
ArvanCloud Object Storage Security & Risk Analysis
wordpress.org/plugins/arvancloud-object-storageArvanCloud Storage for offload, backup and upload your WordPress files and databases directly to your ArvanCloud object storage bucket.
Is ArvanCloud Object Storage Safe to Use in 2026?
Generally Safe
Score 92/100ArvanCloud Object Storage has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The 'arvancloud-object-storage' plugin v1.15.1 exhibits a concerning security posture primarily due to a significant number of unprotected AJAX handlers. While the plugin demonstrates some good practices, such as the absence of known CVEs and a substantial portion of SQL queries using prepared statements, the high number of unprotected entry points presents a substantial attack surface. The presence of an unserialize function, while not immediately flagged as a critical taint flow, warrants caution as it can be a vector for code execution if not handled with extreme care and input validation.
Although the plugin has no recorded vulnerability history, this does not negate the risks identified in the static analysis. The taint analysis, while showing no critical or high severity flows, did reveal a notable number of flows with unsanitized paths, indicating potential areas where malicious input could be processed insecurely. The limited use of capability checks and nonce checks on the numerous unprotected AJAX handlers amplifies the risk, as unauthorized users could potentially trigger these actions.
In conclusion, while the lack of past vulnerabilities and the use of prepared statements are positive signs, the plugin's security is significantly undermined by its extensive unprotected AJAX endpoints and the presence of dangerous functions like unserialize without clear input validation. This creates a risk of unauthorized actions and potential exploits, despite the current clean vulnerability record.
Key Concerns
- Large attack surface without auth
- Dangerous function: unserialize
- Flows with unsanitized paths
- Missing nonce checks on AJAX
- Low percentage of proper output escaping
- Limited capability checks
ArvanCloud Object Storage Security Vulnerabilities
ArvanCloud Object Storage Release Timeline
ArvanCloud Object Storage Code Analysis
Dangerous Functions Found
Bundled Libraries
SQL Query Safety
Output Escaping
Data Flow Analysis
ArvanCloud Object Storage Attack Surface
AJAX Handlers 26
REST API Routes 6
WordPress Hooks 50
Maintenance & Trust
ArvanCloud Object Storage Maintenance & Trust
Maintenance Signals
Community Trust
ArvanCloud Object Storage Alternatives
Advanced Media Offloader
advanced-media-offloader
Save server space & speed up your site by automatically offloading media to Amazon S3, Cloudflare R2 & more.
Advanced S3 Destinations for BackWPup
advanced-backwpup-s3-destinations
Easily add custom S3 destinations for BackWPup.
CloudSync Master – Offload Media to S3, Cloudflare R2 & Google Cloud
wp-cloudsync-master
Speed up WordPress by offloading media to Cloudflare R2, Amazon S3, Google Cloud & 7 more. Zero egress fees. Migrate from WP Offload Media in one …
Swift Offload
swift-offload
Offload WordPress media to Amazon S3, Wasabi, DigitalOcean Spaces, or MinIO. Serve files via CloudFront CDN for faster delivery.
ZATA S3 Backup
zata-s3-backup
Backup your site database, themes, and plugins and upload them to ZATA or any S3-compatible object storage.
ArvanCloud Object Storage Developer Profile
3 plugins · 130 total installs
How We Detect ArvanCloud Object Storage
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/arvancloud-object-storage/assets/css/main.css/wp-content/plugins/arvancloud-object-storage/assets/css/tagify.css/wp-content/plugins/arvancloud-object-storage/assets/js/admin.js/wp-content/plugins/arvancloud-object-storage/assets/js/bulkops.js/wp-content/plugins/arvancloud-object-storage/assets/js/tagify.min.jsassets/js/admin.jsassets/js/bulkops.jsassets/js/tagify.min.jsarvancloud-object-storage/assets/css/main.css?ver=arvancloud-object-storage/assets/css/tagify.css?ver=arvancloud-object-storage/assets/js/admin.js?ver=arvancloud-object-storage/assets/js/bulkops.js?ver=arvancloud-object-storage/assets/js/tagify.min.js?ver=HTML / DOM Fingerprints
tagifydata-page="wp-arvancloud-storage"acs_mediaobs_bulk_ops_nonce