Plugin inspection:

Storify

No issues found

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

We didn't find anything worrying in this plugin. It's probably safe. Read more about this recommendation.

Findings

This plugin is fundamentally well-written. We did find a few issues, but they are not too serious:

  1. Unsanitised input is passed into filters in /storify.php at line 580 and /dialog.php at line 3. However, these filters are defined by the plugin itself and are therefore unlikely to be hooked by other plugins.
  2. In the TinyMCE dialog handler, the plugin relies on one of its PHP files being directly executable rather than using the WordPress Ajax API.
  3. The plugin generates notices when the TinyMCE button is used.
  4. Content is not escaped at the point at which it is inserted into HTML (for example, at storify.php line 518), but no XSS vulnerabilities were apparent.
  5. On HTTPS sites the plugin produces mixed-content warnings unless it is modified.
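The safer patterns behind findings 1, 2, 4 and 5, shown as an added illustration that is not the Storify plugin's own code; the shortcode name, filter name and Ajax action used here are hypothetical:

```php
<?php
// Added illustration, not the Storify plugin's code. The 'example_embed'
// shortcode, the 'example_embed_url' filter and the 'example_embed_lookup'
// Ajax action are hypothetical names.

// Findings 1 and 4: sanitise the attribute before it reaches any filter, and
// escape again at the exact point where it is written into HTML.
function example_embed_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'width' => '100%' ), $atts, 'example_embed' );

    // esc_url_raw() rejects disallowed schemes and strips dangerous characters
    // before the value is handed to other code through apply_filters().
    $url = esc_url_raw( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }
    $url = apply_filters( 'example_embed_url', $url );

    // Finding 5: on an HTTPS site, force https so the embed is not mixed content.
    if ( is_ssl() ) {
        $url = set_url_scheme( $url, 'https' );
    }

    // Late escaping: the filter's return value is not trusted, so every value
    // is escaped for its HTML context at the moment of insertion.
    return sprintf(
        '<iframe src="%s" width="%s" frameborder="0"></iframe>',
        esc_url( $url ),
        esc_attr( $atts['width'] )
    );
}
add_shortcode( 'example_embed', 'example_embed_shortcode' );

// Finding 2: answer the TinyMCE dialog through admin-ajax.php instead of a
// directly requestable plugin file, so WordPress loads first and the nonce
// and capability checks run before any plugin logic.
function example_embed_ajax_lookup() {
    check_ajax_referer( 'example_embed_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';
    if ( '' === $url ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    wp_send_json_success( array( 'shortcode' => '[example_embed url="' . esc_attr( $url ) . '"]' ) );
}
add_action( 'wp_ajax_example_embed_lookup', 'example_embed_ajax_lookup' );
```

The dialog's JavaScript would post to admin-ajax.php with `action=example_embed_lookup` and a nonce created by `wp_create_nonce( 'example_embed_nonce' )`.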

Failure criteria

  • Lack of input sanitisation
  • Failure to use available core functionality
  • Lack of proper output escaping
  • Very large codebase

Read more about our failure criteria.