MakeStories (for Google Web Stories) Security & Risk Analysis

wordpress.org/plugins/makestories-helper

MakeStories helper plugin to publish stories for your WordPress site

700 active installs · v3.0.4 · PHP 5.6+ · WP 4.0+ · Updated Jul 11, 2024

Tags: amp, amp-story, makestories, stories, web-stories

Score: 66/100 · Grade C · Use Caution
CVEs total: 4
Unpatched: 1
Last CVE: Sep 22, 2025
Safety Verdict

Is MakeStories (for Google Web Stories) Safe to Use in 2026?

Use With Caution

Score 66/100

MakeStories (for Google Web Stories) has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

4 known CVEs · 1 unpatched · Last CVE: Sep 22, 2025 · Updated 1yr ago
Risk Assessment

The makestories-helper plugin at v3.0.4 presents a concerning security posture despite some positive indicators. It calls no dangerous functions and issues no raw SQL queries, but it exposes a large attack surface: 23 of its 31 entry points are unprotected, namely 22 AJAX handlers and 1 REST API route registered without a permission callback. An AJAX handler with neither a nonce check nor a capability check can be driven by any logged-in user (or, for actions also hooked on wp_ajax_nopriv_, by any visitor), so this is the plugin's central weakness and the direct path to unauthorized actions and privilege escalation.

Static analysis also found 4 of the 10 data flows with unsanitized paths, though none rated critical or high in the taint analysis. Unsanitized paths combined with unprotected entry points are the usual precondition for Cross-Site Scripting (XSS) and Server-Side Request Forgery (SSRF): request data that reaches page output or an outbound HTTP call without validation. Output escaping stands at 73% (112 of 154 outputs), leaving 42 outputs that may render user-controlled data unescaped.

The vulnerability history is the most telling signal: 4 known CVEs, one of which remains unpatched. Their classes (SSRF, missing authorization, CSRF and XSS) map directly onto the weaknesses found in the code analysis, so the same root causes recur across releases. Clean SQL handling does not offset the pervasive lack of authorization checks, the unescaped output, and an open SSRF in the current release. Installations running this plugin need immediate mitigation; since the unpatched SSRF requires an Author-level account, limiting who holds that role reduces exposure until a fix ships.

Key Concerns

  • Unpatched CVEs
  • Large attack surface without auth
  • Unprotected REST API routes
  • Flows with unsanitized paths
  • Output escaping not fully implemented (27% of outputs unescaped)
  • Missing nonce checks on AJAX handlers
  • Missing capability checks on AJAX handlers
Vulnerabilities (4)

MakeStories (for Google Web Stories) Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)
2023: 1 CVE (patched)
2024: 1 CVE (patched)
2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2025-57984 · medium · 6.4 · Server-Side Request Forgery (SSRF)
  MakeStories (for Google Web Stories) <= 3.0.4 - Authenticated (Author+) Server-Side Request Forgery
  Sep 22, 2025 · Unpatched

CVE-2024-38746 · medium · 4.3 · Missing Authorization
  MakeStories (for Google Web Stories) <= 3.0.3 - Authenticated (Subscriber+) Arbitrary File Download and Server-Side Request Forgery
  Jul 11, 2024 · Patched in 3.0.4 (6 days)

CVE-2023-27448 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
  MakeStories (for Google Web Stories) <= 3.0.2 - Cross-Site Request Forgery via 'ms_set_options'
  Aug 28, 2023 · Patched in 3.0.3 (196 days)

WF-98c9c9cb-ca35-461e-9ca6-733012332fd6-makestories-helper · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  MakeStories (for Web Stories) <= 2.6.4 - Cross-Site Scripting
  Jul 6, 2022 · Patched in 2.6.5 (566 days)
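Two of the four advisories above are SSRF and the 2025 one is open in 3.0.4; the oldest is XSS. The common root cause of SSRF in a WordPress plugin is a handler that takes a URL from the request and passes it to wp_remote_get() with no constraint on where it may point, and the same handler becomes reflected XSS when it echoes the remote body with the remote content type. The page does not say which of the plugin's functions carries these bugs, so the following is an added, generic example rather than the plugin's own code: the handler name ms_example_fetch_image, the nonce action, the capability chosen and the host allowlist are all illustrative assumptions.

```php
<?php
// Added example: SSRF-resistant "image proxy" AJAX handler for WordPress.
// Not code from makestories-helper; all names and the allowlist are assumptions.

// ---- Weak form (shown for contrast, not registered): any logged-in user can
//      make the server fetch any URL (loopback admin ports, cloud metadata
//      services, anything reachable via a redirect), and the body is echoed
//      back with the upstream content type, so an HTML response is reflected
//      script on the proxy URL. ----
function ms_example_fetch_image_weak() {
    $url  = $_GET['url'];                      // untrusted, unvalidated
    $resp = wp_remote_get( $url );             // any scheme/host, follows redirects
    header( 'Content-Type: ' . wp_remote_retrieve_header( $resp, 'content-type' ) );
    echo wp_remote_retrieve_body( $resp );
    wp_die();
}

// ---- Hardened form. ----
add_action( 'wp_ajax_ms_example_fetch_image', 'ms_example_fetch_image' );
function ms_example_fetch_image() {
    check_ajax_referer( 'ms_example_proxy', 'nonce' );        // CSRF
    if ( ! current_user_can( 'upload_files' ) ) {             // authorization (assumed cap)
        wp_die( 'forbidden', 403 );
    }

    $url = isset( $_GET['url'] ) ? esc_url_raw( wp_unslash( $_GET['url'] ) ) : '';
    if ( ! ms_example_url_allowed( $url ) ) {
        wp_die( 'url not allowed', 400 );
    }

    // wp_safe_remote_get() sets reject_unsafe_urls, so wp_http_validate_url() runs on
    // the request URL and on every redirect target (rejects non-http(s) schemes,
    // private/loopback IPs and non-standard ports). Redirects are disabled anyway so
    // the allowlist decision above cannot be undone by a 302 to another host.
    $resp = wp_safe_remote_get( $url, array(
        'timeout'             => 5,
        'redirection'         => 0,
        'limit_response_size' => 5 * MB_IN_BYTES,
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_die( 'upstream error', 502 );
    }

    // Serve raster images only: never reflect text/html or image/svg+xml, both of
    // which can carry script, and never trust the upstream header verbatim.
    $type = wp_remote_retrieve_header( $resp, 'content-type' );
    if ( is_array( $type ) ) {
        $type = reset( $type );
    }
    $mime    = strtolower( trim( explode( ';', (string) $type )[0] ) );
    $allowed = array( 'image/jpeg', 'image/png', 'image/gif', 'image/webp' );
    if ( ! in_array( $mime, $allowed, true ) ) {
        wp_die( 'unsupported content type', 415 );
    }

    nocache_headers();
    header( 'Content-Type: ' . $mime );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Content-Disposition: inline' );
    echo wp_remote_retrieve_body( $resp );
    wp_die();
}

/**
 * Allowlist check: https only, host pinned to the CDN hosts the feature needs
 * (assumed list), no userinfo or explicit port, and WordPress's own validator
 * as a second opinion.
 */
function ms_example_url_allowed( $url ) {
    $allowed_hosts = array( 'cdn.example.com', 'images.example.net' );   // assumption
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || 'https' !== strtolower( $parts['scheme'] ) ) {
        return false;
    }
    if ( empty( $parts['host'] ) || isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) {
        return false;
    }
    return in_array( strtolower( $parts['host'] ), $allowed_hosts, true )
        && false !== wp_http_validate_url( $url );
}
```

The host allowlist is the control that actually closes the hole; wp_http_validate_url() resolves the hostname once and the HTTP client resolves it again, so a DNS-rebinding target could pass validation and then connect elsewhere if arbitrary hosts were permitted. Also note that wp_http_validate_url() honours the http_request_host_is_external filter, so another plugin can widen what it accepts.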
Code Analysis (analyzed Mar 16, 2026)

MakeStories (for Google Web Stories) Code Analysis

Dangerous Functions    0
Raw SQL Queries        0 (0 prepared)
Unescaped Output       42 (112 escaped)
Nonce Checks           3
Capability Checks      5
File Operations        1
External Requests      4
Bundled Libraries      0

Output Escaping

73% escaped (112 of 154 total outputs)

Data Flows: 4 unsanitized

Data Flow Analysis

10 flows, 4 with unsanitized paths
ms_publish_post (api\publish.php:8)
Attack Surface: 23 unprotected

MakeStories (for Google Web Stories) Attack Surface

Entry Points: 31 · Unprotected: 23

AJAX Handlers (24)

auth = registered on wp_ajax_{action} (logged-in users only); nopriv = registered on wp_ajax_nopriv_{action} (reachable by unauthenticated visitors). Four actions here are registered nopriv, including the image upload to the media library.

auth     wp_ajax_ms_get_categories                   api\category.php:6
auth     wp_ajax_ms_get_stories                      api\category.php:43
auth     wp_ajax_ms_get_widget                       api\category.php:82
auth     wp_ajax_ms_get_media                        api\media.php:2
auth     wp_ajax_ms_image_proxy                      api\media.php:52
auth     wp_ajax_ms_publish_post                     api\publish.php:2
auth     wp_ajax_ms_upload_image_to_media_library    api\publish.php:286
nopriv   wp_ajax_ms_upload_image_to_media_library    api\publish.php:287
auth     wp_ajax_ms_get_published_posts              api\publish.php:298
auth     wp_ajax_ms_get_published_posts_all          api\publish.php:354
auth     wp_ajax_ms_get_published_post               api\publish.php:406
auth     wp_ajax_ms_delete_post                      api\publish.php:441
auth     wp_ajax_ms_change_story_slug                api\publish.php:474
auth     wp_ajax_ms_verify_media_in_story            api\publish.php:614
auth     wp_ajax_ms_schedule_publish_post            api\publish.php:790
auth     wp_ajax_ms_wp_save_design_settings          api\story-page.php:5
auth     wp_ajax_ms_wp_get_design_settings           api\story-page.php:19
auth     wp_ajax_ms_publish_widget                   api\widget.php:3
nopriv   wp_ajax_more_post_ajax                      hooks.php:315
auth     wp_ajax_more_post_ajax                      hooks.php:316
nopriv   wp_ajax_ms_get_site_id                      hooks.php:341
auth     wp_ajax_ms_get_site_id                      hooks.php:342
nopriv   wp_ajax_load_post_data_ajax                 hooks.php:356
auth     wp_ajax_load_post_data_ajax                 hooks.php:357

REST API Routes (1)

GET   /wp-json/widget/stories/(?P<id>\d+)    api\publish.php:666
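The Key Concerns list (missing nonce and capability checks on AJAX handlers, an unprotected REST route) and the handler listing above describe the same defect class: entry points that run before anyone has asked who the caller is. The following is an added example, not code from makestories-helper, placing the weak registration pattern beside a hardened AJAX handler and a REST route with an explicit permission_callback. The action name ms_example_delete_post, the nonce action ms_example_nonce and the namespace ms-example/v1 are illustrative assumptions; it needs WordPress and PHP 7+.

```php
<?php
// Added example, not code from makestories-helper: weak vs hardened entry points.
// Action, nonce and namespace names are illustrative assumptions.

// ---- Weak: hooked for visitors (nopriv) and users alike, no nonce, no capability
//      check, unvalidated ID, so anyone can delete any post. ----
add_action( 'wp_ajax_ms_example_delete_post',        'ms_example_delete_post_weak' );
add_action( 'wp_ajax_nopriv_ms_example_delete_post', 'ms_example_delete_post_weak' );
function ms_example_delete_post_weak() {
    $post_id = isset( $_POST['post_id'] ) ? $_POST['post_id'] : 0;  // unvalidated
    wp_delete_post( $post_id, true );                               // no nonce, no cap check
    wp_send_json_success();
}

// ---- Hardened: logged-in only, CSRF nonce, per-post capability, validated input. ----
add_action( 'wp_ajax_ms_example_delete_post', 'ms_example_delete_post_hardened' );
function ms_example_delete_post_hardened() {
    // CSRF: the client must send a nonce made by wp_create_nonce( 'ms_example_nonce' ).
    // On mismatch check_ajax_referer() ends the request with -1 before anything runs.
    check_ajax_referer( 'ms_example_nonce', 'nonce' );

    // Input validation: a post ID is a positive integer naming an existing post.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid post' ), 400 );
    }

    // Authorization: delete_post is a meta capability resolved for THIS post, so an
    // Author may delete their own posts but not someone else's. A blanket role or
    // is_user_logged_in() check would not give that.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// ---- REST: permission_callback is the field the scanner looks for. Since WordPress
//      5.5 a route registered without one still works but raises _doing_it_wrong();
//      either way it is world-readable, so the decision has to be explicit. ----
add_action( 'rest_api_init', function () {
    register_rest_route( 'ms-example/v1', '/stories/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::READABLE,
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
                'sanitize_callback' => 'absint',
            ),
        ),
        // Published stories are public; anything else needs the read_post meta cap.
        // For a non-existent ID read_post maps to do_not_allow, which also avoids
        // leaking whether an ID exists to anonymous callers.
        'permission_callback' => function ( WP_REST_Request $request ) {
            $post = get_post( (int) $request['id'] );
            if ( $post && 'publish' === $post->post_status ) {
                return true;
            }
            return current_user_can( 'read_post', (int) $request['id'] );
        },
        'callback'            => function ( WP_REST_Request $request ) {
            $post = get_post( (int) $request['id'] );
            if ( ! $post ) {
                return new WP_Error( 'ms_not_found', 'no such story', array( 'status' => 404 ) );
            }
            // Return data, not markup: the REST layer JSON-encodes it, so the escaping
            // question moves to whoever renders this in HTML.
            return rest_ensure_response( array(
                'id'     => $post->ID,
                'title'  => $post->post_title,
                'status' => $post->post_status,
            ) );
        },
    ) );
} );
```

The two checks are independent and both are needed: a nonce alone stops cross-site requests but lets any user who can obtain a nonce (every logged-in user, for a nonce printed on a shared admin page) call the handler, while a capability check alone leaves the CSRF path open. For a public read-only REST route an explicit '__return_true' is acceptable, provided the callback itself only returns published data.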

Shortcodes (6)

[ms_get_published_post] shortcode.php:5
[ms_get_post_by_category] shortcode.php:71
[ms_get_single_post] shortcode.php:104
[ms_get_single_post_shortcode] shortcode.php:105
[ms_get_single_post_via_shortcode] shortcode.php:106
[ms_get_single_widget] shortcode.php:136
WordPress Hooks (30)

filter   posts_clauses                api\media.php:19
action   rest_api_init                api\publish.php:665
filter   determine_current_user       basic-auth.php:23
filter   determine_current_user       basic-auth.php:31
filter   rest_authentication_errors   basic-auth.php:40
action   init                         gutenberg-block.php:37
action   init                         hooks.php:5
action   admin_head                   hooks.php:98
action   admin_footer                 hooks.php:99
action   wp                           hooks.php:117
action   wp_enqueue_scripts           hooks.php:166
action   admin_enqueue_scripts        hooks.php:184
filter   post_type_link               hooks.php:187
action   init                         hooks.php:227
filter   mce_external_plugins         hooks.php:230
filter   mce_buttons                  hooks.php:231
filter   template_include             hooks.php:243
filter   admin_url                    hooks.php:359
action   admin_menu                   pages\index.php:28
action   admin_menu                   pages\index.php:61
action   admin_init                   pages\index.php:64
filter   admin_body_class             pages\index.php:90
action   admin_head                   pages\index.php:101
action   admin_footer                 pages\index.php:124
action   admin_notices                pages\index.php:146
action   user_admin_notices           pages\index.php:147
action   network_admin_notices        pages\index.php:148
action   all_admin_notices            pages\index.php:149
action   admin_enqueue_scripts        pages\index.php:163
filter   get_edit_post_link           pages\index.php:171

Note: the determine_current_user and rest_authentication_errors filters in basic-auth.php mean the plugin installs its own authentication path for REST requests, which is worth reviewing alongside the entry points above.
Maintenance & Trust

MakeStories (for Google Web Stories) Maintenance & Trust

Maintenance Signals

WordPress version tested   6.4.8
Last updated               Jul 11, 2024
PHP min version            5.6
Downloads                  98K

Community Trust

Rating                     86/100
Number of ratings          28
Active installs            700
Developer Profile

MakeStories (for Google Web Stories) Developer Profile

Pratik Ghela

1 plugin · 700 total installs

Trust score         55
Avg Security Score  66/100
Avg Patch Time      256 days
Detection Fingerprints

How We Detect MakeStories (for Google Web Stories)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/makestories-helper/assets/css/ms-style.css
/wp-content/plugins/makestories-helper/assets/js/ms-script.js
/wp-content/plugins/makestories-helper/vendor/slick/slick-theme.css
/wp-content/plugins/makestories-helper/vendor/slick/slick.css
/wp-content/plugins/makestories-helper/vendor/slick/slick.min.js
Script Paths
/wp-content/plugins/makestories-helper/assets/js/ms-script.js
/wp-content/plugins/makestories-helper/vendor/slick/slick.min.js
Version Parameters
makestories-helper/assets/css/ms-style.css?ver=
makestories-helper/assets/js/ms-script.js?ver=
makestories-helper/vendor/slick/slick-theme.css?ver=
makestories-helper/vendor/slick/slick.css?ver=
makestories-helper/vendor/slick/slick.min.js?ver=

HTML / DOM Fingerprints

JS Globals
ajaxurl
REST Endpoints
/wp-json/makestories_widgets
/wp-json/makestories
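Putting the fingerprints above to use: the added PHP below (not code from this site or from the plugin) scans a page's HTML for the listed asset paths, pulls the version from the ?ver= query parameter, and reports which of the four advisories on this page affect that version using the "<= x.y.z" ranges from their titles. The HTML sample is constructed for the example. One caveat the page does not state: wp_enqueue_script() and wp_enqueue_style() substitute the WordPress core version when a plugin enqueues an asset without a version, so treat the extracted value as a hint to confirm, not proof.

```php
<?php
// Added example: fingerprint makestories-helper in page HTML and map the detected
// version to the advisories listed on this page. Sample HTML is constructed.

const MS_ASSET_PATHS = array(
    '/wp-content/plugins/makestories-helper/assets/css/ms-style.css',
    '/wp-content/plugins/makestories-helper/assets/js/ms-script.js',
    '/wp-content/plugins/makestories-helper/vendor/slick/slick-theme.css',
    '/wp-content/plugins/makestories-helper/vendor/slick/slick.css',
    '/wp-content/plugins/makestories-helper/vendor/slick/slick.min.js',
);

// Affected ranges exactly as the advisory titles above state them ("<= max").
const MS_ADVISORIES = array(
    'CVE-2025-57984' => array( 'max' => '3.0.4', 'fixed' => null,    'type' => 'SSRF (Author+)' ),
    'CVE-2024-38746' => array( 'max' => '3.0.3', 'fixed' => '3.0.4', 'type' => 'Missing Authorization' ),
    'CVE-2023-27448' => array( 'max' => '3.0.2', 'fixed' => '3.0.3', 'type' => 'CSRF via ms_set_options' ),
    'WF-98c9c9cb-ca35-461e-9ca6-733012332fd6-makestories-helper'
                     => array( 'max' => '2.6.4', 'fixed' => '2.6.5', 'type' => 'XSS' ),
);

/**
 * Look for each known asset path; when it carries ?ver=<x>, keep the first
 * version seen. Returns detected flag, version (or null) and matched assets.
 */
function ms_detect( $html ) {
    $hits    = array();
    $version = null;
    foreach ( MS_ASSET_PATHS as $path ) {
        // Path as it appears in src/href, optionally followed by a query string
        // containing ver=<version> (other parameters may precede it).
        $pattern = '#' . preg_quote( $path, '#' )
                 . '(?:\?(?:[^"\'\s>]*&)?ver=([0-9][0-9A-Za-z.\-]*))?#';
        if ( preg_match( $pattern, $html, $m ) ) {
            $hits[] = $path;
            if ( null === $version && isset( $m[1] ) && '' !== $m[1] ) {
                $version = $m[1];
            }
        }
    }
    return array( 'detected' => count( $hits ) > 0, 'version' => $version, 'assets' => $hits );
}

/** Map a version string to the advisories whose range includes it. */
function ms_affected( $version ) {
    $out = array();
    foreach ( MS_ADVISORIES as $id => $adv ) {
        if ( version_compare( $version, $adv['max'], '<=' ) ) {
            $out[ $id ] = $adv['type'] . ' (' . ( null === $adv['fixed'] ? 'unpatched' : 'fixed in ' . $adv['fixed'] ) . ')';
        }
    }
    return $out;
}

// Constructed sample page fragment (not a real site): plugin at 3.0.3 plus the
// "ajaxurl" global listed under JS Globals.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/makestories-helper/assets/css/ms-style.css?ver=3.0.3" />
<script src="https://example.test/wp-content/plugins/makestories-helper/assets/js/ms-script.js?ver=3.0.3"></script>
<script>var ajaxurl = "https://example.test/wp-admin/admin-ajax.php";</script>
HTML;

$d = ms_detect( $sample );
if ( $d['detected'] ) {
    printf( "makestories-helper detected via %d asset(s), version %s\n",
        count( $d['assets'] ), null === $d['version'] ? 'unknown' : $d['version'] );
    if ( null !== $d['version'] ) {
        // For 3.0.3 this lists CVE-2025-57984 (unpatched) and CVE-2024-38746 (fixed in 3.0.4).
        foreach ( ms_affected( $d['version'] ) as $id => $status ) {
            printf( "  %-62s %s\n", $id, $status );
        }
    }
}
```

Because every range here is "<= max", a site reporting 3.0.4 still matches CVE-2025-57984; the table has no "fixed" entry for it, which is the practical meaning of "unpatched" on this page.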
FAQ

Frequently Asked Questions about MakeStories (for Google Web Stories)