ER Swiffy Insert Security & Risk Analysis

wordpress.org/plugins/er-swiffy-insert

ER Swiffy Insert allows you to insert HTML5 animations generated with Google Swiffy.

10 active installs v1.0.0 PHP + WP 3.0.0+ Updated Apr 2, 2013
erhtml5insertshortcodeswiffy
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEApr 21, 2026
Safety Verdict

Is ER Swiffy Insert Safe to Use in 2026?

Use With Caution

Score 63/100

ER Swiffy Insert has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Apr 21, 2026Updated 13yr ago
Risk Assessment

The er-swiffy-insert plugin v1.0.0 exhibits a generally good security posture based on static analysis, with no direct vulnerabilities flagged in taint analysis or a history of recorded CVEs. The absence of dangerous functions, external HTTP requests, and file operations are positive indicators. SQL queries are also safely implemented using prepared statements. However, a significant concern arises from the lack of output escaping. With 100% of its outputs unescaped, this presents a clear risk of Cross-Site Scripting (XSS) vulnerabilities, especially given that the plugin has at least one shortcode, which is a common entry point for user-provided data that can be rendered to the page. The complete absence of nonce and capability checks, while not directly tied to an exposed entry point in this analysis, indicates a lack of defense-in-depth, making any future expansion of the attack surface potentially more vulnerable.

Key Concerns

  • Unescaped output detected
  • No nonce checks present
  • No capability checks present
Vulnerabilities
1 published

ER Swiffy Insert Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-4082medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ER Swiffy Insert <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Apr 21, 2026Unpatched
Version History

ER Swiffy Insert Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

ER Swiffy Insert Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
3
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped3 total outputs
Attack Surface

ER Swiffy Insert Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[swiffy] er-swiffy-insert.php:38
WordPress Hooks 5
actionadmin_enqueue_scriptser-swiffy-insert.php:31
actionwp_enqueue_scriptser-swiffy-insert.php:32
actionadmin_menuer-swiffy-insert.php:35
actionwp_header-swiffy-insert.php:41
actionwp_footerer-swiffy-insert.php:44
Maintenance & Trust

ER Swiffy Insert Maintenance & Trust

Maintenance Signals

WordPress version tested3.5.2
Last updatedApr 2, 2013
PHP min version
Downloads2K

Community Trust

Rating100/100
Number of ratings1
Active installs10
Developer Profile

ER Swiffy Insert Developer Profile

ER (ET & RaveMaker)

1 plugin · 10 total installs

68
trust score
Avg Security Score
63/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect ER Swiffy Insert

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/er-swiffy-insert/js/er-swiffy-insert.js/wp-content/plugins/er-swiffy-insert/css/er-swiffy-insert.css
Script Paths
https://www.gstatic.com/swiffy/v
Version Parameters
er-swiffy-insert/js/er-swiffy-insert.js?ver=er-swiffy-insert/css/er-swiffy-insert.css?ver=

HTML / DOM Fingerprints

JS Globals
swiffyobject_
Shortcode Output
<div id='swiffycontainer_
FAQ

Frequently Asked Questions about ER Swiffy Insert