Crelly Slider Security & Risk Analysis

wordpress.org/plugins/crelly-slider

A free responsive slider that supports layers. Add texts, images, videos and beautify them with transitions and animations.

10K active installs · v1.4.7 · PHP + · WP 4.6+ · Updated Jan 2, 2025
Tags: animations, layers, slider, texts, transitions
Score: 63 (C · Use Caution)
CVEs total: 5
Unpatched: 1
Last CVE: Jan 6, 2025
Safety Verdict

Is Crelly Slider Safe to Use in 2026?

Use With Caution

Score 63/100

Crelly Slider has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

5 known CVEs · 1 unpatched · Last CVE: Jan 6, 2025 · Updated 1yr ago
Risk Assessment

Crelly Slider version 1.4.7 presents a mixed security posture. It shows good practices: a majority of SQL queries use prepared statements, and its entry points carry a reasonable number of capability checks and nonce checks. Static analysis nonetheless raises several concerns. The 5 flows with unsanitized paths and 4 high-severity taint flows indicate potential avenues for attackers to manipulate the application. Combined with a history of vulnerabilities that includes Cross-Site Scripting, SQL Injection, and Authorization Bypass, this describes a plugin that, despite some security efforts, has previously been susceptible to significant risks. One CVE remains unpatched as of January 2025, a critical red flag suggesting that known vulnerabilities may still be exploitable.

Key Concerns

  • Currently unpatched CVE
  • High severity taint flows
  • Flows with unsanitized paths
  • Historical high severity vulnerabilities
  • Output escaping is not consistently applied
Vulnerabilities: 5

Crelly Slider Security Vulnerabilities

CVEs by Year

  • 2017: 1 CVE
  • 2019: 1 CVE
  • 2024: 2 CVEs · unpatched
  • 2025: 1 CVE

Severity Breakdown

  • High: 2
  • Medium: 3

5 total CVEs

CVE-2024-13116 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Crelly Slider <= 1.4.6 - Authenticated (Admin+) Stored Cross-Site Scripting

Jan 6, 2025 · Patched in 1.4.7 (44d)

CVE-2024-33542 · medium · 5.4 · Authorization Bypass Through User-Controlled Key

Crelly Slider <= 1.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference

Apr 25, 2024 · Patched in 1.4.6 (37d)

CVE-2024-3752 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Crelly Slider <= 1.4.6 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 15, 2024 · Unpatched

CVE-2019-15866 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Crelly Slider <= 1.3.4 - Arbitrary File Upload

Jun 6, 2019 · Patched in 1.3.5 (1898d)

WF-473ff00e-e045-4b66-b0af-89d666de4de8-crelly-slider · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Crelly Slider <= 1.1.1 - SQL Injection

Jun 5, 2017 · Patched in 1.1.2 (2423d)

Code Analysis
Analyzed Mar 16, 2026

Crelly Slider Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 2 (53 prepared)
  • Unescaped Output: 134 (194 escaped)
  • Nonce Checks: 6
  • Capability Checks: 10
  • File Operations: 6
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

96% prepared · 55 total queries

Output Escaping

59% escaped · 328 total outputs

Data Flows: 5 unsanitized

Data Flow Analysis

11 flows · 5 with unsanitized paths

<ajax> (wordpress\ajax.php:0)
Diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized

Attack Surface

Crelly Slider Attack Surface

Entry Points: 10
Unprotected: 0

AJAX Handlers 9

  • auth · wp_ajax_crellyslider_listSlidersForGutenberg · wordpress\ajax.php:68
  • auth · wp_ajax_crellyslider_addSlider · wordpress\ajax.php:125
  • auth · wp_ajax_crellyslider_editSlider · wordpress\ajax.php:194
  • auth · wp_ajax_crellyslider_editSlides · wordpress\ajax.php:266
  • auth · wp_ajax_crellyslider_editElements · wordpress\ajax.php:346
  • auth · wp_ajax_crellyslider_deleteSlider · wordpress\ajax.php:438
  • auth · wp_ajax_crellyslider_duplicateSlider · wordpress\ajax.php:492
  • auth · wp_ajax_crellyslider_exportSlider · wordpress\ajax.php:593
  • auth · wp_ajax_crellyslider_importSlider · wordpress\ajax.php:711

Shortcodes 1

[crellyslider] wordpress\frontend.php:34

WordPress Hooks 8

  • action · admin_menu · wordpress\admin.php:10
  • action · admin_print_footer_scripts · wordpress\admin.php:262
  • action · admin_head · wordpress\admin.php:281
  • action · admin_enqueue_scripts · wordpress\admin.php:282
  • action · wp_enqueue_scripts · wordpress\common.php:21
  • action · admin_enqueue_scripts · wordpress\common.php:22
  • action · plugins_loaded · wordpress\common.php:26
  • action · wp_enqueue_scripts · wordpress\frontend.php:16

Maintenance & Trust

Crelly Slider Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.7.5
  • Last updated: Jan 2, 2025
  • PHP min version
  • Downloads: 355K

Community Trust

  • Rating: 98/100
  • Number of ratings: 112
  • Active installs: 10K
Developer Profile

Crelly Slider Developer Profile

Fabio Rinaldi

1 plugin · 10K total installs

  • Trust score: 53
  • Avg Security Score: 63/100
  • Avg Patch Time: 1101 days
Detection Fingerprints

How We Detect Crelly Slider

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/crelly-slider/wordpress/css/admin.css
  • /wp-content/plugins/crelly-slider/wordpress/css/common.css
  • /wp-content/plugins/crelly-slider/wordpress/css/frontend.css
  • /wp-content/plugins/crelly-slider/wordpress/css/slider.css
  • /wp-content/plugins/crelly-slider/wordpress/css/slides.css
  • /wp-content/plugins/crelly-slider/wordpress/js/admin.js
  • /wp-content/plugins/crelly-slider/wordpress/js/common.js
  • /wp-content/plugins/crelly-slider/wordpress/js/frontend.js
  • +4 more

Script Paths
  • /wp-content/plugins/crelly-slider/wordpress/js/admin.js
  • /wp-content/plugins/crelly-slider/wordpress/js/common.js
  • /wp-content/plugins/crelly-slider/wordpress/js/frontend.js
  • /wp-content/plugins/crelly-slider/wordpress/js/slider.js
  • /wp-content/plugins/crelly-slider/wordpress/js/slides.js

Version Parameters
  • crelly-slider/wordpress/css/admin.css?ver=
  • crelly-slider/wordpress/css/common.css?ver=
  • crelly-slider/wordpress/css/frontend.css?ver=
  • crelly-slider/wordpress/css/slider.css?ver=
  • crelly-slider/wordpress/css/slides.css?ver=
  • crelly-slider/wordpress/js/admin.js?ver=
  • crelly-slider/wordpress/js/common.js?ver=
  • crelly-slider/wordpress/js/frontend.js?ver=
  • crelly-slider/wordpress/js/slider.js?ver=
  • crelly-slider/wordpress/js/slides.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • cs-admin
  • cs-no-js
  • cs-message
  • cs-message-error
  • cs-message-ok
  • cs-message-wait
  • cs-message-warning
  • cs-logo
  • +16 more

Data Attributes
  • data-id

JS Globals
  • crellyslider_locale
  • crellyslider_currentSliderNonce