Goracash Security & Risk Analysis

wordpress.org/plugins/goracash

Goracash, part of Wengo - Vivendi Group, is an affiliate program that allows you to monetize your traffic and earn money with it.

300 active installs · v1.1 · PHP + · WP 3.0.1+ · Updated Oct 22, 2018
adserver banner goracash lead teach
Score: 63 (C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Sep 22, 2025
Safety Verdict

Is Goracash Safe to Use in 2026?

Use With Caution

Score 63/100

Goracash has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 22, 2025 · Updated 7yr ago
Risk Assessment

The goracash v1.1 plugin exhibits a mixed security posture. While it demonstrates good practices by not using dangerous functions and exclusively employing prepared statements for SQL queries, significant concerns arise from its output escaping and vulnerability history. The complete absence of proper output escaping for all 15 identified output points is a critical weakness, leaving the plugin highly susceptible to Cross-Site Scripting (XSS) attacks. This is further exacerbated by the plugin's history, which includes a known medium-severity XSS vulnerability that remains unpatched. The presence of an unpatched CVE, especially related to XSS, is a major red flag. The limited attack surface and lack of directly exploitable AJAX or REST API endpoints without permission checks are positive aspects, but they are overshadowed by the fundamental flaws in output handling and the unresolved historical vulnerability.

Key Concerns

  • Unpatched CVE exists
  • No output escaping
  • No nonce checks
  • No capability checks
Vulnerabilities
1 published

Goracash Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-53458 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Goracash <= 1.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 22, 2025 · Unpatched
Version History

Goracash Release Timeline

v1.1 (Current): 1 CVE
v1.0: 1 CVE
v0.9: 1 CVE
v0.8: 1 CVE
v0.7: 1 CVE
v0.6: 1 CVE
v0.5: 1 CVE
v0.4: 1 CVE
v0.3: 1 CVE
v0.2: 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Goracash Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 15 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 3
External Requests: 1
Bundled Libraries: 0

Output Escaping

0% escaped · 15 total outputs
Attack Surface

Goracash Attack Surface

Entry Points: 3
Unprotected: 0

Shortcodes: 3

[goracash_banner] includes\banner.php:25
[goracash_free_content] includes\free.content.php:24
[goracash_iframe] includes\iframe.php:22
WordPress Hooks: 8
action widgets_init includes\banner.php:21
action wp_head includes\banner.php:24
action widgets_init includes\free.content.php:21
action widgets_init includes\iframe.php:19
action admin_menu wp-goracash.php:47
action admin_init wp-goracash.php:48
action admin_enqueue_scripts wp-goracash.php:49
action plugins_loaded wp-goracash.php:61
Maintenance & Trust

Goracash Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.4.2
Last updated: Oct 22, 2018
PHP min version
Downloads: 3K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 300
Developer Profile

Goracash Developer Profile

davaxi

1 plugin · 300 total installs

Trust score: 68
Avg Security Score: 63/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Goracash

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/goracash/css/bootstrap.min.css
/wp-content/plugins/goracash/css/font-awesome.min.css
/wp-content/plugins/goracash/css/admin.css
/wp-content/plugins/goracash/js/admin.js
Script Paths
/wp-content/plugins/goracash/js/admin.js
Version Parameters
goracash_admin_bootstrap_css?ver=3.3.5
goracash_admin_fontaweome_css?ver=4.4.0
goracash_admin_css?ver=0.1
goracash_admin_js?ver=0.1

HTML / DOM Fingerprints

CSS Classes
alert-warning