The Ultimate Video Player For WordPress – by Presto Player Security & Risk Analysis

wordpress.org/plugins/presto-player

The Ultimate WordPress Video Player.

100K active installs · v4.1.3 · PHP 7.3+ · WP 6.3+ · Updated Apr 13, 2026
Tags: audio, lms, video, vimeo, youtube
Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Aug 16, 2024
Safety Verdict

Is The Ultimate Video Player For WordPress – by Presto Player Safe to Use in 2026?

Generally Safe

Score 99/100

The Ultimate Video Player For WordPress – by Presto Player has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Aug 16, 2024 · Updated 1mo ago
Risk Assessment

The Presto Player plugin v4.1.0 exhibits a generally positive security posture with several good practices in place, such as a high percentage of SQL queries using prepared statements and properly escaped output. The absence of critical or high-severity taint flows and dangerous functions is also reassuring. However, there are notable areas of concern that warrant attention. The presence of 4 unprotected AJAX handlers significantly expands the attack surface without proper authorization checks, creating a potential entry point for unauthorized actions.

The vulnerability history reveals a pattern of medium-severity issues, primarily related to Missing Authorization and Cross-site Scripting. While there are no currently unpatched vulnerabilities, the recurrence of these specific vulnerability types suggests potential for similar weaknesses to emerge if not thoroughly addressed in development practices. The most recent vulnerability was identified in August 2024, indicating an ongoing need for vigilance and regular security audits.

In conclusion, while Presto Player v4.1.0 benefits from strong code hygiene in many areas, the unprotected AJAX endpoints present a tangible risk. The historical trend of medium-severity vulnerabilities, particularly those related to authorization and XSS, underscores the importance of robust input validation and authorization checks across all entry points. Addressing the unprotected AJAX handlers should be a priority to strengthen the plugin's overall security.

Key Concerns

  • Unprotected AJAX handlers
  • Medium severity vulnerabilities in history (2)
  • Missing authorization vulnerability type in history
  • Improper neutralization of input (XSS) type in history
Vulnerabilities
2 published

The Ultimate Video Player For WordPress – by Presto Player Security Vulnerabilities

CVEs by Year

2024: 2 CVEs

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2024-43285 · medium · 4.3 · Missing Authorization

Presto Player <= 3.0.2 - Missing Authorization

Aug 16, 2024 · Patched in 3.0.3 (4d)

CVE-2024-2428 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The Ultimate Video Player For WordPress <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 20, 2024 · Patched in 2.2.3 (10d)
Version History

The Ultimate Video Player For WordPress – by Presto Player Release Timeline

v4.1.3 (Current)
v4.1.2
v4.1.1: 10 files changed
v4.1.0
v4.0.8: 26 files changed
v4.0.7: 23 files changed
v4.0.6: 9 files changed
v4.0.5: 25 files changed
v4.0.4: 7 files changed
v4.0.3
v4.0.2: 70 files changed
v4.0.1: 31 files changed
v4.0.0
v3.1.3: 27 files changed
v3.1.2: 5 files changed
v3.1.1: 33 files changed
v3.1.0
v3.0.8: 8 files changed
v3.0.7: 9 files changed
v3.0.6: 54 files changed
Code Analysis
Analyzed Mar 16, 2026

The Ultimate Video Player For WordPress – by Presto Player Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (15 prepared)
Unescaped Output: 27 (216 escaped)
Nonce Checks: 4
Capability Checks: 17
File Operations: 10
External Requests: 5
Bundled Libraries: 0

SQL Query Safety

71% prepared · 21 total queries

Output Escaping

89% escaped · 243 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

4 flows
dismiss (inc\Services\AdminNotices.php:147)
Attack Surface
4 unprotected

The Ultimate Video Player For WordPress – by Presto Player Attack Surface

Entry Points: 16
Unprotected: 4

AJAX Handlers 7

auth · wp_ajax_presto_player_load_user_video · inc\Attachment.php:24
auth · wp_ajax_presto_get_media_attributes · inc\Integrations\Divi\Divi.php:23
auth · wp_ajax_presto_fetch_videos · inc\Services\AjaxActions.php:19
auth · wp_ajax_presto_player_progress_percent · inc\Services\Player.php:11
nopriv · wp_ajax_presto_player_progress_percent · inc\Services\Player.php:12
nopriv · wp_ajax_presto_refresh_progress_nonce · inc\Services\Player.php:14
auth · wp_ajax_presto_refresh_progress_nonce · inc\Services\Player.php:15

