Web Stories Security & Risk Analysis

wordpress.org/plugins/web-stories

Web Stories are a visual storytelling format for the open web which immerses your readers in fast-loading, full-screen, and visually rich experiences.

70K active installs · v1.42.0 · PHP 7.4+ · WP 6.6+ · Updated May 15, 2025
Tags: amp, google, stories, storytelling, web-stories
Score 95 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Dec 11, 2024
Safety Verdict

Is Web Stories Safe to Use in 2026?

Generally Safe

Score 95/100

Web Stories has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Dec 11, 2024 · Updated 10mo ago
Risk Assessment

The web-stories plugin v1.42.0 demonstrates a generally strong security posture with no identified critical or high severity vulnerabilities in the static analysis or taint flows. The plugin implements robust SQL query preparation, a high percentage of output escaping, and a commendable number of capability checks, indicating a good effort to sanitize data and control access. The absence of unprotected entry points further bolsters its security foundation.

However, its vulnerability history is a significant concern. The plugin has 3 known CVEs: one critical and two of medium severity, covering Cross-site Scripting, Incorrect Authorization, and Server-Side Request Forgery. Although all three have since been patched, a critical vulnerability in the plugin's history warrants vigilance. While the current version appears clean, the recurrence of these classes of flaw suggests underlying architectural weaknesses that could be exploited if they are not continuously addressed.

In conclusion, while the current static analysis of v1.42.0 is promising and indicates good development practices, the historical prevalence of significant vulnerabilities cannot be ignored. Users should be aware of this past risk profile and ensure the plugin is always kept up-to-date with the latest security patches, as even well-intentioned code can have subtle flaws. The plugin exhibits strengths in secure coding practices but has a history that necessitates a cautious approach.

Key Concerns

  • Past critical vulnerability present
  • Past medium vulnerabilities present (2)
  • Bundled library (TinyMCE) may be outdated
  • File operations present
  • External HTTP requests present
Vulnerabilities: 3

Web Stories Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2023: 1 CVE
2024: 1 CVE

Severity Breakdown

Critical: 1
Medium: 2

3 total CVEs

CVE-2024-54317 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Web Stories <= 1.37.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 11, 2024 · Patched in 1.38.0 (9d)

CVE-2023-1979 · medium · 4.3 · Incorrect Authorization

Web Stories for WordPress <= 1.31.0 - Insufficient Authorization

May 8, 2023 · Patched in 1.32.0 (282d)

CVE-2022-3708 · critical · 9.6 · Server-Side Request Forgery (SSRF)

Web Stories <= 1.24.0 - Server Side Request Forgery

Oct 26, 2022 · Patched in 1.25.0 (454d)
Code Analysis
Analyzed Mar 16, 2026

Web Stories Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (25 prepared)
Unescaped Output: 30 (289 escaped)
Nonce Checks: 1
Capability Checks: 32
File Operations: 8
External Requests: 5
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared · 25 total queries

