Does Starfish Review Generation & Marketing for WordPress have any unpatched vulnerabilities?

Yes — Starfish Review Generation & Marketing for WordPress currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Starfish Review Generation & Marketing for WordPress compatible with WordPress 6.9.4?

According to WordPress.org data, Starfish Review Generation & Marketing for WordPress 3.1.20 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Starfish Review Generation & Marketing for WordPress compatible with PHP 7.4+?

Starfish Review Generation & Marketing for WordPress requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

Starfish Review Generation & Marketing for WordPress Security & Risk Analysis

wordpress.org/plugins/starfish-reviews

The best WordPress plugin for generating 5-star customer reviews on Google, Facebook, Tripadvisor, and many more platforms.

200 active installs v3.1.20 PHP 7.4+ WP 5.0+ Updated Feb 23, 2026

5-star-reviewsreputation-managementreview-generationreview-marketingreviews

C · Use Caution

CVEs total3

Unpatched1

Last CVEFeb 13, 2026

Plugin page Download

Safety Verdict

Is Starfish Review Generation & Marketing for WordPress Safe to Use in 2026?

Use With Caution

Score 68/100

Starfish Review Generation & Marketing for WordPress has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

3 known CVEs 1 unpatched Last CVE: Feb 13, 2026Updated 1mo ago

Risk Assessment

The "starfish-reviews" plugin v3.1.20 presents a mixed security posture. While it demonstrates some good practices, such as a moderate use of prepared statements for SQL queries and a good number of nonce and capability checks, significant concerns remain. The static analysis reveals a considerable attack surface with 18 AJAX handlers, a concerning 7 of which lack proper authorization checks. This directly exposes the plugin to potential unauthorized actions.

Taint analysis indicates a flow with unsanitized paths, which, although not currently classified as critical or high severity, highlights a potential for vulnerabilities if exploited in conjunction with other issues. The plugin's vulnerability history is a major red flag, with 3 known high-severity CVEs, 2 of which are currently unpatched. The consistent pattern of "Missing Authorization" in past vulnerabilities strongly suggests a recurring weakness in the plugin's access control mechanisms.

Overall, the presence of unpatched high-severity vulnerabilities and a substantial number of unprotected AJAX endpoints outweigh the positive aspects of the code. This plugin requires immediate attention to address the outstanding security flaws. The risk is elevated due to the documented history of significant vulnerabilities.

Key Concerns

Unpatched High Severity CVEs
AJAX handlers without authentication
Taint flow with unsanitized paths
Low percentage of properly escaped output
Bundled outdated library (Freemius v1.0)

Vulnerabilities

Starfish Review Generation & Marketing for WordPress Security Vulnerabilities

CVEs by Year

1 CVE in 2019

2019

1 CVE in 2025

2025

1 CVE in 2026 · unpatched

2026

Patched Has unpatched

Severity Breakdown

High

3 total CVEs

CVE-2025-15157high · 8.8Missing Authorization

Starfish Review Generation & Marketing for WordPress <= 3.1.19 - Authenticated (Subscriber+) Arbitrary Options Update via srm_restore_options_defaults

Feb 13, 2026Unpatched

CVE-2025-39533high · 8.8Missing Authorization

Starfish Review Generation & Marketing <= 3.1.19 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Apr 16, 2025 Patched in 3.1.20 (336d)

WF-3fda31fa-efc9-44b9-99ba-9e3e23aa2ee0-starfish-reviewshigh · 8.8Missing Authorization

Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update

Feb 25, 2019 Patched in 2.0.1 (1793d)

Code Analysis

Analyzed Mar 16, 2026

Starfish Review Generation & Marketing for WordPress Code Analysis

Dangerous Functions

Raw SQL Queries

8 prepared

Unescaped Output

208

200 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Freemius1.0

SQL Query Safety

53% prepared15 total queries

Output Escaping

49% escaped408 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

1 flows1 with unsanitized paths

<starfish-admin-notices.action> (init\actions\starfish-admin-notices.action.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

