WP Shelly Security & Risk Analysis

wordpress.org/plugins/wp-shelly

Connects your WP site to Shelly cloud to turn your IoT devices on/off via Shelly HTTP API. Compatible with Elementor.

10 active installs · v2.0.0 · PHP 7.4+ · WP 5.3.0+ · Updated Dec 5, 2022
iot-device, shelly, shelly-cloud, shelly-cloud-api, shelly-relay
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Shelly Safe to Use in 2026?

Generally Safe

Score 85/100

WP Shelly has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3yr ago
Risk Assessment

The "wp-shelly" v2.0.0 plugin exhibits a generally strong security posture based on the provided static analysis and vulnerability history. The absence of any identified CVEs, critical taint flows, or unprotected entry points is highly commendable and suggests diligent development practices. The high percentage of SQL queries using prepared statements and the majority of output being properly escaped are excellent indicators of defense-in-depth. However, there are minor areas for improvement. The presence of file operations and external HTTP requests, while not inherently dangerous, warrants careful review to ensure they are handled securely and do not introduce vulnerabilities, especially if any user-supplied data could influence their behavior. Similarly, while nonce and capability checks are present, their distribution and application across all functions interacting with sensitive data should be thoroughly vetted.

Key Concerns

  • File operations without specific context
  • External HTTP requests without specific context
  • Limited number of capability checks observed
  • Limited number of nonce checks observed
Vulnerabilities
None known

WP Shelly Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

WP Shelly Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (15 prepared)
Unescaped Output: 21 (56 escaped)
Nonce Checks: 3
Capability Checks: 1
File Operations: 5
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

94% prepared · 16 total queries

Output Escaping

73% escaped · 77 total outputs
Attack Surface

WP Shelly Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 25

  • action plugins_loaded · form\base.php:22
  • action wp_enqueue_scripts · sos\wp\asset.php:44
  • action admin_enqueue_scripts · sos\wp\asset.php:56
  • action admin_enqueue_scripts · sos\wp\asset.php:77
  • action current_screen · sos\wp\data\form.php:47
  • action the_post · sos\wp\data\form.php:49
  • action plugins_loaded · sos\wp\data\wpdatabase.php:80
  • action admin_notices · sos\wp\message.php:44
  • action save_post · sos\wp\metabox.php:67
  • action admin_notices · sos\wp\metabox.php:76
  • action init · sos\wp\plugin.php:333
  • action plugins_loaded · sos\wp\plugin.php:386
  • action enqueue_block_editor_assets · sos\wp\plugin.php:398
  • action elementor/widgets/widgets_registered · sos\wp\plugin.php:453
  • filter query_vars · sos\wp\plugin.php:499
  • action rest_api_init · sos\wp\plugin.php:512
  • action admin_init · sos\wp\plugin.php:520
  • action add_meta_boxes · sos\wp\plugin.php:523
  • action edit_form_after_title · sos\wp\plugin.php:529
  • action admin_menu · sos\wp\plugin.php:541
  • action admin_menu · sos\wp\plugin.php:544
  • filter plugin_row_meta · sos\wp\plugin.php:558
  • action the_posts · sos\wp\plugin.php:571
  • action plugins_loaded · sos\wp\plugin.php:577
  • action plugins_loaded · sos\wp\translation.php:69
Maintenance & Trust

WP Shelly Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.1.10
Last updated: Dec 5, 2022
PHP min version: 7.4
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

WP Shelly Developer Profile

sosidee

5 plugins · 6K total installs

Trust score: 90
Avg Security Score: 94/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP Shelly

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-shelly/css/admin.css
  • /wp-content/plugins/wp-shelly/css/button.css
  • /wp-content/plugins/wp-shelly/js/admin.js
  • /wp-content/plugins/wp-shelly/js/common.js
Script Paths
  • /wp-content/plugins/wp-shelly/js/admin.js
  • /wp-content/plugins/wp-shelly/js/common.js
Version Parameters
  • wp-shelly/css/admin.css?ver=
  • wp-shelly/css/button.css?ver=
  • wp-shelly/js/admin.js?ver=
  • wp-shelly/js/common.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • shelly-device-controls
  • shelly-device-status
HTML Comments
  • <!-- WP Shelly : user not authorized -->
  • <!-- WP Shelly -->
Data Attributes
  • data-shelly-btn-id
JS Globals
  • shelly_localize
REST Endpoints
  • /wp-json/sos-shelly/shelly/chk
  • /wp-json/sos-shelly/shelly/swt
Shortcode Output
<pre><em>we've had a problem here</em>