Video Player Pro Security & Risk Analysis

wordpress.org/plugins/video-player-pro

Change all site videos with one click - Has YouTube skin - Create unlimited playlists - Subtitle Support (SRT) - Multi Quality Support - Video Element …

10 active installs v1.1.2 PHP 7.0+ WP 4.7+ Updated Mar 4, 2023
Tags: player, video, video-player, youtube, youtube-player
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Video Player Pro Safe to Use in 2026?

Generally Safe

Score 85/100

Video Player Pro has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3yr ago
Risk Assessment

The 'video-player-pro' plugin v1.1.2 has a concerning security posture, primarily because of a large number of unprotected entry points, specifically AJAX handlers. The plugin has no recorded vulnerability history, which suggests it has been relatively secure in the past, but the static analysis reveals significant weaknesses. The 18 AJAX handlers without authentication checks present a substantial attack surface. In addition, the plugin uses the `unserialize` function with no context or sanitization checks evident from the taint analysis, a critical risk that could lead to remote code execution if attacker-controlled data is passed to it.

The taint analysis covered only two flows, and both have unsanitized paths, although neither was classified as critical or high severity. Combined with the fact that 65% of output is properly escaped, this suggests that some effort has been made to secure output, but there is still room for improvement and potential for XSS vulnerabilities. The lack of capability checks on any entry point is another significant concern. In summary, despite a clean vulnerability history, the numerous unprotected AJAX handlers, the dangerous `unserialize` call, and the taint analysis findings indicate a high potential for exploitation. These entry points and the identified coding practices require immediate attention.

Key Concerns

  • 18 AJAX handlers without auth checks
  • Dangerous function: unserialize
  • 2 flows with unsanitized paths (taint analysis)
  • 0 capability checks on entry points
  • 35% of output not properly escaped
Vulnerabilities
None known

Video Player Pro Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Video Player Pro Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 4 · 3 prepared
Unescaped Output: 203 · 377 escaped
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$serialize = @unserialize( $value );` · include\class\VPP_DATABASE.php:466

SQL Query Safety

43% prepared · 7 total queries

Output Escaping

65% escaped · 580 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
Shortcodes (include\studio\page\VPP_PAGE_VIDEO.php:68)
Attack Surface
18 unprotected

Video Player Pro Attack Surface

Entry Points: 19
Unprotected: 18

AJAX Handlers 18

auth · wp_ajax_vpp_auto_video_change · include\player\ajax\VPP_AJAX_AUTO_VIDEO_CHANGE.php:11
nopriv · wp_ajax_vpp_auto_video_change · include\player\ajax\VPP_AJAX_AUTO_VIDEO_CHANGE.php:12
auth · wp_ajax_ytpl_page_pro_version · include\studio\ajax\VPP_AJAX_PAGE_PRO_VERSION.php:8
nopriv · wp_ajax_ytpl_page_pro_version · include\studio\ajax\VPP_AJAX_PAGE_PRO_VERSION.php:9
auth · wp_ajax_vpp_popup · include\studio\ajax\VPP_AJAX_POPUP.php:11
nopriv · wp_ajax_vpp_popup · include\studio\ajax\VPP_AJAX_POPUP.php:12
auth · wp_ajax_vpp_save_setting · include\studio\ajax\VPP_AJAX_SETTING_SAVE.php:8
nopriv · wp_ajax_vpp_save_setting · include\studio\ajax\VPP_AJAX_SETTING_SAVE.php:9
auth · wp_ajax_ytpl_delete_video · include\studio\ajax\VPP_AJAX_VIDEO_DELETE.php:8
nopriv · wp_ajax_ytpl_delete_video · include\studio\ajax\VPP_AJAX_VIDEO_DELETE.php:9
auth · wp_ajax_ytpl_delete_group_video · include\studio\ajax\VPP_AJAX_VIDEO_DELETE_GROUP.php:8
nopriv · wp_ajax_ytpl_delete_group_video · include\studio\ajax\VPP_AJAX_VIDEO_DELETE_GROUP.php:9
auth · wp_ajax_ytpl_save_video · include\studio\ajax\VPP_AJAX_VIDEO_SAVE.php:8
nopriv · wp_ajax_ytpl_save_video · include\studio\ajax\VPP_AJAX_VIDEO_SAVE.php:9
auth · wp_ajax_ytpl_search_video · include\studio\ajax\VPP_AJAX_VIDEO_SEARCH.php:8
nopriv · wp_ajax_ytpl_search_video · include\studio\ajax\VPP_AJAX_VIDEO_SEARCH.php:9
auth · wp_ajax_ytpl_update_video · include\studio\ajax\VPP_AJAX_VIDEO_UPDATE.php:8
nopriv · wp_ajax_ytpl_update_video · include\studio\ajax\VPP_AJAX_VIDEO_UPDATE.php:9

Shortcodes 1

[vlnd_player] include\player\include\VPP_SHORTCODE.php:11
WordPress Hooks 13
filter · vpp-skin · include\player\VPP_SKIN_MANAGEMENT.php:39
action · vpp_studio_popup_about_me · include\studio\ajax\VPP_AJAX_POPUP_ABOUT_ME.php:11
action · vpp_studio_popup_create · include\studio\ajax\VPP_AJAX_POPUP_CREATE.php:11
action · vpp_studio_popup_setting · include\studio\ajax\VPP_AJAX_POPUP_SETTING.php:11
action · vpp_studio_menu · include\studio\page\VPP_PAGE_PRO_VERSION.php:15
action · vpp_studio_menu · include\studio\page\VPP_PAGE_VIDEO.php:15
action · init · include\VPP_APP.php:11
action · activated_plugin · include\VPP_REGISTER_PLUGIN.php:12
action · deactivated_plugin · include\VPP_REGISTER_PLUGIN.php:13
action · init · include\VPP_STUDIO.php:18
action · admin_menu · include\VPP_STUDIO.php:32
action · plugins_loaded · main.php:43
filter · plugin_row_meta · main.php:45
Maintenance & Trust

Video Player Pro Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.1.10
Last updated: Mar 4, 2023
PHP min version: 7.0
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

Video Player Pro Developer Profile

Idea Land

2 plugins · 20 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Video Player Pro

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/video-player-pro/assets/css/template/vpp-skin-youtube-style.css
/wp-content/plugins/video-player-pro/assets/js/template/vpp-skin-youtube-script.js
Script Paths
/wp-content/plugins/video-player-pro/assets/js/template/vpp-skin-youtube-script.js
Version Parameters
video-player-pro/assets/css/template/vpp-skin-youtube-style.css?ver=
video-player-pro/assets/js/template/vpp-skin-youtube-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
ytpl-render
ytpl-skin-youtube
Data Attributes
data-vpp
JS Globals
VPP_LOCALIZE