7 unprotected

Starfish Review Generation & Marketing for WordPress Attack Surface

Entry Points19

Unprotected7

AJAX Handlers 18

authwp_ajax_starfish-execute-richreviews-migrationsinit\actions\ajax\starfish-ajax-callbacks-richreviews-migrate.action.php:104

authwp_ajax_srm-testimonial-hideinit\actions\ajax\starfish-ajax-callbacks-testimonial.action.php:63

authwp_ajax_srm-testimonial-submitinit\actions\ajax\starfish-ajax-callbacks-testimonial.action.php:95

noprivwp_ajax_srm-testimonial-submitinit\actions\ajax\starfish-ajax-callbacks-testimonial.action.php:96

authwp_ajax_starfish-execute-migrationsinit\actions\ajax\starfish-ajax-callbacks.action.php:36

authwp_ajax_starfish-execute-restore-default-optionsinit\actions\ajax\starfish-ajax-callbacks.action.php:78

authwp_ajax_srm-export-feedbackinit\actions\ajax\starfish-ajax-callbacks.action.php:141

authwp_ajax_srm-delete-feedback-exportinit\actions\ajax\starfish-ajax-callbacks.action.php:160

authwp_ajax_srm-settings-logs-purgeinit\actions\ajax\starfish-ajax-callbacks.action.php:184

authwp_ajax_srm-settings-logs-refreshinit\actions\ajax\starfish-ajax-callbacks.action.php:218

authwp_ajax_starfish-execute-plan-limit-refreshinit\actions\ajax\starfish-ajax-callbacks.action.php:256

authwp_ajax_starfish-get-transientinit\actions\ajax\starfish-ajax-callbacks.action.php:283

authwp_ajax_srm-create-feedbackinit\actions\starfish-feedback-process.action.php:53

noprivwp_ajax_srm-create-feedbackinit\actions\starfish-feedback-process.action.php:54

authwp_ajax_srm-update-feedbackinit\actions\starfish-feedback-process.action.php:109

noprivwp_ajax_srm-update-feedbackinit\actions\starfish-feedback-process.action.php:110

authwp_ajax_starfish_upload_imagesinit\actions\starfish-funnels.action.php:21

noprivwp_ajax_starfish_upload_imagesinit\actions\starfish-funnels.action.php:22

Shortcodes 1

[starfish] init\shortcodes\starfish-main.shortcode.php:49

WordPress Hooks 85

actionrest_api_initinit\actions\api\starfish-api-meta.action.php:3

actionadmin_bar_menuinit\actions\menu\starfish-admin-menu-bar.action.php:5

actionadmin_menuinit\actions\menu\starfish-admin-menu-parent.action.php:3

actionadmin_menuinit\actions\menu\starfish-admin-menu-settings.action.php:5

actionupdate_optioninit\actions\options\starfish-admin-options.action.php:8

actionadmin_noticesinit\actions\starfish-admin-notices.action.php:169

actionadmin_noticesinit\actions\starfish-admin-notices.action.php:203

actionadmin_noticesinit\actions\starfish-admin-notices.action.php:230

actionadmin_noticesinit\actions\starfish-admin-notices.action.php:256

actionadmin_noticesinit\actions\starfish-admin-notices.action.php:297

actionadmin_noticesinit\actions\starfish-admin-notices.action.php:361

actionadmin_noticesinit\actions\starfish-admin-notices.action.php:421

actionadmin_noticesinit\actions\starfish-admin-notices.action.php:476

actionadmin_noticesinit\actions\starfish-admin-notices.action.php:500

actionwp_enqueue_scriptsinit\actions\starfish-enqueue-scripts.action.php:40

actionadmin_enqueue_scriptsinit\actions\starfish-enqueue-scripts.action.php:41

actionadmin_enqueue_scriptsinit\actions\starfish-enqueue-scripts.action.php:140

filterwp_mail_content_typeinit\actions\starfish-feedback-process.action.php:214

actioninitinit\actions\starfish-feedback.action.php:7

actionmanage_starfish_feedback_posts_columnsinit\actions\starfish-feedback.action.php:88

actionmanage_edit-starfish_feedback_columnsinit\actions\starfish-feedback.action.php:109

actionmanage_starfish_feedback_posts_custom_columninit\actions\starfish-feedback.action.php:180

