Auto Last Youtube Video Security & Risk Analysis

wordpress.org/plugins/auto-last-youtube-video

This plugin provides both a widget and a shortcode to show the latest videos from any public YouTube channel.

100 active installs · v1.0.7 · PHP + WP 3.3+ · Updated May 8, 2020
davidmerinas · last-videos · shortcode · widget · youtube
Score 63 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Sep 5, 2025

Safety Verdict

Is Auto Last Youtube Video Safe to Use in 2026?

Use With Caution

Score 63/100

Auto Last Youtube Video has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 5, 2025 · Updated 6yr ago

Risk Assessment

The "auto-last-youtube-video" v1.0.7 plugin exhibits a mixed security posture. The attack surface is limited to a single shortcode, with no authentication checks reported on it and no taint flows reported, but several code signals warrant attention. The analysis flags `ini_set`, `create_function`, and `unserialize`, all under `inc/Zend/Feed/`; `create_function` and `unserialize` in particular can lead to arbitrary code execution or deserialization vulnerabilities if user-supplied data reaches them. Of 48 SQL queries, 8 are not prepared, and 13 of 23 outputs are not escaped, which increases the risk of SQL injection and cross-site scripting (XSS) respectively. The vulnerability history shows one medium-severity Cross-Site Request Forgery (CSRF) vulnerability, CVE-2025-58843, which, together with the absence of nonce checks in the code analysis, suggests a pattern of insufficient input validation and protection against malicious user interactions. That CVE remains unpatched and is the most pressing concern.

Key Concerns

  • Unpatched CVE (Medium severity)
  • Dangerous functions found (ini_set, create_function, unserialize)
  • Significant percentage of SQL queries not prepared
  • Significant percentage of output not properly escaped
  • No nonce checks detected
  • No capability checks detected on entry points
  • Shortcode exists without explicit auth checks reported
Vulnerabilities
1 published

Auto Last Youtube Video Security Vulnerabilities

CVEs by Year

2025: 1 CVE · unpatched

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-58843 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Auto Last Youtube Video <= 1.0.7 - Cross-Site Request Forgery

Sep 5, 2025 · Unpatched

Version History

Auto Last Youtube Video Release Timeline

No version history available.
Code Analysis
Analyzed Apr 16, 2026

Auto Last Youtube Video Code Analysis

Dangerous Functions: 9
Raw SQL Queries: 8 (40 prepared)
Unescaped Output: 13 (10 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 15
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

ini_set · `@ini_set('track_errors', 1);` · inc/Zend/Feed/Abstract.php:112
create_function · `return array_map(create_function('$e', 'return new Zend_Feed_Element($e);'), $nodes);` · inc/Zend/Feed/Element.php:196
ini_set · `@ini_set('track_errors', 1);` · inc/Zend/Feed/Entry/Abstract.php:81
ini_set · `@ini_set('track_errors', 1);` · inc/Zend/Feed/Entry/Atom.php:195
ini_set · `@ini_set('track_errors', 1);` · inc/Zend/Feed/Reader.php:368
ini_set · `@ini_set('track_errors', 1);` · inc/Zend/Feed/Reader.php:430
unserialize · `$value = unserialize($value);` · inc/Zend/Feed/Reader.php:716
ini_set · `@ini_set('track_errors', 1);` · inc/Zend/Feed.php:262
ini_set · `@ini_set('track_errors', 1);` · inc/Zend/Feed.php:302

SQL Query Safety

83% prepared · 48 total queries

Output Escaping

43% escaped · 23 total outputs

Attack Surface

Auto Last Youtube Video Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes: 1

[auto_last_youtube_video] · autolastyoutubevideo.php:223

WordPress Hooks: 2

action · wp_enqueue_scripts · autolastyoutubevideo.php:219
action · plugins_loaded · autolastyoutubevideo.php:220

Maintenance & Trust

Auto Last Youtube Video Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: May 8, 2020
PHP min version
Downloads: 9K

Community Trust

Rating: 84/100
Number of ratings: 6
Active installs: 100

Developer Profile

Auto Last Youtube Video Developer Profile

David Merinas

3 plugins · 210 total installs

Trust score: 68
Avg Security Score: 63/100
Avg Patch Time: 30 days

Detection Fingerprints

How We Detect Auto Last Youtube Video

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes
widget-title · autolasvideoseeall
Data Attributes
id="autolasvideoseeall"
Shortcode Output
[embed width=https://www.youtube.com/watch?v=][/embed]