Campaign Security & Risk Analysis

wordpress.org/plugins/rss-campaign

This Plugin adds Campaign Infos to the RSS URL and a option for a twitterable URL to tracking in Google Analytics or Piwik And now a Option to add a Q …

10 active installs v1.4 PHP + WP 2.0+ Updated Jun 20, 2011
bit-lycampaigngooglegoogle-analyticspiwik
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Campaign Safe to Use in 2026?

Generally Safe

Score 85/100

Campaign has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 15yr ago
Risk Assessment

The rss-campaign plugin version 1.4 exhibits a mixed security posture. On the positive side, it boasts zero known CVEs and a clean vulnerability history, suggesting a generally well-maintained codebase. The absence of direct SQL queries without prepared statements and file operations is also a strong indicator of good security practices in these areas. However, significant concerns arise from the static analysis of its code.

The most critical issue identified is the complete lack of output escaping across all 27 detected output instances. This represents a serious vulnerability, as it leaves the plugin susceptible to Cross-Site Scripting (XSS) attacks. Any data rendered to the user without proper escaping can be manipulated by an attacker to inject malicious scripts. Furthermore, the taint analysis revealed two flows with unsanitized paths, which, although not classified as critical or high severity in this report, indicate potential pathways for malicious input to be processed insecurely.

While the plugin has a good historical record, the current analysis highlights a glaring oversight in output sanitization. The absence of capability checks and nonce checks, coupled with zero protected entry points (AJAX, REST API, shortcodes, cron), further amplifies the risk associated with the unescaped output. These missing checks mean that even if an attacker cannot directly exploit a code vulnerability, they might be able to trigger unescaped output through crafted requests if the entry points were present.

Key Concerns

  • 0% of 27 outputs properly escaped
  • 2 taint flows with unsanitized paths
  • 0 Nonce checks found
  • 0 Capability checks found
Vulnerabilities
None known

Campaign Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Campaign Release Timeline

v1.4Current
v1.3
v1.2.2
v1.2.1
v1.2
v1.1
v1.0
Code Analysis
Analyzed Mar 17, 2026

Campaign Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
27
0 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped27 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
rss_campaign_admin_show (campaign.php:84)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Campaign Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 5
filterwp_headcampaign.php:355
filterpost_linkcampaign.php:356
actionadmin_menucampaign.php:357
filterexcerpt_morecampaign.php:358
actionadmin_initcampaign.php:359
Maintenance & Trust

Campaign Maintenance & Trust

Maintenance Signals

WordPress version tested3.1.4
Last updatedJun 20, 2011
PHP min version
Downloads3K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

Campaign Developer Profile

sebat

3 plugins · 30 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Campaign

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

CSS Classes
rssc-headrssc-optionenrssc-namerssc-value
HTML Comments
<!-- OpenGraph QR Image -->
Data Attributes
name="rssc-rss-piwik_campaign"name="rssc-rss-piwik_kwd"name="rssc-rss-utm_source"name="rssc-rss-utm_medium"name="rssc-rss-utm_campaign"name="rssc-twitter-piwik_campaign"+14 more
FAQ

Frequently Asked Questions about Campaign