Wp Favs – Plugin Manager Security & Risk Analysis

wordpress.org/plugins/wpfavs

Wpfavs is a plugin manager tool that lets you import your plugin lists from https://wpfavs.com

3K active installs · v1.2.1.1 · PHP + WP 3.6+ · Updated Dec 20, 2023
Tags: bulk-plugin-installation, favorite-plugins, install-multiple-plugins, multiple-plugins, plugins
Score 85 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Wp Favs – Plugin Manager Safe to Use in 2026?

Generally Safe

Score 85/100

Wp Favs – Plugin Manager has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2yr ago
Risk Assessment

The wpfavs plugin v1.2.1.1 exhibits a generally strong security posture, as indicated by the static analysis. There are no critical or high-severity taint flows identified, and all SQL queries utilize prepared statements, which is a significant strength. The plugin also demonstrates good practices regarding nonce and capability checks, with a substantial number of both implemented across its entry points. Furthermore, the absence of any known vulnerabilities or CVEs in its history suggests a well-maintained and secure codebase over time.

However, a notable area for concern lies in the output escaping. With 133 total outputs, only 74% are properly escaped, leaving approximately 35 outputs potentially vulnerable to cross-site scripting (XSS) attacks if the data originates from untrusted sources. While the attack surface is small and all entry points have apparent authentication checks, this single weakness in output sanitization represents the most significant risk identified in the static analysis. The external HTTP requests, while present, are not inherently a risk without further context on their nature and how the responses are handled.

In conclusion, wpfavs v1.2.1.1 is a relatively secure plugin, primarily due to its robust handling of SQL and authentication. The lack of historical vulnerabilities further bolsters this assessment. The primary weakness is the incomplete output escaping, which should be addressed to mitigate potential XSS risks. Addressing this would bring the plugin's security to an even higher standard.

Key Concerns

  • Insufficient output escaping
Vulnerabilities
None known

Wp Favs – Plugin Manager Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Wp Favs – Plugin Manager Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 35 (98 escaped)
Nonce Checks: 10
Capability Checks: 15
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

74% escaped · 133 total outputs
Data Flows: All sanitized

Data Flow Analysis

4 flows
wpfav_apikey_cb (admin\class-wpfavs-admin.php:352)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface

Wp Favs – Plugin Manager Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers: 3

auth · wp_ajax_wpfav_apikey · admin\class-wpfavs-admin.php:119
auth · wp_ajax_wpfav_quickkey · admin\class-wpfavs-admin.php:120
auth · wp_ajax_wpfav_wp_username · admin\class-wpfavs-admin.php:121

WordPress Hooks: 31

action · init · admin\class-wpfavs-admin.php:105
action · admin_enqueue_scripts · admin\class-wpfavs-admin.php:108
action · admin_enqueue_scripts · admin\class-wpfavs-admin.php:109
action · admin_menu · admin\class-wpfavs-admin.php:112
action · tgmpa_wpfav_register · admin\class-wpfavs-admin.php:129
filter · tgmpa_wpfav_admin_menu_args · admin\class-wpfavs-admin.php:304
action · init · admin\includes\class-tgm-plugin-activation.php:268
filter · load_textdomain_mofile · admin\includes\class-tgm-plugin-activation.php:269
action · init · admin\includes\class-tgm-plugin-activation.php:272
action · admin_menu · admin\includes\class-tgm-plugin-activation.php:423
action · admin_head · admin\includes\class-tgm-plugin-activation.php:424
filter · install_plugin_complete_actions · admin\includes\class-tgm-plugin-activation.php:427
filter · update_plugin_complete_actions · admin\includes\class-tgm-plugin-activation.php:428
action · admin_notices · admin\includes\class-tgm-plugin-activation.php:431
action · admin_init · admin\includes\class-tgm-plugin-activation.php:432
action · admin_enqueue_scripts · admin\includes\class-tgm-plugin-activation.php:433
action · load-plugins.php · admin\includes\class-tgm-plugin-activation.php:438
action · switch_theme · admin\includes\class-tgm-plugin-activation.php:441
action · switch_theme · admin\includes\class-tgm-plugin-activation.php:444
action · admin_init · admin\includes\class-tgm-plugin-activation.php:449
action · switch_theme · admin\includes\class-tgm-plugin-activation.php:454
action · load_textdomain_mofile · admin\includes\class-tgm-plugin-activation.php:477
filter · upgrader_source_selection · admin\includes\class-tgm-plugin-activation.php:891
action · plugins_loaded · admin\includes\class-tgm-plugin-activation.php:2190
filter · tgmpa_wpfav_table_data_items · admin\includes\class-tgm-plugin-activation.php:2314
filter · upgrader_source_selection · admin\includes\class-tgm-plugin-activation.php:3090
action · admin_init · admin\includes\class-tgm-plugin-activation.php:3299
action · upgrader_process_complete · admin\includes\class-tgm-plugin-activation.php:3394
filter · upgrader_post_install · admin\includes\class-tgm-plugin-activation.php:3508
filter · upgrader_post_install · admin\includes\class-tgm-plugin-activation.php:3653
action · plugins_loaded · wpfavs.php:38
Maintenance & Trust

Wp Favs – Plugin Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.4.8
Last updated: Dec 20, 2023
PHP min version
Downloads: 83K

Community Trust

Rating: 94/100
Number of ratings: 32
Active installs: 3K
Developer Profile

Wp Favs – Plugin Manager Developer Profile

Ido Navarro

6 plugins · 6K total installs

Trust score: 84
Avg Security Score: 86/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Wp Favs – Plugin Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpfavs/assets/css/admin.css
/wp-content/plugins/wpfavs/assets/js/admin.js
Version Parameters
wpfavs-admin-styles?ver=
wpfavs-admin-script?ver=

HTML / DOM Fingerprints

Data Attributes
data-nonce="wpfav-nonce"
JS Globals
wpfavs
REST Endpoints
/wp-json/wpfavs/v1/nonce
FAQ

Frequently Asked Questions about Wp Favs – Plugin Manager