CloudSearch Security & Risk Analysis

wordpress.org/plugins/cloud-search

CloudSearch is a flexible plugin that allows you to leverage the search index power of Amazon CloudSearch in your WordPress site.

80 active installs v3.0.0 PHP + WP 4.4+ Updated Jan 27, 2023
amazonawscloudresearchsearch
Score: 63 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Oct 16, 2025
Safety Verdict

Is CloudSearch Safe to Use in 2026?

Use With Caution

Score 63/100

CloudSearch has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Oct 16, 2025 · Updated 3yr ago
Risk Assessment

The "cloud-search" v3.0.0 plugin presents a significant security risk due to a large, unprotected attack surface. All 34 identified AJAX handlers lack authentication checks, making them prime targets for unauthorized actions. While the plugin doesn't appear to have critical or high-severity taint flow issues, the absence of proper authorization on such a vast number of entry points is deeply concerning. The presence of 8 unsanitized path flows, even without a critical severity rating, suggests potential for directory traversal or similar vulnerabilities if further exploited.

The plugin's vulnerability history, featuring one unpatched medium-severity CVE, raises questions about the diligence in addressing past security issues. The fact that the last vulnerability was recorded in the future (2025-10-16) is an anomaly and should be investigated, but assuming it's a data error, a past medium vulnerability indicates a tendency for security flaws to emerge. Coupled with a large number of unprotected AJAX handlers and a single SQL query that does not utilize prepared statements, the plugin's overall security posture is weak.

Despite the concerning lack of authentication on AJAX handlers, the plugin does show some positive signs, such as the presence of nonce and capability checks (though limited) and a reasonable rate of output escaping (58%). The absence of external HTTP requests and a low number of file operations are also positive indicators. However, these strengths are overshadowed by the critical weakness of an exposed attack surface and a history of vulnerabilities. The bundled Guzzle library also requires attention regarding its version and potential known vulnerabilities.

Key Concerns

  • 34 AJAX handlers without auth checks
  • 1 SQL query without prepared statements
  • 8 unsanitized path flows
  • 1 unpatched medium CVE
  • Bundled library (Guzzle) might be outdated
Vulnerabilities: 1

CloudSearch Security Vulnerabilities

CVEs by Year

2025: 1 CVE · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-62962 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

CloudSearch <= 3.0.0 - Cross-Site Request Forgery

Oct 16, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

CloudSearch Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 154 (215 escaped)
Nonce Checks: 3
Capability Checks: 4
File Operations: 6
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

58% escaped · 369 total outputs
Data Flows: 8 unsanitized

Data Flow Analysis

10 flows · 8 with unsanitized paths
acs_api_search (api\cloud-search-api-search.php:5)
Attack Surface: 34 unprotected