filtermanage_edit-starfish_feedback_sortable_columnsinit\actions\starfish-feedback.action.php:202

actionpre_get_postsinit\actions\starfish-feedback.action.php:203

filterpre_get_postsinit\actions\starfish-feedback.action.php:278

actionrestrict_manage_postsinit\actions\starfish-feedback.action.php:312

actionadmin_head-edit.phpinit\actions\starfish-feedback.action.php:348

actionadmin_footerinit\actions\starfish-footer.action.php:7

actioninitinit\actions\starfish-funnels.action.php:13

actionadd_meta_boxes_funnelinit\actions\starfish-funnels.action.php:14

actionsave_post_funnelinit\actions\starfish-funnels.action.php:15

actionsave_post_funnelinit\actions\starfish-funnels.action.php:16

actionsave_post_funnelinit\actions\starfish-funnels.action.php:17

actionadmin_noticesinit\actions\starfish-funnels.action.php:18

actionsave_post_funnelinit\actions\starfish-funnels.action.php:19

actionsave_post_funnelinit\actions\starfish-funnels.action.php:20

filterredirect_post_locationinit\actions\starfish-funnels.action.php:842

filterredirect_post_locationinit\actions\starfish-funnels.action.php:850

filterredirect_post_locationinit\actions\starfish-funnels.action.php:860

filterredirect_post_locationinit\actions\starfish-funnels.action.php:868

actionadmin_initinit\actions\starfish-pluginloaded.action.php:13

actionplugins_loadedinit\actions\starfish-pluginloaded.action.php:29

actionwp_loadedinit\actions\starfish-pluginloaded.action.php:75

filtersingle_templateinit\actions\starfish-templates.action.php:40

actioninitinit\actions\starfish-testimonials.action.php:14

actionadd_meta_boxes_starfish_testimonialinit\actions\starfish-testimonials.action.php:15

actionsave_post_starfish_testimonialinit\actions\starfish-testimonials.action.php:16

actionadmin_footer-post.phpinit\actions\starfish-testimonials.action.php:192

actionadmin_footer-post-new.phpinit\actions\starfish-testimonials.action.php:193

actionadmin_footer-edit.phpinit\actions\starfish-testimonials.action.php:244

filtermanage_edit-funnel_columnsinit\filters\starfish-admin-funnel-columns.filter.php:3

actionmanage_posts_custom_columninit\filters\starfish-admin-funnel-columns.filter.php:9

filtermanage_edit-starfish_testimonial_columnsinit\filters\starfish-admin-testimonial-columns.filter.php:5

actionmanage_starfish_testimonial_posts_custom_columninit\filters\starfish-admin-testimonial-columns.filter.php:17

filtermanage_edit-starfish_testimonial_sortable_columnsinit\filters\starfish-admin-testimonial-columns.filter.php:59

filtermanage_starfish_testimonial_posts_columnsinit\filters\starfish-admin-testimonial-columns.filter.php:68

filterrest_starfish_feedback_queryinit\filters\starfish-api.filter.php:6

filterparse_queryinit\filters\starfish-feedback-admin.filter.php:30

filterviews_edit-starfish_testimonialinit\filters\starfish-testimonials.filter.php:3

filterpost_date_column_statusinit\filters\starfish-testimonials.filter.php:17

filterwp_insert_post_datainit\filters\starfish-testimonials.filter.php:28

filterwp_untrash_post_statusinit\filters\starfish-testimonials.filter.php:38

filterbulk_actions-edit-starfish_testimonialinit\filters\starfish-testimonials.filter.php:45

filterhandle_bulk_actions-edit-starfish_testimonialinit\filters\starfish-testimonials.filter.php:51

