Extra Settings for RocketChat Security & Risk Analysis

wordpress.org/plugins/extra-settings-for-rocketchat

Extra settings for Rocket.Chat's Wordpress plugin. Helps display better on sites that have WooCommerce activated, adjust if data is collected fro …

10 active installs v0.1 PHP 5.2.4+ WP 5.1+ Updated Feb 25, 2020
livechatrocketchatwoocommerce
63
C · Use Caution
CVEs total1
Unpatched1
Last CVEJun 8, 2026
Safety Verdict

Is Extra Settings for RocketChat Safe to Use in 2026?

Use With Caution

Score 63/100

Extra Settings for RocketChat has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Jun 8, 2026Updated 6yr ago
Risk Assessment

The plugin 'extra-settings-for-rocketchat' v0.1 exhibits a mixed security posture. On the positive side, it has no known vulnerabilities (CVEs) and the static analysis shows no dangerous functions, file operations, or external HTTP requests. Crucially, all SQL queries are prepared, which is a significant strength in preventing SQL injection. Taint analysis also reported no vulnerabilities.

However, there are notable areas of concern. The plugin has an extremely low percentage of properly escaped output (14%), indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the absence of nonce checks and capability checks is a critical weakness. While the identified entry point is only a shortcode, without proper authorization checks, it could potentially be exploited if it interacts with user-provided data or performs sensitive actions.

The complete lack of past vulnerability history is a positive sign, suggesting the developers may have a good security awareness or the plugin has not been widely targeted. Despite this, the current code analysis reveals significant potential for XSS and authorization bypass due to unescaped output and missing security checks on its single entry point.

Key Concerns

  • Low output escaping percentage
  • Missing nonce checks
  • Missing capability checks
Vulnerabilities
1 published

Extra Settings for RocketChat Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-8841medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Extra Settings for RocketChat <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Jun 8, 2026Unpatched
Version History

Extra Settings for RocketChat Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

Extra Settings for RocketChat Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
6
1 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

14% escaped7 total outputs
Attack Surface

Extra Settings for RocketChat Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[rocketchat] rocketchat-extra-settings.php:344
WordPress Hooks 8
actionadmin_menurocketchat-extra-settings.php:43
actionadmin_initrocketchat-extra-settings.php:47
actionwp_footerrocketchat-extra-settings.php:168
actionwp_enqueue_scriptsrocketchat-extra-settings.php:210
actionstorefront_handheld_footer_bar_linksrocketchat-extra-settings.php:244
actionwp_enqueue_scriptsrocketchat-extra-settings.php:304
actionwp_enqueue_scriptsrocketchat-extra-settings.php:317
actionwp_enqueue_scriptsrocketchat-extra-settings.php:357
Maintenance & Trust

Extra Settings for RocketChat Maintenance & Trust

Maintenance Signals

WordPress version tested5.3.21
Last updatedFeb 25, 2020
PHP min version5.2.4
Downloads1K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

Extra Settings for RocketChat Developer Profile

andrewabarber

2 plugins · 50 total installs

76
trust score
Avg Security Score
74/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Extra Settings for RocketChat

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes
dashicons-yes-altdashicons-no-altdashicons-format-statusbtn
Data Attributes
id="rxstg_shortcode_btn"
Shortcode Output
[rocketchat title='Open Support Chat']
FAQ

Frequently Asked Questions about Extra Settings for RocketChat