JW Player for WordPress Security & Risk Analysis

wordpress.org/plugins/jw-player-7-for-wp

JW Player for WordPress enables you to publish videos on your WordPress posts and pages using the most popular video player on the web.

1K active installs · v2.3.7 · PHP + WP 5.0+ · Updated Apr 12, 2026
Tags: embed-video, jw-player, video-player, video-preroll, video-subtitles
Score 76 · B · Generally Safe
CVEs total: 2
Unpatched: 1
Last CVE: Feb 10, 2026
Safety Verdict

Is JW Player for WordPress Safe to Use in 2026?

Mostly Safe

Score 76/100

JW Player for WordPress is generally safe to use. 2 past CVEs were resolved.

2 known CVEs · 1 unpatched · Last CVE: Feb 10, 2026 · Updated 1mo ago
Risk Assessment

The "jw-player-7-for-wp" plugin version 2.3.6 exhibits a generally good security posture, with a high percentage of properly escaped outputs and 100% of SQL queries using prepared statements. The absence of dangerous functions, file operations, and critical/high severity taint flows is a positive indicator. The plugin also makes robust use of nonces, with 29 checks in place. However, a significant concern is the presence of one AJAX handler that lacks authentication checks, creating a potential entry point for unauthorized actions. The vulnerability history, while having only one medium-severity CVE, is concerning because its last occurrence was very recent, indicating potential for ongoing security weaknesses or a pattern of vulnerabilities. The common vulnerability type, 'Missing Authorization', reinforces the risk identified in the static analysis regarding the unprotected AJAX handler.

Key Concerns

  • AJAX handler without authentication
  • Recent medium severity CVE
  • Flows with unsanitized paths
Vulnerabilities
2 published

JW Player for WordPress Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2026: 1 CVE · unpatched

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2026-39614 · medium · 4.3 · Missing Authorization

JW Player for WordPress <= 2.3.7 - Missing Authorization

Feb 10, 2026 · Unpatched

CVE-2024-33931 · medium · 5.3 · Missing Authorization

JW Player for WordPress <= 2.3.3 - Missing Authorization

Apr 29, 2024 · Patched in 2.3.4 (64d)
Code Analysis
Analyzed Mar 16, 2026

JW Player for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 43 (678 escaped)
Nonce Checks: 29
Capability Checks: 1
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

94% escaped · 721 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

12 flows · 5 with unsanitized paths
jwppp_ads_tag_callback (admin\jwppp-admin.php:258)
Attack Surface
1 unprotected

JW Player for WordPress Attack Surface

Entry Points: 11
Unprotected: 1

AJAX Handlers 8

auth · wp_ajax_skin-customization · admin\jwppp-admin.php:148
auth · wp_ajax_player_check · admin\jwppp-admin.php:210
auth · wp_ajax_add_ads_tag · admin\jwppp-admin.php:269
auth · wp_ajax_add_ad_partner · admin\jwppp-admin.php:320
auth · wp_ajax_jwppp_ajax_remove · includes\jwppp-ajax-remove-video-callback.php:39
auth · wp_ajax_jwppp_ajax_add · includes\jwppp-functions.php:187
auth · wp_ajax_search-content · includes\jwppp-functions.php:852
auth · wp_ajax_init-api · includes\jwppp-functions.php:951

Shortcodes 3

[jw7-video] includes\jwppp-functions.php:650
[jwp-video] includes\jwppp-functions.php:651
[jwplayer] includes\jwppp-functions.php:758
WordPress Hooks 20
action · admin_notices · admin\ilghera-notice\class-ilghera-notice.php:183
action · admin_notices · admin\ilghera-notice\class-ilghera-notice.php:189
action · admin_notices · admin\ilghera-notice\class-ilghera-notice.php:195
action · admin_enqueue_scripts · admin\ilghera-notice\extension.php:25
action · admin_init · admin\jwppp-admin.php:18
action · admin_menu · admin\jwppp-admin.php:27
action · admin_enqueue_scripts · admin\jwppp-admin.php:97
action · admin_menu · admin\jwppp-admin.php:125
action · admin_notices · classes\class-jwppp-dashboard-api.php:100
action · add_meta_boxes · includes\jwppp-functions.php:35
action · wp_enqueue_scripts · includes\jwppp-functions.php:439
action · admin_enqueue_scripts · includes\jwppp-functions.php:483
action · init · includes\jwppp-functions.php:500
filter · widget_text · includes\jwppp-functions.php:765
filter · the_content · includes\jwppp-functions.php:812
filter · has_post_thumbnail · includes\jwppp-functions.php:1011
filter · post_thumbnail_html · includes\jwppp-functions.php:1045
action · save_post · includes\jwppp-save-single-video-data.php:148
action · plugins_loaded · jw-player-7-for-wp.php:48
action · init · jw-widget\jwppp-carousel-config.php:45
Maintenance & Trust

JW Player for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 12, 2026
PHP min version
Downloads: 185K

Community Trust

Rating: 76/100
Number of ratings: 29
Active installs: 1K
Developer Profile

JW Player for WordPress Developer Profile

ilGhera

16 plugins · 2K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 113 days
Detection Fingerprints

How We Detect JW Player for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/jw-player-7-for-wp/admin/ilghera-notice/css/ilghera-notice.css
/wp-content/plugins/jw-player-7-for-wp/admin/ilghera-notice/images/ilGhera-icon-40px.png
/wp-content/plugins/jw-player-7-for-wp/admin/js/jwppp-admin.js
/wp-content/plugins/jw-player-7-for-wp/admin/css/jwppp-admin-style.css
/wp-content/plugins/jw-player-7-for-wp/jw-widget/jwppp-carousel-config.php
Script Paths
/wp-content/plugins/jw-player-7-for-wp/admin/js/jwppp-admin.js
Version Parameters
jwppp-admin.js?ver=
jwppp-admin-style.css?ver=
jwppp-carousel-config.php?ver=

HTML / DOM Fingerprints

CSS Classes
ilghera-notice-warning
ilghera-notice__content
ilghera-notice__logo
ilghera-notice__message
ilghera-notice__buttons
jwppp-admin-style
Data Attributes
data-domain
data-slug
data-name
data-sign
JS Globals
JWPPP_VERSION
FAQ

Frequently Asked Questions about JW Player for WordPress