ArvanCloud Object Storage Security & Risk Analysis

wordpress.org/plugins/arvancloud-object-storage

ArvanCloud Storage lets you offload, back up and upload your WordPress files and databases directly to your ArvanCloud object storage bucket.

60 active installs · v1.15.1 · PHP 7.1+ · WP 4.0+ · Updated Jun 1, 2025
Tags: backup, files, offload, s3, storage
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is ArvanCloud Object Storage Safe to Use in 2026?

Generally Safe

Score 100/100

ArvanCloud Object Storage has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10mo ago
Risk Assessment

The 'arvancloud-object-storage' plugin v1.15.1 exhibits a concerning security posture primarily due to a significant number of unprotected AJAX handlers. While the plugin demonstrates some good practices, such as the absence of known CVEs and a substantial portion of SQL queries using prepared statements, the high number of unprotected entry points presents a substantial attack surface. The presence of an unserialize function, while not immediately flagged as a critical taint flow, warrants caution as it can be a vector for code execution if not handled with extreme care and input validation.

Although the plugin has no recorded vulnerability history, this does not negate the risks identified in the static analysis. The taint analysis, while showing no critical or high severity flows, did reveal a notable number of flows with unsanitized paths, indicating potential areas where malicious input could be processed insecurely. The limited use of capability checks and nonce checks on the numerous unprotected AJAX handlers amplifies the risk, as unauthorized users could potentially trigger these actions.

In conclusion, while the lack of past vulnerabilities and the use of prepared statements are positive signs, the plugin's security is significantly undermined by its extensive unprotected AJAX endpoints and the presence of dangerous functions like unserialize without clear input validation. This creates a risk of unauthorized actions and potential exploits, despite the current clean vulnerability record.

Key Concerns

  • Large attack surface without auth
  • Dangerous function: unserialize
  • Flows with unsanitized paths
  • Missing nonce checks on AJAX
  • Low percentage of proper output escaping
  • Limited capability checks
Vulnerabilities
None known

ArvanCloud Object Storage Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

ArvanCloud Object Storage Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 9 (16 prepared)
Unescaped Output: 103 (61 escaped)
Nonce Checks: 7
Capability Checks: 2
File Operations: 21
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize (inc\Admin\Controllers\RemoveLocalFilesController.php:77):
    $post->attachments = empty($post->metadata)?['file'=>$post->file]:unserialize($post->metadata);

Bundled Libraries

Guzzle

SQL Query Safety

64% prepared (25 total queries)

Output Escaping

37% escaped (164 total outputs)
Data Flows
6 unsanitized

Data Flow Analysis

8 flows, 6 with unsanitized paths
scheduler_filter (inc\Admin\Admin.php:231)
Attack Surface
26 unprotected

ArvanCloud Object Storage Attack Surface

Entry Points: 32
Unprotected: 26

AJAX Handlers 26

Type  Hook  Location
auth  wp_ajax_acs_get_attachment_provider_details  inc\Storage.php:137
auth  wp_ajax_ar_bulk_upload_res  inc\Storage.php:152
auth  wp_ajax_ar_handle_bulk_upload  inc\Storage.php:153
auth  wp_ajax_ar_generate_acl_url  inc\Storage.php:154
auth  wp_ajax_ar_create_bucket  inc\Storage.php:155
auth  wp_ajax_migrate_to_new_bucket_modal  inc\Storage.php:166
auth  wp_ajax_get_migrate_to_new_bucket_task_status  inc\Storage.php:167
auth  wp_ajax_do_migrate_to_new_bucket  inc\Storage.php:168
auth  wp_ajax_do_reschedule_migration  inc\Storage.php:169
auth  wp_ajax_stop_migrate_to_new_bucket_task  inc\Storage.php:170
auth  wp_ajax_bulk_remove_modal  inc\Storage.php:177
auth  wp_ajax_do_bulk_remove  inc\Storage.php:178
auth  wp_ajax_get_bulk_remove_task_status  inc\Storage.php:179
auth  wp_ajax_stop_current_bulk_remove_task  inc\Storage.php:180
auth  wp_ajax_empty_bucket_modal  inc\Storage.php:185
auth  wp_ajax_do_empty_bucket  inc\Storage.php:186
auth  wp_ajax_get_empty_current_bucket_task_status  inc\Storage.php:187
auth  wp_ajax_stop_current_bucket_emptying_task  inc\Storage.php:188
auth  wp_ajax_bulk_upload_modal  inc\Storage.php:192
auth  wp_ajax_get_bulk_upload_task_status  inc\Storage.php:193
auth  wp_ajax_do_bulk_upload  inc\Storage.php:194
auth  wp_ajax_stop_current_bulk_upload_task  inc\Storage.php:195
auth  wp_ajax_bulk_download_modal  inc\Storage.php:198
auth  wp_ajax_get_bulk_download_task_status  inc\Storage.php:199
auth  wp_ajax_do_bulk_download  inc\Storage.php:200
auth  wp_ajax_stop_current_bulk_download_task  inc\Storage.php:201

