
Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup Security & Risk Analysis
wordpress.org/plugins/graded-cards-system
A simple and effective system for collectors to manage, display, and verify their graded cards (PSA, BGS, SGC) with a certificate lookup feature.
Is Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup Safe to Use in 2026?
Generally Safe
Score: 100/100
Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The 'graded-cards-system' v2.2 plugin demonstrates a strong security posture with several positive attributes. Notably, all SQL queries are prepared, outputs are properly escaped, and there are no file operations or external HTTP requests, significantly reducing common attack vectors. The presence of nonce and capability checks, while limited in number, indicates an awareness of security best practices for handling user input and actions.
However, the taint analysis reveals a concern. One high-severity flow through an unsanitized path has been identified, suggesting that an attacker could exploit this weakness to manipulate data or gain unauthorized access. While the static analysis did not find any dangerous functions or unprotected entry points, this single high-severity taint flow warrants attention. The complete lack of past vulnerabilities is a positive indicator, implying the developers are generally attentive to security, but it does not negate the current findings from the static and taint analysis.
In conclusion, the plugin has a solid foundation in secure coding practices. The primary weakness lies in a single high-severity unsanitized path identified in the taint analysis. This, combined with a relatively small attack surface and good SQL/output handling, leads to a moderate overall risk. Addressing the identified taint flow should be the priority to further strengthen the plugin's security.
Key Concerns
- High severity taint flow with unsanitized path
Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup Security Vulnerabilities
Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup Release Timeline
Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup Code Analysis
SQL Query Safety
Output Escaping
Data Flow Analysis
Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup Attack Surface
Shortcodes: 2
WordPress Hooks: 5
Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup Maintenance & Trust
Maintenance Signals
Community Trust
Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup Alternatives
No alternatives data available yet.
Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup Developer Profile
2 plugins · 0 total installs
How We Detect Graded Cards System: Collector's Database, Seller Tools & Certificate Lookup
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/graded-cards-system/assets/css/admin-styles.css
- /wp-content/plugins/graded-cards-system/assets/js/admin-scripts.js
- /wp-content/plugins/graded-cards-system/assets/css/frontend-styles.css
- graded-cards-system/assets/css/admin-styles.css?ver=
- graded-cards-system/assets/js/admin-scripts.js?ver=
- graded-cards-system/assets/css/frontend-styles.css?ver=
HTML / DOM Fingerprints
- Dear Reviewer: A direct database call with dbDelta is the standard, recommended method for creating/updating custom tables in WordPress.
- Dear Reviewer, The following `isset` check is a false positive for "Processing form data without nonce verification". The nonce (`_wpnonce`) is correctly verified with `wp_verify_nonce()` immediately inside this conditional block before any data is processed.
- Dear Reviewer: This is a direct database call, which is necessary to interact with the plugin's custom table.
- Dear Reviewer, This `isset` check is a false positive for "Processing form data without nonce verification". The nonce (`gcsys_add_card_nonce`) is correctly verified with `wp_verify_nonce()` immediately inside this conditional block.
- +1 more
- name="gcsys_list_layout"
- value="grid"
- value="table"
- [graded_cards_list]