Output Escaping

91% escaped · 319 total outputs
Attack Surface

Web Stories Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 157

action · admin_enqueue_scripts · includes\Admin\Activation_Notice.php:79
action · admin_notices · includes\Admin\Activation_Notice.php:80
action · network_admin_notices · includes\Admin\Activation_Notice.php:81
filter · admin_body_class · includes\Admin\Admin.php:77
filter · default_content · includes\Admin\Admin.php:78
filter · default_title · includes\Admin\Admin.php:79
filter · display_media_states · includes\Admin\Admin.php:80
action · load-post.php · includes\Admin\Cross_Origin_Isolation.php:77
action · load-post-new.php · includes\Admin\Cross_Origin_Isolation.php:78
filter · style_loader_tag · includes\Admin\Cross_Origin_Isolation.php:79
filter · script_loader_tag · includes\Admin\Cross_Origin_Isolation.php:80
filter · get_avatar · includes\Admin\Cross_Origin_Isolation.php:81
action · wp_enqueue_media · includes\Admin\Cross_Origin_Isolation.php:82
action · admin_footer · includes\Admin\Cross_Origin_Isolation.php:188
action · customize_register · includes\Admin\Customizer.php:145
action · admin_menu · includes\Admin\Dashboard.php:213
action · admin_init · includes\Admin\Dashboard.php:214
action · admin_enqueue_scripts · includes\Admin\Dashboard.php:215
action · admin_notices · includes\Admin\Dashboard.php:216
action · load-web-story_page_stories-dashboard · includes\Admin\Dashboard.php:217
action · admin_enqueue_scripts · includes\Admin\Editor.php:205
filter · replace_editor · includes\Admin\Editor.php:206
filter · use_block_editor_for_post_type · includes\Admin\Editor.php:207
action · wp_default_styles · includes\Admin\Google_Fonts.php:66
filter · plugin_row_meta · includes\Admin\PluginRowMeta.php:46
filter · debug_information · includes\Admin\Site_Health.php:88
filter · site_status_test_php_modules · includes\Admin\Site_Health.php:89
filter · site_status_test_result · includes\Admin\Site_Health.php:90
action · wp_enqueue_editor · includes\Admin\TinyMCE.php:95
filter · mce_buttons · includes\Admin\TinyMCE.php:96
filter · mce_external_plugins · includes\Admin\TinyMCE.php:97
action · admin_footer · includes\Admin\TinyMCE.php:98
filter · script_loader_tag · includes\Admin\TinyMCE.php:99
action · web_stories_print_analytics · includes\AdSense.php:62
action · web_stories_print_analytics · includes\Ad_Manager.php:62
action · wp_default_styles · includes\AMP_Story_Player_Assets.php:51
action · wp_default_scripts · includes\AMP_Story_Player_Assets.php:52
action · web_stories_print_analytics · includes\Analytics.php:60
action · admin_init · includes\Database_Upgrader.php:105
action · web_stories_story_head · includes\Discovery.php:78
action · web_stories_story_head · includes\Discovery.php:79
action · web_stories_story_head · includes\Discovery.php:80
action · web_stories_story_head · includes\Discovery.php:81
action · web_stories_story_head · includes\Discovery.php:82
action · web_stories_story_head · includes\Discovery.php:84
action · wp_head · includes\Discovery.php:85
action · web_stories_story_head · includes\Discovery.php:88
action · web_stories_story_head · includes\Discovery.php:89
action · web_stories_story_head · includes\Discovery.php:90
action · web_stories_story_head · includes\Discovery.php:91
action · web_stories_story_head · includes\Discovery.php:92
action · web_stories_story_head · includes\Discovery.php:93
action · web_stories_story_head · includes\Discovery.php:94
action · web_stories_story_head · includes\Discovery.php:95
action · web_stories_story_head · includes\Discovery.php:96
action · web_stories_story_head · includes\Discovery.php:97
action · web_stories_story_head · includes\Discovery.php:98
action · web_stories_story_head · includes\Discovery.php:99
action · amp_post_template_css · includes\Embed_Base.php:85
filter · wp_kses_allowed_html · includes\Embed_Base.php:88
action · admin_menu · includes\Experiments.php:76
action · admin_init · includes\Experiments.php:77
filter · option_amp-options · includes\Integrations\AMP.php:111
filter · amp_supportable_post_types · includes\Integrations\AMP.php:112
filter · amp_to_amp_linking_element_excluded · includes\Integrations\AMP.php:113
filter · amp_content_sanitizers · includes\Integrations\AMP.php:114
filter · amp_validation_error_sanitized · includes\Integrations\AMP.php:115
filter · amp_skip_post · includes\Integrations\AMP.php:116
filter · web_stories_amp_validation_error_sanitized · includes\Integrations\AMP.php:119
filter · cybocfi_enabled_for_post_type · includes\Integrations\Conditional_Featured_Image.php:63
filter · body_class · includes\Integrations\Core_Themes_Support.php:156
action · wp_body_open · includes\Integrations\Core_Themes_Support.php:157
filter · ez_buffered_final_content · includes\Integrations\Ezoic.php:86
filter · wpcom_sitemap_post_types · includes\Integrations\Jetpack.php:125
filter · jetpack_sitemap_post_types · includes\Integrations\Jetpack.php:127
filter · jetpack_is_amp_request · includes\Integrations\Jetpack.php:130
filter · web_stories_allowed_mime_types · includes\Integrations\Jetpack.php:131
filter · web_stories_rest_prepare_attachment · includes\Integrations\Jetpack.php:132
