Flickr-stream Security & Risk Analysis

wordpress.org/plugins/flickr-stream

This plugin allows you to include photosets and galleries from Flickr in your WordPress site, either embedded in a page or post, or as a sidebar widge …

100 active installs v1.3 PHP + WP 4.4.0+ Updated Jan 12, 2021
flickrgalleryphotos
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Flickr-stream Safe to Use in 2026?

Generally Safe

Score 85/100

Flickr-stream has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago
Risk Assessment

The flickr-stream plugin v1.3 presents a mixed security posture. While it boasts zero known CVEs and a limited attack surface with all identified entry points seemingly protected by authentication mechanisms, several concerning code signals warrant attention. The presence of the `unserialize` function is a significant red flag, as it's a common vector for object injection vulnerabilities if not handled with extreme care and validation. Furthermore, a substantial percentage (59%) of its output is not properly escaped, increasing the risk of cross-site scripting (XSS) attacks. The taint analysis revealing a high-severity flow with unsanitized paths further reinforces these concerns, suggesting potential for malicious data to be processed without adequate sanitization. The plugin's history of no recorded vulnerabilities is a positive indicator, but it does not negate the inherent risks identified in the static analysis. Therefore, while the plugin appears to have a relatively clean track record and a controlled entry point, the identified code weaknesses, particularly `unserialize` and insufficient output escaping, introduce considerable risk.

Key Concerns

  • Use of unserialize() function
  • High percentage of unescaped output
  • High severity taint flow with unsanitized paths
  • Bundled outdated jQuery library
Vulnerabilities
None known

Flickr-stream Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Flickr-stream Release Timeline

v1.3Current
v1.2.9
v1.2.7
v1.2.6
v1.2.5
v1.2.1
v1.2
v1.1.5
v1.1
v1.0.2
v1.0.1
v1.0
Code Analysis
Analyzed Mar 16, 2026

Flickr-stream Code Analysis

Dangerous Functions
1
Raw SQL Queries
4
3 prepared
Unescaped Output
77
53 escaped
Nonce Checks
5
Capability Checks
0
File Operations
0
External Requests
1
Bundled Libraries
1

Dangerous Functions Found

unserialize$intdata = unserialize($val['option_value']);class\fsShortcodeListTable.class.php:166

Bundled Libraries

jQuery3.0.5

SQL Query Safety

43% prepared7 total queries

Output Escaping

41% escaped130 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths
search_box (class\fsWPListTableBase.class.php:346)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Flickr-stream Attack Surface

Entry Points2
Unprotected0

AJAX Handlers 1

authwp_ajax_fs_deleteshortcodeinc\ajax.inc.php:16

Shortcodes 1

[flickrstream] frontend.php:29
WordPress Hooks 8
actionadmin_initadmin.php:32
actionadmin_enqueue_scriptsadmin.php:33
actionadmin_enqueue_scriptsadmin.php:34
actionadmin_menuadmin.php:35
actionadmin_footerclass\fsWPListTableBase.class.php:157
actionwidgets_initflickrstream.php:58
actionwp_enqueue_scriptsfrontend.php:30
actionwp_enqueue_scriptsfrontend.php:31
Maintenance & Trust

Flickr-stream Maintenance & Trust

Maintenance Signals

WordPress version tested4.8.28
Last updatedJan 12, 2021
PHP min version
Downloads9K

Community Trust

Rating90/100
Number of ratings2
Active installs100
Developer Profile

Flickr-stream Developer Profile

dustinscarberry

3 plugins · 310 total installs

71
trust score
Avg Security Score
89/100
Avg Patch Time
215 days
View full developer profile
Detection Fingerprints

How We Detect Flickr-stream

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/flickr-stream/css/admin.css/wp-content/plugins/flickr-stream/js/admin.min.js
Script Paths
/wp-content/plugins/flickr-stream/js/admin.min.js
Version Parameters
flickr-stream/css/admin.css?ver=flickr-stream/js/admin.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
fs-shortcode-panelfs-masthead
Data Attributes
id="fs-shortcode-panel"
JS Globals
fsJSData
FAQ

Frequently Asked Questions about Flickr-stream