Shortcodes 9

[presto_player_chapter] inc\Services\Shortcodes.php:34
[presto_playlist_item] inc\Services\Shortcodes.php:35
[presto_player_overlay] inc\Services\Shortcodes.php:36
[presto_player_track] inc\Services\Shortcodes.php:37
[presto_player] inc\Services\Shortcodes.php:38
[presto_timestamp] inc\Services\Shortcodes.php:39
[pptime] inc\Services\Shortcodes.php:40
[presto_playlist] inc\Services\Shortcodes.php:41
[presto_popup] inc\Services\Shortcodes.php:42
WordPress Hooks 108
action · admin_notices · inc\Attachment.php:18
action · wp_get_attachment_url · inc\Attachment.php:20
action · query_vars · inc\Attachment.php:21
action · generate_rewrite_rules · inc\Attachment.php:22
action · template_redirect · inc\Attachment.php:23
action · init · inc\Blocks\MediaHubBlock.php:21
action · init · inc\Blocks\PopupBlock.php:22
action · init · inc\Blocks\PopupMediaBlock.php:23
filter · enqueue_empty_block_content_assets · inc\Blocks\PopupMediaBlock.php:24
action · wp_footer · inc\Blocks\PopupMediaBlock.php:85
action · init · inc\Blocks\PopupTriggerBlock.php:22
action · init · inc\Blocks\ReusableEditBlock.php:21
action · init · inc\Blocks\ReusableVideoBlock.php:29
filter · upload_dir · inc\Files.php:41
filter · wp_prepare_attachment_for_js · inc\Files.php:42
filter · wp_generate_attachment_metadata · inc\Files.php:43
action · ajax_query_attachments_args · inc\Files.php:44
action · admin_notices · inc\Files.php:222
action · init · inc\Integrations\BeaverBuilder\BeaverBuilder.php:12
action · fl_builder_ui_enqueue_scripts · inc\Integrations\BeaverBuilder\ReusableVideoModule\Module.php:44
action · divi_extensions_init · inc\Integrations\Divi\Divi.php:22
action · wp_enqueue_scripts · inc\Integrations\Divi\Divi.php:34
filter · script_loader_tag · inc\Integrations\Divi\Divi.php:37
filter · presto_player_get_block_from_content · inc\Integrations\Divi\Divi.php:40
action · elementor/widgets/register · inc\Integrations\Elementor\Elementor.php:8
filter · presto_player_default_color · inc\Integrations\Kadence.php:8
action · plugins_loaded · inc\Integrations\LearnDash\LearnDash.php:12
filter · learndash_settings_fields · inc\Integrations\LearnDash\LearnDash.php:19
filter · ld_video_provider · inc\Integrations\LearnDash\LearnDash.php:20
filter · presto-settings-block-js-options · inc\Integrations\LearnDash\LearnDash.php:21
filter · get_post_metadata · inc\Integrations\LearnDash\LearnDash.php:22
filter · presto_player/block/default_attributes · inc\Integrations\LearnDash\LearnDash.php:24
filter · presto_player/templates/player_tag · inc\Integrations\LearnDash\LearnDash.php:25
action · plugins_loaded · inc\Integrations\Lifter\Lifter.php:19
filter · presto_player_load_js · inc\Integrations\Lifter\Lifter.php:20
filter · llms_table_get_data_student-course · inc\Integrations\Lifter\Lifter.php:43
filter · presto-settings-block-js-options · inc\Integrations\Lifter\Lifter.php:46
filter · presto_player/block/default_attributes · inc\Integrations\Lifter\Lifter.php:49
filter · tutor_course/single/video · inc\Integrations\Tutor\Tutor.php:8
filter · tutor_lesson/single/video · inc\Integrations\Tutor\Tutor.php:9
action · admin_init · inc\Seeds\Seeder.php:15
action · admin_init · inc\Services\AdminNotices.php:41
action · init · inc\Services\AdminNotices.php:42
action · admin_footer · inc\Services\AdminNotices.php:43
action · rest_api_init · inc\Services\API\RestAudioPresetsController.php:47
action · rest_api_init · inc\Services\API\RestPresetsController.php:45
action · rest_api_init · inc\Services\API\RestSettingsController.php:24
filter · rest_pre_update_setting · inc\Services\API\RestSettingsController.php:25
action · rest_api_init · inc\Services\API\RestVideosController.php:37
filter · render_block_core/button · inc\Services\Blocks\PopupTriggerService.php:18
filter · register_block_type_args · inc\Services\Blocks\PopupTriggerService.php:19
action · wp_get_attachment_url · inc\Services\Blocks\VimeoBlockService.php:8
action · wp_get_attachment_url · inc\Services\Blocks\YoutubeBlockService.php:8
filter · block_categories_all · inc\Services\Blocks.php:18
filter · block_categories · inc\Services\Blocks.php:20
action · rocket_exclude_js · inc\Services\Compatibility.php:9
action · sgo_js_minify_exclude · inc\Services\Compatibility.php:12
action · admin_enqueue_scripts · inc\Services\Compatibility.php:15
filter · wp_kses_allowed_html · inc\Services\Compatibility.php:18
filter · safe_style_css · inc\Services\Compatibility.php:21
action · admin_menu · inc\Services\Menu.php:14
action · init · inc\Services\NpsSurvey.php:28
action · wp_head · inc\Services\PreloadService.php:43
action · wp_footer · inc\Services\PreloadService.php:44
action · admin_notices · inc\Services\ProCompatibility.php:14
action · admin_notices · inc\Services\ReusableVideos.php:16
action · admin_init · inc\Services\ReusableVideos.php:17
action · admin_init · inc\Services\RewriteRulesManager.php:26
action · enqueue_block_assets · inc\Services\Scripts.php:29
action · init · inc\Services\Scripts.php:30
filter · script_loader_tag · inc\Services\Scripts.php:31
action · enqueue_block_editor_assets · inc\Services\Scripts.php:34
action · enqueue_block_assets · inc\Services\Scripts.php:35
action · admin_enqueue_scripts · inc\Services\Scripts.php:38
action · elementor/frontend/before_enqueue_scripts · inc\Services\Scripts.php:41
action · elementor/frontend/before_enqueue_scripts · inc\Services\Scripts.php:42
action · admin_print_scripts-presto-player_page_presto_license · inc\Services\Scripts.php:45
action · presto_player_pro_register_license_page · inc\Services\Scripts.php:46
action · after_setup_theme · inc\Services\Scripts.php:48
action · wp_enqueue_scripts · inc\Services\Scripts.php:51
action · wp_enqueue_scripts · inc\Services\Scripts.php:53
action · wp_footer · inc\Services\Scripts.php:439
action · admin_init · inc\Services\Settings.php:24
action · rest_api_init · inc\Services\Settings.php:25
action · load_script_textdomain_relative_path · inc\Services\Translation.php:31
filter · presto_player/presto_player_presets/data · inc\Services\Translation.php:32
action · init · inc\Services\Translation.php:33
action · init · inc\Services\Translation.php:34
filter · bsf_core_stats · inc\Services\Usage.php:42
action · init · inc\Services\VideoPostType.php:38
action · init · inc\Services\VideoPostType.php:39
filter · allowed_block_types_all · inc\Services\VideoPostType.php:42
filter · allowed_block_types · inc\Services\VideoPostType.php:44
filter · enter_title_here · inc\Services\VideoPostType.php:47
action · restrict_manage_posts · inc\Services\VideoPostType.php:54
action · parse_query · inc\Services\VideoPostType.php:55
action · use_block_editor_for_post · inc\Services\VideoPostType.php:58
filter · pre_get_posts · inc\Services\VideoPostType.php:61
action · template_redirect · inc\Services\VideoPostType.php:64
filter · single_template · inc\Services\VideoPostType.php:67
action · admin_enqueue_scripts · inc\Services\VideoPostType.php:70
filter · post_thumbnail_id · inc\Services\VideoPostType.php:72
filter · the_title · inc\Services\VideoPostType.php:74
action · transition_post_status · inc\Services\VideoPostType.php:78
filter · posts_where · inc\Services\VideoPostType.php:80
action · init · inc\Support\Block.php:128
filter · presto_player/scripts/load_iframe_fallback · inc\Support\Block.php:663
filter · presto_player_load_video · inc\Support\Integration.php:13
Maintenance & Trust