CloudSearch Attack Surface

Entry Points: 34
Unprotected: 34

AJAX Handlers 34

auth · wp_ajax_acs_index_documents_update · actions\cloud-search-action-operation.php:84
nopriv · wp_ajax_acs_index_documents_update · actions\cloud-search-action-operation.php:85
auth · wp_ajax_acs_index_documents_sync · actions\cloud-search-action-operation.php:267
nopriv · wp_ajax_acs_index_documents_sync · actions\cloud-search-action-operation.php:268
auth · wp_ajax_acs_index_documents_delete · actions\cloud-search-action-operation.php:411
nopriv · wp_ajax_acs_index_documents_delete · actions\cloud-search-action-operation.php:412
auth · wp_ajax_acs_index_documents_stop · actions\cloud-search-action-operation.php:446
nopriv · wp_ajax_acs_index_documents_stop · actions\cloud-search-action-operation.php:454
auth · wp_ajax_acs_search_documents · actions\cloud-search-action-search.php:9
nopriv · wp_ajax_acs_search_documents · actions\cloud-search-action-search.php:10
auth · wp_ajax_acs_search_documents_full · actions\cloud-search-action-search.php:19
nopriv · wp_ajax_acs_search_documents_full · actions\cloud-search-action-search.php:20
auth · wp_ajax_acs_index_searchable_documents · actions\cloud-search-action-status.php:52
nopriv · wp_ajax_acs_index_searchable_documents · actions\cloud-search-action-status.php:60
auth · wp_ajax_acs_index_site_documents · actions\cloud-search-action-status.php:114
nopriv · wp_ajax_acs_index_site_documents · actions\cloud-search-action-status.php:122
auth · wp_ajax_acs_index_fields · actions\cloud-search-action-status.php:171
nopriv · wp_ajax_acs_index_fields · actions\cloud-search-action-status.php:179
auth · wp_ajax_acs_index_status · actions\cloud-search-action-status.php:204
nopriv · wp_ajax_acs_index_status · actions\cloud-search-action-status.php:212
auth · wp_ajax_acs_api_search · api\cloud-search-api-search.php:51
nopriv · wp_ajax_acs_api_search · api\cloud-search-api-search.php:52
auth · wp_ajax_acs_api_search_full · api\cloud-search-api-search.php:111
nopriv · wp_ajax_acs_api_search_full · api\cloud-search-api-search.php:112
auth · wp_ajax_acs_api_index_searchable_documents · api\cloud-search-api-status.php:40
nopriv · wp_ajax_acs_api_index_searchable_documents · api\cloud-search-api-status.php:41
auth · wp_ajax_acs_api_index_site_documents · api\cloud-search-api-status.php:81
nopriv · wp_ajax_acs_api_index_site_documents · api\cloud-search-api-status.php:82
auth · wp_ajax_acs_api_index_fields · api\cloud-search-api-status.php:120
nopriv · wp_ajax_acs_api_index_fields · api\cloud-search-api-status.php:121
auth · wp_ajax_acs_api_index_status · api\cloud-search-api-status.php:163
nopriv · wp_ajax_acs_api_index_status · api\cloud-search-api-status.php:164
auth · wp_ajax_acs_suggest_callback · cloud-search.php:232
nopriv · wp_ajax_acs_suggest_callback · cloud-search.php:233

WordPress Hooks 15

action · admin_init · actions\cloud-search-action-import.php:23
action · admin_init · actions\cloud-search-action-import.php:145
action · admin_menu · admin\cloud-search-admin.php:59
action · wp_enqueue_scripts · admin\cloud-search-admin.php:139
action · transition_post_status · cloud-search-hooks.php:44
action · edit_terms · cloud-search-hooks.php:78
action · create_terms · cloud-search-hooks.php:79
action · delete_category · cloud-search-hooks.php:110
filter · template_include · cloud-search-hooks.php:141
filter · posts_request · cloud-search-hooks.php:164
filter · the_posts · cloud-search-hooks.php:182
action · plugins_loaded · cloud-search.php:214
action · rest_api_init · cloud-search.php:236
action · init · cloud-search.php:239
action · plugins_loaded · cloud-search.php:247

Maintenance & Trust

CloudSearch Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: Jan 27, 2023
PHP min version
Downloads: 9K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 80

Developer Profile

CloudSearch Developer Profile

Andrea Landonio

4 plugins · 1K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 155 days

Detection Fingerprints

How We Detect CloudSearch

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cloud-search/css/cloud-search-main.css
/wp-content/plugins/cloud-search/css/cloud-search-admin.css
/wp-content/plugins/cloud-search/js/cloud-search-admin.js
/wp-content/plugins/cloud-search/js/cloud-search-main.js
/wp-content/plugins/cloud-search/js/cloud-search-utils.js

Script Paths
/wp-content/plugins/cloud-search/js/cloud-search-main.js
/wp-content/plugins/cloud-search/js/cloud-search-utils.js
/wp-content/plugins/cloud-search/js/cloud-search-admin.js

Version Parameters
cloud-search/css/cloud-search-main.css?ver=
cloud-search/css/cloud-search-admin.css?ver=
cloud-search/js/cloud-search-admin.js?ver=
cloud-search/js/cloud-search-main.js?ver=
cloud-search/js/cloud-search-utils.js?ver=

HTML / DOM Fingerprints

CSS Classes
cloud-search-results
cloud-search-filters
cloud-search-autocomplete-wrapper
cloud-search-autocomplete-input
cloud-search-autocomplete-results

HTML Comments
<!-- CloudSearch plugin. -->
<!-- CloudSearch admin plugin. -->

Data Attributes
data-cloudsearch-query-input
data-cloudsearch-results-container
data-cloudsearch-filter-container

JS Globals
cloudSearch
acs_settings
ACS

REST Endpoints
/wp-json/cloud-search/v1/search
/wp-json/cloud-search/v1/suggest

Shortcode Output
[cloud_search_results]
[cloud_search_filters]
[cloud_search_autocomplete]

FAQ

Frequently Asked Questions about CloudSearch