filter · ajax_query_attachments_args · includes\Integrations\Jetpack.php:133
action · added_post_meta · includes\Integrations\Jetpack.php:134
filter · wp_prepare_attachment_for_js · includes\Integrations\Jetpack.php:210
filter · run_ngg_resource_manager · includes\Integrations\NextGen_Gallery.php:44
filter · shortpixel_image_urls · includes\Integrations\ShortPixel.php:44
filter · googlesitekit_amp_gtag_opt · includes\Integrations\Site_Kit.php:96
filter · googlesitekit_analytics-4_tag_amp_blocked · includes\Integrations\Site_Kit.php:98
action · web_stories_print_analytics · includes\Integrations\Site_Kit.php:111
filter · wp_insert_post_data · includes\KSES.php:90
filter · wp_prepare_attachment_for_js · includes\Media\Base_Color.php:53
filter · wp_prepare_attachment_for_js · includes\Media\Blurhash.php:53
action · delete_attachment · includes\Media\Cropping.php:52
filter · wp_prepare_attachment_for_js · includes\Media\Image_Sizes.php:75
action · rest_api_init · includes\Media\Media_Source_Taxonomy.php:83
filter · wp_prepare_attachment_for_js · includes\Media\Media_Source_Taxonomy.php:84
filter · ajax_query_attachments_args · includes\Media\Media_Source_Taxonomy.php:87
action · pre_get_posts · includes\Media\Media_Source_Taxonomy.php:89
filter · web_stories_rest_attachment_query · includes\Media\Media_Source_Taxonomy.php:91
filter · web_stories_allowed_mime_types · includes\Media\SVG.php:99
filter · mime_types · includes\Media\SVG.php:103
filter · upload_mimes · includes\Media\SVG.php:107
filter · mime_types · includes\Media\SVG.php:108
filter · wp_handle_upload_prefilter · includes\Media\SVG.php:109
filter · wp_generate_attachment_metadata · includes\Media\SVG.php:110
filter · wp_check_filetype_and_ext · includes\Media\SVG.php:111
filter · site_option_upload_filetypes · includes\Media\SVG.php:112
filter · site_option_upload_filetypes · includes\Media\Video\Captions.php:43
action · delete_attachment · includes\Media\Video\Muting.php:65
action · rest_api_init · includes\Media\Video\Muting.php:66
filter · wp_prepare_attachment_for_js · includes\Media\Video\Muting.php:67
action · delete_attachment · includes\Media\Video\Optimization.php:52
action · rest_api_init · includes\Media\Video\Poster.php:76
action · delete_attachment · includes\Media\Video\Poster.php:77
filter · wp_prepare_attachment_for_js · includes\Media\Video\Poster.php:78
filter · wp_prepare_attachment_for_js · includes\Media\Video\Trimming.php:58
action · web_stories_print_analytics · includes\Mgid.php:62
action · wp_initialize_site · includes\namespace.php:84
action · wp_validate_site_deletion · includes\namespace.php:108
action · wp · includes\namespace.php:147
action · init · includes\namespace.php:158
action · plugins_loaded · includes\namespace.php:264
action · delete_post · includes\Page_Template_Post_Type.php:71
action · widgets_init · includes\Register_Widget.php:61
filter · widget_types_to_hide_from_legacy_widget_block · includes\Register_Widget.php:62
filter · body_class · includes\Register_Widget.php:63
filter · the_content · includes\Renderer\Archives.php:87
filter · the_excerpt · includes\Renderer\Archives.php:88
filter · the_content_feed · includes\Renderer\Feed.php:48
filter · the_excerpt_rss · includes\Renderer\Feed.php:49
filter · embed_template · includes\Renderer\Oembed.php:46
filter · embed_html · includes\Renderer\Oembed.php:47
filter · oembed_response_data · includes\Renderer\Oembed.php:49
filter · single_template · includes\Renderer\Single.php:63
filter · template_include · includes\Renderer\Single.php:64
filter · show_admin_bar · includes\Renderer\Single.php:66
action · wp_footer · includes\Renderer\Stories\Renderer.php:256
action · amp_post_template_footer · includes\Renderer\Stories\Renderer.php:257
action · amp_post_template_css · includes\Renderer\Stories\Renderer.php:276
action · http_api_curl · includes\REST_API\Hotlinking_Controller.php:259
action · http_api_curl · includes\REST_API\Hotlinking_Controller.php:376
action · http_api_curl · includes\REST_API\Hotlinking_Controller.php:677
filter · posts_clauses · includes\REST_API\Stories_Controller.php:415
filter · posts_results · includes\REST_API\Stories_Controller.php:416
filter · rest_user_query · includes\REST_API\Stories_Users_Controller.php:157
action · init · includes\Settings.php:449
filter · pre_handle_404 · includes\Story_Archive.php:74
filter · display_post_states · includes\Story_Archive.php:81
action · pre_get_posts · includes\Story_Archive.php:82
action · wp_trash_post · includes\Story_Archive.php:83
action · delete_post · includes\Story_Archive.php:84
filter · wp_insert_post_data · includes\Story_Post_Type.php:100
filter · wp_insert_post_empty_content · includes\Story_Post_Type.php:101
filter · bulk_post_updated_messages · includes\Story_Post_Type.php:102
action · clean_post_cache · includes\Story_Post_Type.php:103
filter · _wp_post_revision_fields · includes\Story_Revisions.php:85
filter · wp_get_revision_ui_diff · includes\Story_Revisions.php:86
action · admin_print_footer_scripts-revision.php · includes\Story_Revisions.php:88
action · shutdown · uninstall.php:93
action · admin_notices · web-stories.php:157
Maintenance & Trust

