Upcasted S3 Offload – AWS S3, DigitalOcean Spaces, Backblaze, MinIO Storage Integration Security & Risk Analysis

wordpress.org/plugins/upcasted-s3-offload

Easily migrate and manage WordPress Media Library files to AWS S3 or S3-compatible storage providers. Boost performance and reduce hosting costs.

200 active installs · v3.1.0 · PHP 7.4+ · WP 4.9+ · Updated Dec 15, 2025
Tags: aws-s3, digitalocean-spaces, media-library, object-storage, s3
Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Feb 3, 2025
Safety Verdict

Is Upcasted S3 Offload – AWS S3, DigitalOcean Spaces, Backblaze, MinIO Storage Integration Safe to Use in 2026?

Generally Safe

Score 99/100

Upcasted S3 Offload – AWS S3, DigitalOcean Spaces, Backblaze, MinIO Storage Integration has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 3, 2025 · Updated 3mo ago
Risk Assessment

The upcasted-s3-offload v3.1.0 plugin exhibits a mixed security posture. The main concern is its 9 AJAX handlers, all of which lack authorization checks. This creates a substantial attack surface: any authenticated user, potentially even a subscriber, could trigger these actions, with unintended consequences. The plugin does show good practice elsewhere, with a high percentage of properly escaped outputs and no critical or high-severity taint flows. Its vulnerability history includes one medium-severity Cross-Site Scripting (XSS) vulnerability which, although patched, suggests a potential for similar input sanitization issues. The bundled libraries, Guzzle and Freemius v1.0, are common but need to be monitored for vulnerabilities of their own. Overall, the plugin's strengths are output sanitization and a clean taint analysis, but the unprotected AJAX endpoints are a critical weakness that significantly elevates the risk.

Key Concerns

  • Unprotected AJAX handlers
  • SQL queries without prepared statements
  • Past medium severity XSS vulnerability
  • Bundled outdated Freemius library
Vulnerabilities: 1

Upcasted S3 Offload – AWS S3, DigitalOcean Spaces, Backblaze, MinIO Storage Integration Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-22676 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Upcasted S3 Offload – AWS S3, Digital Ocean Spaces, Backblaze, Minio and more <= 3.0.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Feb 3, 2025 Patched in 3.0.4 (22d)
Code Analysis
Analyzed Mar 16, 2026

Upcasted S3 Offload – AWS S3, DigitalOcean Spaces, Backblaze, MinIO Storage Integration Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 8 (59 escaped)
Nonce Checks: 6
Capability Checks: 7
File Operations: 2
External Requests: 0
Bundled Libraries: 2

Bundled Libraries

Guzzle, Freemius 1.0

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

88% escaped · 67 total outputs
Data Flows: All sanitized

Data Flow Analysis

2 flows
set_s3_provider (admin\class-upcasted-offload-admin.php:81)
Attack Surface: 9 unprotected

Upcasted S3 Offload – AWS S3, DigitalOcean Spaces, Backblaze, MinIO Storage Integration Attack Surface

Entry Points: 9
Unprotected: 9

AJAX Handlers 9

auth wp_ajax_upcasted_init (admin\class-upcasted-offload-init.php:138)
auth wp_ajax_upcasted_create_bucket (admin\class-upcasted-offload-init.php:139)
auth wp_ajax_upcasted_update_behavior_settings (admin\class-upcasted-offload-init.php:140)
auth wp_ajax_set_s3_provider (includes\class-upcasted-offload.php:170)
auth wp_ajax_save_auto_upload_setting (includes\class-upcasted-offload.php:171)
auth wp_ajax_upcasted_offload_connect (includes\class-upcasted-offload.php:172)
auth wp_ajax_upcasted_init (includes\class-upcasted-offload.php:173)
auth wp_ajax_upcasted_create_bucket (includes\class-upcasted-offload.php:174)
auth wp_ajax_dismiss_finished_cron_admin_notice (includes\class-upcasted-offload.php:184)
WordPress Hooks 26

