This plugin is fundamentally well-written. We did find a few issues, but they are not too serious:
- Unsanitised input is passed into filters at /storify.php at line 580 and /dialog.php at line 3. However, these filters are defined by the plugin and are therefore unlikely to be hooked by other plugins.
- In the TinyMCE dialog handler, the plugin relies on a PHP file being executable rather than using the WordPress Ajax API.
- The plugin generates notices when the TinyMCE button is used.
- Content is not escaped at the point at which it is inserted into HTML (for example, at storify.php line 518), but no XSS vulnerabilities were apparent.
- The plugin does not work on HTTPS sites without modification to prevent mixed-content warnings.