Web Stories Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: May 15, 2025
PHP min version: 7.4
Downloads: 2.8M

Community Trust

Rating: 84/100
Number of ratings: 85
Active installs: 70K
Developer Profile

Web Stories Developer Profile

Google

3 plugins · 5.1M total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 522 days
Detection Fingerprints

How We Detect Web Stories

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/web-stories/assets/js/web-stories-dashboard.js
/wp-content/plugins/web-stories/assets/js/web-stories-editor.js
/wp-content/plugins/web-stories/assets/js/web-stories-block.js
/wp-content/plugins/web-stories/assets/css/web-stories-admin.css
/wp-content/plugins/web-stories/assets/css/web-stories-editor.css
/wp-content/plugins/web-stories/assets/css/web-stories-dashboard.css

Script Paths
/wp-content/plugins/web-stories/assets/js/web-stories-editor.js
/wp-content/plugins/web-stories/assets/js/web-stories-dashboard.js
/wp-content/plugins/web-stories/assets/js/web-stories-block.js

Version Parameters
web-stories/assets/css/web-stories-admin.css?ver=
web-stories/assets/css/web-stories-editor.css?ver=
web-stories/assets/css/web-stories-dashboard.css?ver=
web-stories/assets/js/web-stories-editor.js?ver=
web-stories/assets/js/web-stories-dashboard.js?ver=
web-stories/assets/js/web-stories-block.js?ver=

HTML / DOM Fingerprints

CSS Classes
web-stories-editor-content
web-stories-dashboard
web-stories-editor
web-stories-editor-wrapper
web-stories-block-editor__editable-block

HTML Comments
This plugin requires PHP 7.4 or higher.
This plugin requires WordPress 6.6 or higher.
Web Stories plugin could not be initialized.
This plugin requires the DOM extension.
+4 more

Data Attributes
data-edit-mode
data-story-id
data-post-id
data-auto-advance
data-media-id
data-story-theme

JS Globals
webStories
WebStoriesPlugin
webStoriesEditor

REST Endpoints
/wp-json/web-stories/v1/stories
/wp-json/web-stories/v1/settings
/wp-json/web-stories/v1/media
/wp-json/web-stories/v1/fonts
/wp-json/web-stories/v1/templates

Shortcode Output
[web_stories]
[web_stories_list]
FAQ

Frequently Asked Questions about Web Stories