WP-Safety

Holostep: 3D viewer Security & Risk Analysis

wordpress.org/plugins/holostep

💥 3D & AR viewer platform. Transform Products into Experiences.

20 active installs v1.1.5 PHP + WP 2.8.0+ Updated Oct 27, 2025
3d-viewerconversionmodelwordpress-3dwordpress-3d-viewer
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Holostep: 3D viewer Safe to Use in 2026?

Generally Safe

Score 100/100

Holostep: 3D viewer has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5mo ago
Risk Assessment

The holostep plugin exhibits a generally good security posture with several positive indicators. The absence of dangerous functions, SQL injection vulnerabilities due to prepared statements, and file operations are strong points. Furthermore, the high percentage of properly escaped output and the presence of nonce and capability checks in most areas suggest a developer mindful of common security pitfalls. The vulnerability history being completely clear of known CVEs is also a very positive sign.

However, a significant concern arises from the static analysis: one of the two AJAX handlers lacks authentication checks. This creates an unprotected entry point into the plugin's functionality, which could be exploited if sensitive actions are performed without proper authorization. While no critical taint flows or direct SQL vulnerabilities were identified, this unprotected AJAX endpoint represents a clear risk that could be leveraged for various attacks depending on the AJAX handler's functionality.

In conclusion, holostep v1.1.5 demonstrates good coding practices in many areas. The lack of historical vulnerabilities is reassuring. Nevertheless, the unprotected AJAX handler is a critical weakness that requires immediate attention. Addressing this single point of failure will significantly improve the plugin's overall security.

Key Concerns

  • AJAX handler without auth check
Vulnerabilities
None known

Holostep: 3D viewer Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Holostep: 3D viewer Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
3
32 escaped
Nonce Checks
3
Capability Checks
2
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

91% escaped35 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
postHandler (holostep-admin.php:164)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

Holostep: 3D viewer Attack Surface

Entry Points2
Unprotected1

AJAX Handlers 2

authwp_ajax_holo_settings_formholostep-admin.php:35
authwp_ajax_dismiss_om_noticeinclude\class-notification.php:28
WordPress Hooks 18
actionadmin_enqueue_scriptsholostep-admin.php:28
actionadmin_enqueue_scriptsholostep-admin.php:29
actionadmin_initholostep-admin.php:30
actionadmin_menuholostep-admin.php:31
actionadmin_post_holostep_settingsholostep-admin.php:32
actionplugins_loadedholostep-admin.php:33
actionadmin_footerholostep-admin.php:34
filterquery_varsholostep-front.php:13
actionwpholostep-front.php:14
filterscript_loader_tagholostep-front.php:97
filterauto_update_pluginholostep-front.php:98
actionwp_headholostep.php:36
actionwp_enqueue_scriptsholostep.php:37
actionadmin_initholostep.php:41
actionadmin_initholostep.php:42
actionadmin_footerinclude\class-notification.php:27
actionholostep_all_admin_noticesinclude\class-notification.php:94
actionwp_before_admin_bar_renderinclude\class-notification.php:95
Maintenance & Trust

Holostep: 3D viewer Maintenance & Trust

Maintenance Signals

WordPress version tested6.6.5
Last updatedOct 27, 2025
PHP min version
Downloads727

Community Trust

Rating0/100
Number of ratings0
Active installs20
Alternatives

Holostep: 3D viewer Alternatives

3D Viewer Block – Interactive 3D Model Display

3D Viewer Block – Interactive 3D Model Display

3d-viewer-block

A
100

Embed 3D models. Display interactive 3D models within a few clicks using the Gutenberg Editor.

900 No CVEs
3D viewer by Visody

3D viewer by Visody

visody-3d-product-viewer

A
100

Easily add beautiful, fully-customizable 3D viewers to your WooCommerce product galleries and WordPress pages! AR capabilies included.

900 No CVEs
3D Viewer Online

3D Viewer Online

3dvieweronline-wp

A
91

An easy, realistic and customizable 3D Viewer to embed 3D models of your products/designs into your Wordpress/WooCommerce website (responsive layout)

40 1 CVE
3D Viewer – glb/gltf Viewer by WPSE

3D Viewer – glb/gltf Viewer by WPSE

advanced-3d-model-viewer

A
100

Embed and interact with 3D models in your WordPress content using a block, shortcode, or custom post type.

40 No CVEs
ExploreXR

ExploreXR

explorexr

A
100

Interactive 3D models for WordPress. Upload GLB/GLTF files, embed via shortcode, and extend with modular add-ons. No coding required.

30 No CVEs
Developer Profile

Holostep: 3D viewer Developer Profile

Erik Grof

1 plugin · 20 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Holostep: 3D viewer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/holostep/css/holostep-style.css/wp-content/plugins/holostep/assets/insert_code_en.png/wp-content/plugins/holostep/assets/insert_code_hu.png

HTML / DOM Fingerprints

CSS Classes
holo-notification-bubble
Data Attributes
data-holo-register-urldata-holo-review-urldata-holo-signup-textdata-holo-review-textdata-holo-domaindata-holo-insert-image+1 more
JS Globals
holostep
REST Endpoints
/wp-json/holostep/v1/settings
FAQ

Frequently Asked Questions about Holostep: 3D viewer