WP-Safety

WYSIWYG Button Manager Security & Risk Analysis

wordpress.org/plugins/wysiwyg-button-manager

Allow the admin to override the default WYSIWYG button bar. Also allow the admin to create a unique 3-row button panel and assign this to a user.

10 active installs v0.5 PHP + WP 2.0.2+ Updated Apr 24, 2007
wysiwyg-button-manager-admin-editor
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is WYSIWYG Button Manager Safe to Use in 2026?

Generally Safe

Score 85/100

WYSIWYG Button Manager has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 18yr ago
Risk Assessment

The "wysiwyg-button-manager" v0.5 plugin presents a mixed security profile. On the positive side, it boasts a zero attack surface in terms of AJAX handlers, REST API routes, shortcodes, and cron events, indicating a deliberate effort to limit entry points. Furthermore, there's no known vulnerability history, which is a strong indicator of past security diligence. However, the static analysis reveals significant concerns, most notably the presence of the `unserialize` function without any apparent sanitization or nonce checks. Combined with a complete lack of output escaping and capability checks, this creates a substantial risk. The taint analysis showing two flows with unsanitized paths further exacerbates this, suggesting that user-controlled data could potentially be manipulated to execute arbitrary code or lead to other vulnerabilities.

Key Concerns

  • Unescaped output
  • Dangerous function: unserialize
  • No nonce checks
  • No capability checks
  • Taint flow with unsanitized paths
  • SQL queries not fully prepared
Vulnerabilities
None known

WYSIWYG Button Manager Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WYSIWYG Button Manager Code Analysis

Dangerous Functions
1
Raw SQL Queries
1
1 prepared
Unescaped Output
19
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

unserialize$this->button_info = unserialize($this->button_info);wysiwyg_button_manager.php:104

SQL Query Safety

50% prepared2 total queries

Output Escaping

0% escaped19 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
display_buttons_editor (wysiwyg_button_manager.php:328)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

WYSIWYG Button Manager Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 6
actionadmin_menuwysiwyg_button_manager.php:74
actioninitwysiwyg_button_manager.php:80
filtermce_pluginswysiwyg_button_manager.php:82
filtermce_buttonswysiwyg_button_manager.php:83
filtermce_buttons_2wysiwyg_button_manager.php:84
filtermce_buttons_3wysiwyg_button_manager.php:85
Maintenance & Trust

WYSIWYG Button Manager Maintenance & Trust

Maintenance Signals

WordPress version tested2.1.3
Last updatedApr 24, 2007
PHP min version
Downloads7K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Alternatives

WYSIWYG Button Manager Alternatives

No alternatives data available yet.

Developer Profile

WYSIWYG Button Manager Developer Profile

Paul Menard

4 plugins · 240 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect WYSIWYG Button Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wysiwyg-button-manager/js/wysiwyg-button-manager.js
Version Parameters
wysiwyg-button-manager/js/wysiwyg-button-manager.js?ver=

HTML / DOM Fingerprints

Data Attributes
name="users_panel"id="updateusers"
FAQ

Frequently Asked Questions about WYSIWYG Button Manager