REST API Routes 6

Method  Route  Location
GET  /wp-json/ac-storage/v1/ListBuckets  inc\RestApi.php:15
POST  /wp-json/ac-storage/v1/CreateBucket  inc\RestApi.php:21
POST  /wp-json/ac-storage/v1/DirectFetch  inc\RestApi.php:27
POST  /wp-json/ac-storage/v1/PutObject  inc\RestApi.php:33
POST  /wp-json/ac-storage/v1/DeleteObject  inc\RestApi.php:39
POST  /wp-json/ac-storage/v1/ListObjects  inc\RestApi.php:45
WordPress Hooks 50
Type  Hook  Location
action  admin_notices  inc\Admin\Admin.php:325
action  admin_notices  inc\Admin\Admin.php:353
action  admin_notices  inc\Admin\Admin.php:408
action  admin_notices  inc\Admin\Admin.php:445
action  admin_notices  inc\Admin\Admin.php:477
action  admin_notices  inc\Admin\Admin.php:483
action  admin_notices  inc\Admin\Admin.php:552
action  admin_notices  inc\Admin\Admin.php:558
action  admin_notices  inc\Admin\Admin.php:573
action  admin_notices  inc\Admin\Admin.php:870
action  admin_notices  inc\Admin\Admin.php:1802
action  admin_notices  inc\Admin\Admin.php:1827
action  obs_do_transfer_from_source_to_destination  inc\Admin\Controllers\BucketTransferController.php:21
action  obs_do_bulk_download  inc\Admin\Controllers\BulkDownloadController.php:28
action  obs_do_bulk_upload  inc\Admin\Controllers\BulkUploaderController.php:31
action  obs_do_empty_current_bucket  inc\Admin\Controllers\EmptyCurrentBucketController.php:24
action  obs_do_bulk_remove  inc\Admin\Controllers\RemoveLocalFilesController.php:25
action  obs_periodic_validate_api  inc\ApiValidator.php:16
action  admin_notices  inc\Helper.php:105
filter  action_scheduler_retention_period  inc\Kueue\KueueCore.php:14
action  rest_api_init  inc\RestApi.php:9
action  plugins_loaded  inc\Storage.php:114
action  admin_enqueue_scripts  inc\Storage.php:129
action  admin_enqueue_scripts  inc\Storage.php:130
action  admin_menu  inc\Storage.php:131
action  init  inc\Storage.php:132
action  init  inc\Storage.php:133
action  init  inc\Storage.php:134
action  admin_init  inc\Storage.php:135
action  delete_attachment  inc\Storage.php:136
action  admin_init  inc\Storage.php:138
action  admin_notices  inc\Storage.php:139
action  add_meta_boxes  inc\Storage.php:140
action  admin_head-post.php  inc\Storage.php:141
filter  add_attachment  inc\Storage.php:143
filter  wp_generate_attachment_metadata  inc\Storage.php:144
filter  wp_get_attachment_url  inc\Storage.php:145
filter  wp_get_attachment_image_src  inc\Storage.php:146
filter  bulk_actions-upload  inc\Storage.php:147
filter  handle_bulk_actions-upload  inc\Storage.php:148
filter  media_row_actions  inc\Storage.php:149
filter  wp_calculate_image_srcset  inc\Storage.php:150
filter  wp_update_attachment_metadata  inc\Storage.php:151
filter  get_site_icon_url  inc\Storage.php:156
action  restrict_manage_posts  inc\Storage.php:157
action  pre_get_posts  inc\Storage.php:158
filter  manage_upload_columns  inc\Storage.php:159
filter  manage_media_custom_column  inc\Storage.php:160
action  admin_footer  inc\Storage.php:161
action  init  inc\Storage.php:204
Maintenance & Trust

ArvanCloud Object Storage Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jun 1, 2025
PHP min version: 7.1
Downloads: 12K

Community Trust

Rating: 66/100
Number of ratings: 14
Active installs: 60
Developer Profile

ArvanCloud Object Storage Developer Profile

ArvanCloud

3 plugins · 140 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect ArvanCloud Object Storage

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/arvancloud-object-storage/assets/css/main.css
  • /wp-content/plugins/arvancloud-object-storage/assets/css/tagify.css
  • /wp-content/plugins/arvancloud-object-storage/assets/js/admin.js
  • /wp-content/plugins/arvancloud-object-storage/assets/js/bulkops.js
  • /wp-content/plugins/arvancloud-object-storage/assets/js/tagify.min.js

Script Paths

  • assets/js/admin.js
  • assets/js/bulkops.js
  • assets/js/tagify.min.js

Version Parameters

  • arvancloud-object-storage/assets/css/main.css?ver=
  • arvancloud-object-storage/assets/css/tagify.css?ver=
  • arvancloud-object-storage/assets/js/admin.js?ver=
  • arvancloud-object-storage/assets/js/bulkops.js?ver=
  • arvancloud-object-storage/assets/js/tagify.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
tagify
Data Attributes
data-page="wp-arvancloud-storage"
JS Globals
acs_media, obs_bulk_ops_nonce