OSS Aliyun Security & Risk Analysis

wordpress.org/plugins/oss-aliyun

Uses Aliyun Object Storage Service (OSS) as the attachment storage space. (This plugin saves WordPress attachments remotely in Aliyun Object Storage Service.)

3K active installs · v1.5.1 · PHP 7.1+ · WP 4.6+ · Updated Dec 5, 2025
Score: 98 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Mar 28, 2024
Safety Verdict

Is OSS Aliyun Safe to Use in 2026?

Generally Safe

Score 98/100

OSS Aliyun has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 28, 2024 · Updated 4mo ago
Risk Assessment

The oss-aliyun plugin v1.5.1 exhibits a mixed security posture. On the positive side, static analysis reveals no identified dangerous functions, all SQL queries are properly prepared, and a high percentage of output is correctly escaped. The plugin also implements at least one nonce and capability check, indicating some adherence to WordPress security best practices. The attack surface appears minimal, with no exposed AJAX handlers, REST API routes, shortcodes, or cron events without authentication checks, and no external HTTP requests were detected. The taint analysis also shows no flows with unsanitized paths, further suggesting careful handling of input.

However, a significant concern arises from the plugin's vulnerability history. It has a past critical vulnerability related to SQL injection, and its last known vulnerability was very recent (March 2024). While there are currently zero unpatched CVEs, the existence of a critical past vulnerability, especially an SQL injection, is a red flag that warrants caution. This history suggests that while the current code may be cleaner, the plugin has had significant security flaws in the past, which could indicate potential for new vulnerabilities to emerge or for the past vulnerability to be reintroduced if not managed diligently. The presence of a file operation and the inclusion of the Guzzle library as a bundled dependency also merit attention for potential security implications, though the static analysis flags no specific issues in these components.

In conclusion, the plugin has made progress in securing its codebase, as evidenced by the static analysis findings. The absence of immediate exploitable flaws in the current version's code is reassuring. Nevertheless, the critical historical vulnerability, particularly the SQL injection type, necessitates ongoing vigilance. Users should ensure they are on the latest version, monitor for future updates, and be aware of the plugin's past security record. The low number of identified issues in static analysis is good, but the historical context requires a slightly elevated level of caution.

Key Concerns

  • Critical severity CVE history
  • Bundled library (Guzzle)
  • File operations detected

Vulnerabilities (1)

OSS Aliyun Security Vulnerabilities

CVEs by Year

1 CVE in 2024 (patched)

Severity Breakdown

Critical: 1 (1 total CVE)

CVE-2024-30494 · Critical · 9.1 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

OSS Aliyun <= 1.4.10 - Authenticated (Administrator+) SQL Injection

Mar 28, 2024 · Patched in 1.4.11 (7d)
Code Analysis
Analyzed Mar 16, 2026

OSS Aliyun Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 8 (50 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

86% escaped (58 total outputs)

Data Flows: all sanitized

Data Flow Analysis

2 flows, all sanitized, in oss_setting_page (aliyun-oss-wordpress.php:771)
Flow table columns: Source (user input) · Sink (dangerous op) · Sanitizer · Transform; status: Unsanitized / Sanitized
Attack Surface

OSS Aliyun Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 18

  • filter wp_update_attachment_metadata (aliyun-oss-wordpress.php:372)
  • filter wp_handle_upload (aliyun-oss-wordpress.php:387)
  • filter wp_generate_attachment_metadata (aliyun-oss-wordpress.php:388)
  • filter wp_save_image_editor_file (aliyun-oss-wordpress.php:389)
  • action delete_attachment (aliyun-oss-wordpress.php:453)
  • filter wp_get_attachment_url (aliyun-oss-wordpress.php:463)
  • filter sanitize_file_name (aliyun-oss-wordpress.php:479)
  • filter plugin_action_links (aliyun-oss-wordpress.php:528)
  • filter wp_calculate_image_srcset (aliyun-oss-wordpress.php:551)
  • filter wp_prepare_attachment_for_js (aliyun-oss-wordpress.php:553)
  • filter the_content (aliyun-oss-wordpress.php:570)
  • filter post_thumbnail_html (aliyun-oss-wordpress.php:595)
  • filter wp_get_attachment_url (aliyun-oss-wordpress.php:679)
  • filter wp_get_attachment_thumb_url (aliyun-oss-wordpress.php:680)
  • filter wp_get_original_image_url (aliyun-oss-wordpress.php:681)
  • filter wp_prepare_attachment_for_js (aliyun-oss-wordpress.php:682)
  • filter image_get_intermediate_size (aliyun-oss-wordpress.php:683)
  • action admin_menu (aliyun-oss-wordpress.php:768)
Maintenance & Trust

OSS Aliyun Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 5, 2025
PHP min version: 7.1
Downloads: 34K

Community Trust

Rating: 96/100
Number of ratings: 5
Active installs: 3K
Developer Profile

OSS Aliyun Developer Profile

沈唁

13 plugins · 4K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 143 days
Detection Fingerprints

How We Detect OSS Aliyun

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/oss-aliyun/sdk/vendor/aliyuncs/oss-sdk-php/src/OSS/Core/OssException.php
/wp-content/plugins/oss-aliyun/sdk/vendor/autoload.php

HTML / DOM Fingerprints

Data Attributes: oss_options
FAQ

Frequently Asked Questions about OSS Aliyun