WPShapere Lite Security & Risk Analysis

wordpress.org/plugins/wpshapere-lite

WPShapere is a WordPress plugin to customize the WordPress Admin theme and elements as your wish.

300 active installs · v1.4.1 · PHP 5.6+ · WP 6.0+ · Updated Jun 29, 2025
Tags: admin, admin-theme, white-label, wordpress-admin, wordpress-admin-theme
Score 78 · B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Jun 27, 2025
Safety Verdict

Is WPShapere Lite Safe to Use in 2026?

Mostly Safe

Score 78/100

WPShapere Lite is generally safe to use. 1 past CVE was resolved.

1 known CVE · 1 unpatched · Last CVE: Jun 27, 2025 · Updated 10mo ago
Risk Assessment

The "wpshapere-lite" v1.4.1 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals a remarkably small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are exposed without authentication or permission checks. Furthermore, all SQL queries are securely handled using prepared statements, and there are no file operations or external HTTP requests that pose an immediate threat. The presence of nonce and capability checks, though limited, is a good practice.

However, significant concerns arise from the presence of dangerous functions, specifically `unserialize`, which is often a precursor to deserialization vulnerabilities if user-controlled data is involved. The low percentage of properly escaped output (8%) is a critical weakness, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. Because the taint analysis found no unsanitized paths, any such vulnerability would more likely lie in how data is handled *after* reaching an entry point, or within the unescaped outputs themselves. The vulnerability history further reinforces these concerns, with one unpatched medium-severity CVE indicating a past issue that has not been remediated.

In conclusion, while the plugin's attack surface is commendably small and its SQL handling is robust, the reliance on `unserialize` and the widespread lack of output escaping, coupled with an unpatched CVE, present substantial security risks. Users should be aware of the potential for XSS and deserialization vulnerabilities, and the need for immediate patching or mitigation of the existing CVE is paramount.

Key Concerns

  • Unpatched CVE exists (medium severity)
  • Low percentage of escaped output (8%)
  • Presence of dangerous function (unserialize)
Vulnerabilities
1 published

WPShapere Lite Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-53317 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WPShapere - WordPress admin theme <= 1.4.1 - Cross-Site Request Forgery

Jun 27, 2025 · Unpatched
Version History

WPShapere Lite Release Timeline

v1.4.1 · Current · 1 CVE
v1.4 · 1 CVE
v1.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

WPShapere Lite Code Analysis

Dangerous Functions: 16
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 33 (3 escaped)
Nonce Checks: 3
Capability Checks: 3
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$settings = unserialize($settings);` · includes\acmee-framework\inc\aof.class.php:156
unserialize · `$get_options = unserialize(get_site_option( $option_id ));` · includes\acmee-framework\inc\aof.class.php:216
unserialize · `$get_options = unserialize(get_option( $option_id ));` · includes\acmee-framework\inc\aof.class.php:224
unserialize · `$data = unserialize($import_data); //to avoid double serialization` · includes\wps-impexp.class.php:92
unserialize · `$wps_options = (is_serialized(get_option(WPSHAPERE_LITE_OPTIONS_SLUG))) ? unserialize(get_option(WPS` · includes\wps-options.php:19
unserialize · `$wps_options = (is_serialized(get_site_option(WPSHAPERE_LITE_OPTIONS_SLUG))) ? unserialize(get_site_` · includes\wps-options.php:22
unserialize · `$adminbar_items = (is_serialized(get_option(WPS_ADMINBAR_LIST_SLUG))) ? unserialize(get_option(WPS_A` · includes\wps-options.php:30
unserialize · `$adminbar_items = (is_serialized(get_site_option(WPS_ADMINBAR_LIST_SLUG))) ? unserialize(get_site_op` · includes\wps-options.php:33
unserialize · `$admin_users_array = (is_serialized(get_option(WPS_ADMIN_USERS_SLUG))) ? unserialize(get_option(WPS_` · includes\wps-options.php:37
unserialize · `$dash_widgets_list = (is_serialized(get_option('wps_widgets_list'))) ? unserialize(get_option('wps_w` · includes\wps-options.php:41
unserialize · `$dash_widgets_list = (is_serialized(get_site_option('wps_widgets_list'))) ? unserialize(get_site_opt` · includes\wps-options.php:44
unserialize · `$admin_generaloptions = (is_serialized( $admin_general_options_data )) ? unserialize( $admin_general` · includes\wpshapere.class.php:160
unserialize · `$get_wps_option_data = (is_serialized(get_option($option_id))) ? unserialize(get_option($option_id))` · includes\wpshapere.class.php:326
unserialize · `$get_wps_option_data = (is_serialized(get_site_option($option_id))) ? unserialize(get_site_option($o` · includes\wpshapere.class.php:329
unserialize · `$remove_dash_widgets = (is_serialized($dash_widgets_removal_data)) ? unserialize($dash_widgets_remov` · includes\wpshapere.class.php:463
unserialize · `$remove_dash_widgets = (is_serialized($dash_widgets_removal_data)) ? unserialize($dash_widgets_remov` · includes\wpshapere.class.php:489