filtercron_schedulessrc\Cron.class.php:38

filterplugin_iconsrc\Freemius.class.php:121

filterlicense_keysrc\Freemius.class.php:122

filterlicense_key_maxlengthsrc\Freemius.class.php:123

filterhide_license_keysrc\Freemius.class.php:124

filterconnect_urlsrc\Freemius.class.php:125

filterafter_skip_urlsrc\Freemius.class.php:126

filterafter_connect_urlsrc\Freemius.class.php:127

filterafter_pending_connect_urlsrc\Freemius.class.php:128

filterupload_and_install_video_urlsrc\Freemius.class.php:129

filterhide_freemius_powered_bysrc\Freemius.class.php:130

filterhide_billing_and_payments_infosrc\Freemius.class.php:131

filterfreemius_pricing_js_pathsrc\Freemius.class.php:132

actionafter_premium_version_activationsrc\Freemius.class.php:133

actionafter_free_version_reactivationsrc\Freemius.class.php:134

actionafter_license_changesrc\Freemius.class.php:135

actionadmin_initsrc\Settings.class.php:85

actionadmin_initsrc\Settings.class.php:87

actionshutdownsrc\Settings.class.php:89

actioninitsrc\StarfishReviews.class.php:30

filterwp_mail_content_typesrc\Testimonials.class.php:595

Maintenance & Trust

Starfish Review Generation & Marketing for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 23, 2026

PHP min version7.4

Downloads29K

Community Trust

Rating92/100

Number of ratings25

Active installs200

Alternatives

Starfish Review Generation & Marketing for WordPress Alternatives

Redbrick Digital Core

redbrick-digital-core

Bring your Review Engine reviews into your WordPress website via shortcodes and widgets.

30 No CVEs

BreezeView

breezeview

100

BreezeView is a plugin that allows users to display Google Reviews for their business with a 5-star rating.

10 No CVEs

Reputation Saver Lite

reputation-saver

Reputation Saver will allow you to manage your online reputation by catching the bad reviews and feedback before it hits your social platforms.

10 No CVEs

Widgets for Google Reviews

wp-reviews-plugin-for-google

Embed Google reviews fast and easily into your WordPress site. Increase SEO, trust and sales using Google reviews.

900K 4 CVEs

Reviews Feed – Add Testimonials and Customer Reviews From Google Reviews, Yelp, TripAdvisor, and More

reviews-feed

No API key required. Display Yelp and Google reviews for any business in a clean, customizable feed on your site.

100K 2 CVEs

Developer Profile

Starfish Review Generation & Marketing for WordPress Developer Profile

Starfish Reviews

1 plugin · 200 total installs

trust score

Avg Security Score

68/100

Avg Patch Time

1065 days

View full developer profile

Detection Fingerprints

How We Detect Starfish Review Generation & Marketing for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/starfish-reviews/css/starfish-main.css/wp-content/plugins/starfish-reviews/js/starfish-main.js/wp-content/plugins/starfish-reviews/css/starfish-admin-main.css/wp-content/plugins/starfish-reviews/js/starfish-admin-main.js/wp-content/plugins/starfish-reviews/css/starfish-settings.css/wp-content/plugins/starfish-reviews/js/starfish-admin-freemius-account.js/wp-content/plugins/starfish-reviews/css/starfish-funnel-admin.css/wp-content/plugins/starfish-reviews/js/starfish-admin-funnel.js+1 more

Script Paths

/wp-content/plugins/starfish-reviews/js/starfish-main.js/wp-content/plugins/starfish-reviews/js/starfish-admin-main.js/wp-content/plugins/starfish-reviews/js/starfish-admin-freemius-account.js/wp-content/plugins/starfish-reviews/js/starfish-admin-funnel.js/wp-content/plugins/starfish-reviews/js/starfish-admin-funnel-multidestinations.js

Version Parameters

starfish-reviews/css/starfish-main.css?ver=starfish-reviews/js/starfish-main.js?ver=starfish-reviews/css/starfish-admin-main.css?ver=starfish-reviews/js/starfish-admin-main.js?ver=starfish-reviews/css/starfish-settings.css?ver=starfish-reviews/js/starfish-admin-freemius-account.js?ver=starfish-reviews/css/starfish-funnel-admin.css?ver=starfish-reviews/js/starfish-admin-funnel.js?ver=starfish-reviews/js/starfish-admin-funnel-multidestinations.js?ver=

HTML / DOM Fingerprints

CSS Classes

srm-noticesrm-notice-iconsrm-notice-contentsrm-mainsrm-admin-mainsrm-settingssrm-togglesrm-confirm+2 more

JS Globals

fa_datafunnel_varssettings

FAQ