Social Media Auto Publish Security & Risk Analysis

wordpress.org/plugins/social-media-auto-publish

Publish posts automatically to social media networks like Facebook, Twitter, Instagram, Tumblr, LinkedIn, Threads and Telegram.

7K active installs · v3.6.8 · PHP 7.4+ · WP 3.0+ · Updated Feb 18, 2026
Tags: post-to-facebook, post-to-linkedin, post-to-twitter, social-media-auto-publish, social-media-publishing
Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Dec 12, 2025
Safety Verdict

Is Social Media Auto Publish Safe to Use in 2026?

Generally Safe

Score 99/100

Social Media Auto Publish has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Dec 12, 2025 · Updated 1mo ago
Risk Assessment

The "social-media-auto-publish" plugin version 3.6.8 exhibits a mixed security posture. While it demonstrates several good security practices, such as a significant number of nonce and capability checks, and a good proportion of SQL queries using prepared statements, there are notable areas of concern. The presence of the `unserialize` function, a known dangerous function, without explicit context on its usage or sanitization is a significant red flag. Furthermore, the taint analysis indicates flows with unsanitized paths, although fortunately classified as not critical or high severity.

The plugin's vulnerability history shows one medium-severity CVE in the past, and it has been patched. Its type, Cross-site Scripting, is nevertheless a persistent concern in web applications. The attack surface is primarily AJAX handlers; all are reported to have auth checks, but the sheer number increases the potential for misconfigurations or future vulnerabilities if they are not meticulously maintained. Output escaping is also a concern: only 38% of outputs are properly escaped, which increases the risk of XSS attacks. The bundled Guzzle library is not inherently insecure, but it could pose a risk if it is outdated and has known vulnerabilities.

In conclusion, the plugin has strengths in its authentication and authorization checks for its entry points, and a good track record of patching vulnerabilities. However, the use of `unserialize`, a significant portion of improperly escaped output, and unsanitized paths in taint flows represent genuine risks that require careful attention and potential mitigation. The plugin's security can be considered moderate, with specific areas needing improvement to reach a more robust state.

Key Concerns

  • Dangerous function 'unserialize' used
  • Only 38% of outputs properly escaped
  • Flows with unsanitized paths found
  • Bundled library Guzzle
  • Past medium severity CVE exists
Vulnerabilities: 1

Social Media Auto Publish Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-12076 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Social Media Auto Publish <= 3.6.5 - Reflected Cross-Site Scripting via PostMessage

Dec 12, 2025 Patched in 3.6.6 (1d)
Code Analysis
Analyzed Mar 16, 2026

Social Media Auto Publish Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 3 (6 prepared)
Unescaped Output: 468 (284 escaped)
Nonce Checks: 31
Capability Checks: 13
File Operations: 8
External Requests: 50
Bundled Libraries: 1

Dangerous Functions Found

  • unserialize · `$arrval = unserialize($status);` · admin\logs.php:60
  • unserialize · `$xyz_smap_tggroup_id = unserialize($xyz_smap_tggroup_id);` · admin\publish.php:2099
  • unserialize · `$xyz_smap_tgchannel_id = unserialize($xyz_smap_tgchannel_id);` · admin\publish.php:2101
  • unserialize · `$xyz_smap_ln_company_names=unserialize(base64_decode(get_option('xyz_smap_ln_page_names')));` · admin\settings.php:2146
  • unserialize · `$xyz_smap_tgchannel_id=unserialize($xyz_smap_tgchannel_id);` · admin\settings.php:2679
  • unserialize · `$xyz_smap_tggroup_id=unserialize($xyz_smap_tggroup_id);` · admin\settings.php:2687

Bundled Libraries

Guzzle

SQL Query Safety

67% prepared (9 total queries)

Output Escaping

38% escaped (752 total outputs)
Data Flows: 2 unsanitized

Data Flow Analysis

17 flows, 2 with unsanitized paths
xyz_smap_addpostmetatags (admin\metabox.php:83)
Attack Surface

Social Media Auto Publish Attack Surface

Entry Points: 11
Unprotected: 0

AJAX Handlers: 11

  • auth · wp_ajax_xyz_smap_ajax_backlink · admin\ajax-actions.php:3
  • auth · wp_ajax_xyz_smap_selected_pages_auto_update · admin\ajax-actions.php:29
  • auth · wp_ajax_xyz_smap_selected_ig_pages_auto_update · admin\ajax-actions.php:58
  • auth · wp_ajax_xyz_smap_xyzscripts_accinfo_auto_update · admin\ajax-actions.php:86
  • auth · wp_ajax_xyz_smap_del_entries · admin\ajax-actions.php:107
  • auth · wp_ajax_xyz_smap_ln_selected_pages_auto_update · admin\ajax-actions.php:145
  • auth · wp_ajax_xyz_smap_del_ln_entries · admin\ajax-actions.php:191
  • auth · wp_ajax_xyz_smap_del_ig_entries · admin\ajax-actions.php:230
  • auth · wp_ajax_xyz_smap_del_fb_entries · admin\ajax-actions.php:269
  • auth · wp_ajax_xyz_smap_del_lnuser_entries · admin\ajax-actions.php:291
  • auth · wp_ajax_xyz_smap_del_iguser_entries · admin\ajax-actions.php:314

WordPress Hooks: 16

  • action · admin_notices · admin\admin-notices.php:71
  • action · admin_notices · admin\admin-notices.php:182
  • action · admin_notices · admin\admin-notices.php:183
  • action · admin_init · admin\admin-notices.php:185
  • action · admin_menu · admin\menu.php:3
  • action · admin_enqueue_scripts · admin\menu.php:35
  • action · wp_head · admin\menu.php:94
  • filter · cron_schedules · admin\menu.php:187
  • action · xyz_smap_tw_auto_reauth · admin\menu.php:193
  • action · add_meta_boxes · admin\metabox.php:3
  • action · save_post · admin\publish.php:3
  • action · transition_post_status · admin\publish.php:67
  • action · init · social-media-auto-publish.php:38
  • action · wp_footer · social-media-auto-publish.php:90
  • action · admin_init · social-media-auto-publish.php:106
  • filter · plugin_row_meta · xyz-functions.php:165

Scheduled Events: 1

xyz_smap_tw_auto_reauth
Maintenance & Trust

Social Media Auto Publish Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 18, 2026
PHP min version: 7.4
Downloads: 641K

Community Trust

Rating: 94/100
Number of ratings: 344
Active installs: 7K
Developer Profile

Social Media Auto Publish Developer Profile

f1logic

15 plugins · 142K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 352 days
Detection Fingerprints

How We Detect Social Media Auto Publish

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/social-media-auto-publish/css/font-awesome.min.css
  • /wp-content/plugins/social-media-auto-publish/css/style.css
  • /wp-content/plugins/social-media-auto-publish/js/notice.js
Script Paths
  • /wp-content/plugins/social-media-auto-publish/js/notice.js
Version Parameters
  • social-media-auto-publish/css/font-awesome.min.css?ver=
  • social-media-auto-publish/css/style.css?ver=

HTML / DOM Fingerprints

CSS Classes
xyz_smap_credit_link
Data Attributes
xyz_smap_var
JS Globals
XYZ_SMAP_CONST
xyz_script_smap_var