Defaultify Featured Image Security & Risk Analysis

wordpress.org/plugins/defaultify-featured-image

Set a default featured image for posts, pages, and custom post types with an option to enable or disable automatic application.

0 active installs v1.9.1 PHP 7.4+ WP 6.2+ Updated Aug 1, 2025
automatic-featured-imagedefault-imagefeatured-imagepost-thumbnail
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Defaultify Featured Image Safe to Use in 2026?

Generally Safe

Score 100/100

Defaultify Featured Image has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 11mo ago
Risk Assessment

The 'defaultify-featured-image' v1.9.1 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and a high percentage of properly escaped output. The absence of known CVEs and a clean vulnerability history suggest a generally stable and well-maintained codebase. There are no external HTTP requests, file operations, or bundled libraries to complicate the security landscape.

However, the static analysis reveals a significant concern regarding its attack surface. There is one AJAX handler identified, and crucially, this handler lacks any authentication checks. This creates a direct entry point for unauthenticated users to interact with potentially sensitive plugin functionality. The taint analysis, while not revealing critical or high severity issues, did identify four flows with unsanitized paths, indicating a potential for unintended data handling or manipulation, though the impact appears to be mitigated by other factors or the nature of the flows.

In conclusion, while the plugin avoids common pitfalls like raw SQL and unescaped output, the single unprotected AJAX endpoint is a glaring security weakness. The lack of nonce checks further exacerbates this issue, leaving it susceptible to CSRF attacks and unauthorized actions. This single vulnerability significantly overshadows its otherwise commendable security practices. The vulnerability history offers some reassurance, but the current identified risks must be addressed.

Key Concerns

  • AJAX handler without authentication check
  • Flows with unsanitized paths
  • Missing nonce checks on AJAX
Vulnerabilities
None known

Defaultify Featured Image Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Defaultify Featured Image Release Timeline

v1.9.1Current
Code Analysis
Analyzed Apr 16, 2026

Defaultify Featured Image Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
4
26 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

87% escaped30 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

4 flows4 with unsanitized paths
ajax_wrapper (app/class-wpdfi.php:238)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

Defaultify Featured Image Attack Surface

Entry Points1
Unprotected1

AJAX Handlers 1

authwp_ajax_wpdfi_change_previewwpdfi.php:26
WordPress Hooks 12
filterwpdfi_thumbnail_idapp/class-wpdfi-exceptions.php:20
filterwpdfi_thumbnail_idtags/1.9.1/app/class-wpdfi-exceptions.php:20
actionadmin_initwpdfi.php:21
actionrest_api_initwpdfi.php:22
actionadmin_print_scripts-options-media.phpwpdfi.php:24
filterget_post_metadatawpdfi.php:28
filterpost_thumbnail_htmlwpdfi.php:30
filterplugin_action_links_defaultify-featured-image/defaultify-featured-image.phpwpdfi.php:33
filterpre_do_shortcode_tagwpdfi.php:39
filterdo_shortcode_tagwpdfi.php:40
filterwpdfi_thumbnail_idwpdfi.php:47
actionplugins_loadedwpdfi.php:50
Maintenance & Trust

Defaultify Featured Image Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedAug 1, 2025
PHP min version7.4
Downloads1K

Community Trust

Rating0/100
Number of ratings0
Active installs0
Developer Profile

Defaultify Featured Image Developer Profile

navneetkrkashyap

1 plugin · 0 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Defaultify Featured Image

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/defaultify-featured-image/src/wpdfi-admin.js
Version Parameters
defaultify-featured-image/src/wpdfi-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpdfi-set-wpdfiwpdfi-no-fdi
Data Attributes
id="wpdfi_id"name="wpdfi_image_id"id="wpdfi-set-wpdfi"id="wpdfi-no-fdi"id="wpdfi_enable_default"name="wpdfi_enable_default"
JS Globals
wpdfi_L10n
FAQ

Frequently Asked Questions about Defaultify Featured Image