WpQrCode Security & Risk Analysis

wordpress.org/plugins/wpqrcode

Just another WordPress plugin for adding QrCode.

10 active installs v1.0.3 PHP + WP 3.5+ Updated Feb 20, 2015
canvasdynamicimageqrcodewidget
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is WpQrCode Safe to Use in 2026?

Generally Safe

Score 85/100

WpQrCode has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 11yr ago
Risk Assessment

The "wpqrcode" v1.0.3 plugin exhibits a generally positive security posture based on the provided static analysis. The absence of any known CVEs and the lack of dangerous functions or direct SQL queries are strong indicators of good development practices in these areas. However, a significant concern arises from the output escaping, with only 20% of 59 total outputs being properly escaped. This suggests a high likelihood of Cross-Site Scripting (XSS) vulnerabilities, where user-supplied data could be rendered directly in the browser without proper sanitization, potentially leading to malicious code execution. The taint analysis, while limited in scope (2 flows analyzed), revealing "flows with unsanitized paths" is a red flag, even without critical or high severity findings. This indicates that the plugin might be susceptible to certain types of injection attacks if these paths are exploited. Overall, while the plugin avoids common pitfalls like unpatched vulnerabilities or raw SQL, the poor output escaping and potential for unsanitized data flows represent critical weaknesses that require immediate attention.

Key Concerns

  • Poor output escaping (80% unescaped)
  • Taint analysis shows unsanitized paths
Vulnerabilities
None known

WpQrCode Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

WpQrCode Release Timeline

v1.0.2
v1.0.1
v1.0
Code Analysis
Analyzed Apr 16, 2026

WpQrCode Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
47
12 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

20% escaped59 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
widget (wpqrcode.php:121)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WpQrCode Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 3
actionwidgets_initwpqrcode.php:159
actionadmin_enqueue_scriptswpqrcode.php:169
actionwp_enqueue_scriptswpqrcode.php:176
Maintenance & Trust

WpQrCode Maintenance & Trust

Maintenance Signals

WordPress version tested4.1.42
Last updatedFeb 20, 2015
PHP min version
Downloads2K

Community Trust

Rating100/100
Number of ratings1
Active installs10
Developer Profile

WpQrCode Developer Profile

Nazmul Hossain Nihal

5 plugins · 200 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WpQrCode

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpqrcode/js/jscolor.js/wp-content/plugins/wpqrcode/js/script.js/wp-content/plugins/wpqrcode/js/wpqrcode.js
Script Paths
/wp-content/plugins/wpqrcode/js/jscolor.js/wp-content/plugins/wpqrcode/js/script.js/wp-content/plugins/wpqrcode/js/wpqrcode.js

HTML / DOM Fingerprints

CSS Classes
wpqrcode-colorpicker
JS Globals
wpqrcode
FAQ

Frequently Asked Questions about WpQrCode