easily upload, and link images to t …

500 No CVEs

Developer Profile

WPB Image Widget Developer Profile

WPBean

25 plugins · 40K total installs

trust score

Avg Security Score

96/100

Avg Patch Time

20 days

View full developer profile

Detection Fingerprints

How We Detect WPB Image Widget

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wpb-image-widget/admin/css/wpb-image-widget-admin.css/wp-content/plugins/wpb-image-widget/admin/js/wpb-image-widget-admin.js

Script Paths

/wp-content/plugins/wpb-image-widget/admin/js/wpb-image-widget-admin.js

HTML / DOM Fingerprints

CSS Classes

wpb_iw_uploaded_imagewpb_iw_show_imagewpb_iw_upload_imagewpb_iw_linking_type_wpb_iw_custom_link_

HTML Comments

WPB Image Widget
    By WPBean

Data Attributes