action add_attachment (admin\class-upcasted-offload-init.php:72)
filter wp_generate_attachment_metadata (admin\class-upcasted-offload-init.php:79)
filter wp_generate_attachment_metadata (admin\class-upcasted-offload-init.php:86)
filter wp_update_attachment_metadata (admin\class-upcasted-offload-init.php:93)
filter image_make_intermediate_size (admin\class-upcasted-offload-init.php:100)
filter sanitize_file_name (admin\class-upcasted-offload-init.php:101)
filter get_attached_file (admin\class-upcasted-offload-init.php:107)
filter wp_get_attachment_url (admin\class-upcasted-offload-init.php:114)
filter wp_get_attachment_thumb_url (admin\class-upcasted-offload-init.php:121)
filter wp_calculate_image_srcset (admin\class-upcasted-offload-init.php:128)
action delete_attachment (admin\class-upcasted-offload-init.php:135)
action plugins_loaded (includes\class-upcasted-offload.php:147)
action admin_enqueue_scripts (includes\class-upcasted-offload.php:163)
action admin_enqueue_scripts (includes\class-upcasted-offload.php:164)
action admin_menu (includes\class-upcasted-offload.php:165)
action admin_init (includes\class-upcasted-offload.php:166)
action manage_media_columns (includes\class-upcasted-offload.php:167)
action manage_media_custom_column (includes\class-upcasted-offload.php:168)
filter wp_prepare_attachment_for_js (includes\class-upcasted-offload.php:169)
filter pre_get_posts (includes\class-upcasted-offload.php:179)
filter restrict_manage_posts (includes\class-upcasted-offload.php:180)
filter cron_schedules (includes\class-upcasted-offload.php:181)
action admin_notices (includes\class-upcasted-offload.php:183)
action after_uninstall (includes\class-upcasted-offload.php:188)
action admin_init (upcasted-s3-offload.php:183)
action after_premium_version_activation (upcasted-s3-offload.php:185)
Maintenance & Trust

Upcasted S3 Offload – AWS S3, DigitalOcean Spaces, Backblaze, MinIO Storage Integration Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 15, 2025
PHP min version: 7.4
Downloads: 12K

Community Trust

Rating: 68/100
Number of ratings: 10
Active installs: 200
Developer Profile

Upcasted S3 Offload – AWS S3, DigitalOcean Spaces, Backblaze, MinIO Storage Integration Developer Profile

upcasted

2 plugins · 400 total installs

Trust score: 91
Avg Security Score: 96/100
Avg Patch Time: 22 days
Detection Fingerprints

How We Detect Upcasted S3 Offload – AWS S3, DigitalOcean Spaces, Backblaze, MinIO Storage Integration

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/upcasted-s3-offload/assets/css/upload.css
/wp-content/plugins/upcasted-s3-offload/assets/js/upload.js
/wp-content/plugins/upcasted-s3-offload/includes/freemius/assets/css/freemius-sdk.css
/wp-content/plugins/upcasted-s3-offload/includes/freemius/assets/js/freemius-sdk.js
Script Paths
/wp-content/plugins/upcasted-s3-offload/assets/js/upload.js
/wp-content/plugins/upcasted-s3-offload/includes/freemius/assets/js/freemius-sdk.js
Version Parameters
upcasted-s3-offload/assets/css/upload.css?ver=
upcasted-s3-offload/assets/js/upload.js?ver=
upcasted-s3-offload/includes/freemius/assets/css/freemius-sdk.css?ver=
upcasted-s3-offload/includes/freemius/assets/js/freemius-sdk.js?ver=

HTML / DOM Fingerprints

CSS Classes
uso_settings_row, uso_section_title, uso_field_label, uso_field_input, uso_field_description, upcasted_s3_offload_bulk_action
HTML Comments
<!-- DO NOT REMOVE THIS IF, IT IS ESSENTIAL FOR THE `function_exists` CALL ABOVE TO PROPERLY WORK. -->
<!-- Requires the Freemius SDK -->
<!-- Begin Freemius SDK -->
<!-- End Freemius SDK -->
(+10 more)
Data Attributes
data-upcasted-s3-offload-setting, data-option-name, data-option-value
JS Globals
upcasted_s3_offload_ajax_object