WP-Safety

Fediverse Embeds Security & Risk Analysis

wordpress.org/plugins/fediverse-embeds

Embed fediverse posts easily.

90 active installs v1.5.7 PHP 7.4+ WP 5.0+ Updated Dec 27, 2025
embedfediversemastodonposttoot
97
A · Safe
CVEs total1
Unpatched0
Last CVENov 19, 2024
Plugin page Download
Safety Verdict

Is Fediverse Embeds Safe to Use in 2026?

Generally Safe

Score 97/100

Fediverse Embeds has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Nov 19, 2024Updated 3mo ago
Risk Assessment

The fediverse-embeds plugin v1.5.7 exhibits a mixed security posture. While it demonstrates good practices such as a high percentage of properly escaped outputs and the use of prepared statements for most SQL queries, there are notable areas of concern. The presence of unprotected AJAX handlers and REST API routes represents direct entry points that could be exploited without proper authentication. The lack of capability checks further exacerbates this risk, meaning any authenticated user, regardless of their role, could potentially trigger these unprotected endpoints. The plugin's vulnerability history includes one critical CVE for unrestricted file uploads, which is a serious concern that was seemingly addressed as it is currently unpatched. This past critical vulnerability suggests a potential for severe security flaws if not meticulously managed. Overall, while the code itself shows some positive security development, the unprotected entry points and past critical vulnerability history warrant careful consideration and mitigation.

Key Concerns

  • Unprotected AJAX handler
  • Unprotected REST API route
  • No capability checks
  • Past critical CVE (Unrestricted Upload)
Vulnerabilities
1

Fediverse Embeds Security Vulnerabilities

CVEs by Year

1 CVE in 2024
2024
Patched Has unpatched

Severity Breakdown

Critical
1

1 total CVE

CVE-2024-52476critical · 9.8Unrestricted Upload of File with Dangerous Type

Fediverse Embeds <= 1.5.3 - Unauthenticated Arbitrary File Upload

Nov 19, 2024 Patched in 1.5.4 (8d)
Code Analysis
Analyzed Mar 16, 2026

Fediverse Embeds Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
2 prepared
Unescaped Output
3
22 escaped
Nonce Checks
2
Capability Checks
0
File Operations
6
External Requests
3
Bundled Libraries
0

SQL Query Safety

67% prepared3 total queries

Output Escaping

88% escaped25 total outputs
Attack Surface
2 unprotected

Fediverse Embeds Attack Surface

Entry Points6
Unprotected2

AJAX Handlers 5

authwp_ajax_ftf_get_postincludes\Embed_Posts.php:25
noprivwp_ajax_ftf_get_postincludes\Embed_Posts.php:26
noprivwp_ajax_ftf_media_proxyincludes\Media_Proxy.php:20
authwp_ajax_ftf_get_site_infoincludes\Site_Info.php:13
noprivwp_ajax_ftf_get_site_infoincludes\Site_Info.php:14

REST API Routes 1

GET/wp-json/ftfmedia-proxyincludes\Media_Proxy.php:25
WordPress Hooks 8
actionrender_blockincludes\Embed_Posts.php:24
actionwp_enqueue_scriptsincludes\Enqueue_Assets.php:13
actionwp_footerincludes\Enqueue_Assets.php:14
actionscript_loader_tagincludes\Enqueue_Assets.php:15
actionrest_api_initincludes\Media_Proxy.php:19
actionadmin_initincludes\Settings.php:15
actionadmin_menuincludes\Settings.php:16
filterplugin_action_links_fediverse-embeds/index.phpincludes\Settings.php:17
Maintenance & Trust

Fediverse Embeds Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedDec 27, 2025
PHP min version7.4
Downloads3K

Community Trust

Rating100/100
Number of ratings1
Active installs90
Alternatives

Fediverse Embeds Alternatives

TootPress

TootPress

tootpress

A
100

TootPress copies your toots from Mastodon to WordPress.

30 No CVEs
XPoster – Share to Bluesky and Mastodon

XPoster – Share to Bluesky and Mastodon

wp-to-twitter

A
99

Posts to Bluesky, Mastodon or X when you update your WordPress blog or add a link, with your chosen URL shortening service.

10K 1 CVE
Intagrate Lite

Intagrate Lite

instagrate-to-wordpress

A
99

Automatically post your Instagram images to your WordPress site. Create new WordPress posts from your Instagram images, save the Instagram image to th &hellip;

4K 1 CVE
Feeds for Twitter – Embed Social Media Posts with Live Updates

Feeds for Twitter – Embed Social Media Posts with Live Updates

easy-twitter-feeds

A
99

Embed Twitter Timeline/Feed, Post, Video, Hashtag, Follow Button, Tweet Button easily. This plugin is lightweight but super powerful.

2K 2 CVEs
Embed Iframe

Embed Iframe

embed-iframe

A
85

Allows the insertion of code to display an external webpage within an iframe.

2K No CVEs
Developer Profile

Fediverse Embeds Developer Profile

Stefan Bohacek

3 plugins · 150 total installs

90
trust score
Avg Security Score
94/100
Avg Patch Time
8 days
View full developer profile
Detection Fingerprints

How We Detect Fediverse Embeds

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/fediverse-embeds/dist/js/scripts.js/wp-content/plugins/fediverse-embeds/dist/css/styles-bs.min.css/wp-content/plugins/fediverse-embeds/dist/css/styles.min.css
Script Paths
/wp-content/plugins/fediverse-embeds/dist/js/scripts.js
Version Parameters
/wp-content/plugins/fediverse-embeds/dist/css/styles-bs.min.css?ver=/wp-content/plugins/fediverse-embeds/dist/css/styles.min.css?ver=/wp-content/plugins/fediverse-embeds/dist/js/scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
ftf-fediverse-embeds-post-wrapper
Data Attributes
data-post-id
JS Globals
ftf_fediverse_embeds
REST Endpoints
/wp-json/ftf/media-proxy
FAQ

Frequently Asked Questions about Fediverse Embeds