The Ultimate Video Player For WordPress – by Presto Player Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 13, 2026
PHP min version: 7.3
Downloads: 4.0M

Community Trust

Rating: 96/100
Number of ratings: 334
Active installs: 100K
Developer Profile

The Ultimate Video Player For WordPress – by Presto Player Developer Profile

Andre Gagnon

2 plugins · 100K total installs

Trust score: 94
Avg Security Score: 92/100
Avg Patch Time: 7 days
Detection Fingerprints

How We Detect The Ultimate Video Player For WordPress – by Presto Player

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/presto-player/dist/beaver-builder.css
  • /wp-content/plugins/presto-player/dist/beaver-builder.js
  • /wp-content/plugins/presto-player/src/admin/blocks/blocks/hosted
Script Paths
  • hls.js
Version Parameters
  • presto-player/dist/beaver-builder.css?ver=
  • presto-player/dist/beaver-builder.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • presto-player
  • presto-builder--custom-video-controls
  • presto-builder--selector-menu
  • presto-builder--menu
  • presto-builder--dropdown-search
  • presto-bb--video-container
Data Attributes
  • data-presto-player
  • x-data="window.prestoBBDropdown({nonce: '
  • x-init="init"
  • x-text="video.name || 'Select media'"
  • x-show="isOpen()"
  • x-on:click.away="close"
  • +2 more
JS Globals
  • prestoBBDropdown
REST Endpoints
  • /wp-json/presto-player/v1/media
Shortcode Output
  • [presto_player
  • presto_player
FAQ

Frequently Asked Questions about The Ultimate Video Player For WordPress – by Presto Player