Output Escaping

8% escaped · 36 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
wps_settings_action (includes\wps-impexp.class.php:82)
Attack Surface

WPShapere Lite Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 41
action · after_setup_theme · includes\acmee-framework\inc\aof.class.php:25
action · aof_tab_start · includes\acmee-framework\inc\aof.class.php:26
action · aof_tab_start · includes\acmee-framework\inc\aof.class.php:27
action · aof_tab_close · includes\acmee-framework\inc\aof.class.php:28
action · aof_tab_close · includes\acmee-framework\inc\aof.class.php:29
action · aof_after_heading · includes\acmee-framework\inc\aof.class.php:30
action · admin_menu · includes\premium-version.class.php:18
action · admin_menu · includes\wps-impexp.class.php:19
action · plugins_loaded · includes\wps-impexp.class.php:20
action · admin_menu · includes\wpshapere.class.php:24
action · wp_dashboard_setup · includes\wpshapere.class.php:25
filter · admin_title · includes\wpshapere.class.php:27
action · init · includes\wpshapere.class.php:28
action · admin_bar_menu · includes\wpshapere.class.php:30
action · admin_bar_menu · includes\wpshapere.class.php:31
action · wp_before_admin_bar_render · includes\wpshapere.class.php:32
action · wp_dashboard_setup · includes\wpshapere.class.php:33
action · login_enqueue_scripts · includes\wpshapere.class.php:36
action · login_head · includes\wpshapere.class.php:37
action · login_header · includes\wpshapere.class.php:38
action · login_footer · includes\wpshapere.class.php:39
action · admin_enqueue_scripts · includes\wpshapere.class.php:41
action · admin_head · includes\wpshapere.class.php:42
action · wp_before_admin_bar_render · includes\wpshapere.class.php:43
action · admin_bar_menu · includes\wpshapere.class.php:45
filter · login_headerurl · includes\wpshapere.class.php:46
filter · login_headertext · includes\wpshapere.class.php:47
action · admin_head · includes\wpshapere.class.php:48
action · wp_head · includes\wpshapere.class.php:49
action · aof_after_heading · includes\wpshapere.class.php:50
filter · login_title · includes\wpshapere.class.php:51
filter · automatic_updater_disabled · includes\wpshapere.class.php:84
filter · auto_core_update_send_email · includes\wpshapere.class.php:87
filter · screen_options_show_screen · includes\wpshapere.class.php:167
filter · admin_footer_text · includes\wpshapere.class.php:178
filter · update_footer · includes\wpshapere.class.php:180
filter · show_admin_bar · includes\wpshapere.class.php:516
action · admin_enqueue_scripts · main-settings.php:31
action · admin_menu · main-settings.php:48
action · admin_init · main-settings.php:59
action · plugins_loaded · wpshapere-lite.php:71
Maintenance & Trust

WPShapere Lite Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jun 29, 2025
PHP min version: 5.6
Downloads: 6K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 300
Developer Profile

WPShapere Lite Developer Profile

AcmeeDesign

3 plugins · 330 total installs

Trust score: 85
Avg Security Score: 87/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WPShapere Lite

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wpshapere-lite/assets/css/default
/wp-content/plugins/wpshapere-lite/assets/css/pomegranate
/wp-content/plugins/wpshapere-lite/assets/css/black-white
/wp-content/plugins/wpshapere-lite/assets/css/beach
/wp-content/plugins/wpshapere-lite/assets/css/africa
Script Paths
/wp-content/plugins/wpshapere-lite/assets/js/loginjs.js
Version Parameters
wpshapere-lite/assets/css/default?ver=
wpshapere-lite/assets/css/pomegranate?ver=
wpshapere-lite/assets/css/black-white?ver=
wpshapere-lite/assets/css/beach?ver=
wpshapere-lite/assets/css/africa?ver=
wpshapere-lite/assets/js/loginjs.js?ver=

HTML / DOM Fingerprints

CSS Classes
wps-login-container, wps-login-bg, wps-icon-login, wps-icon-email, wps-icon-pwd, wps_kb_link
JS Globals
WPSHAPERE