Control Shelly Devices Security & Risk Analysis

wordpress.org/plugins/wp-shelly-control

Control your Shelly devices from your WordPress site. Automatically import your devices and you can turn on, turn off and see their consumption.

10 active installs · v1.2.3 · PHP 7.0+ · WP 4.6+ · Updated Nov 15, 2024
Tags: automation, devices, iot, shelly, shelly-cloud
Score: 92 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Control Shelly Devices Safe to Use in 2026?

Generally Safe

Score 92/100

Control Shelly Devices has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The wp-shelly-control plugin version 1.2.3 exhibits a generally strong security posture, adhering to many best practices. The static analysis reveals a complete absence of unpatched known vulnerabilities, which is a significant positive indicator. Furthermore, the code demonstrates excellent security hygiene with 100% of SQL queries using prepared statements and all identified outputs being properly escaped. Nonce and capability checks are also prevalent across its entry points, indicating a good effort to protect against common attacks. However, the presence of three instances of the `unserialize` function, coupled with two identified taint flows involving unsanitized paths, introduces potential risks. While the taint analysis did not flag critical or high-severity issues, the use of `unserialize` on untrusted data is a known vector for remote code execution vulnerabilities if not handled with extreme care. The absence of external vulnerability history provides a degree of confidence, but the internal code signals warrant attention.

Key Concerns

  • Use of unserialize function
  • Taint flows with unsanitized paths
Vulnerabilities
None known

Control Shelly Devices Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Control Shelly Devices Code Analysis

  • Dangerous Functions: 3
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 0 (227 escaped)
  • Nonce Checks: 10
  • Capability Checks: 42
  • File Operations: 0
  • External Requests: 5
  • Bundled Libraries: 0

Dangerous Functions Found

  • `unserialize`: `$accounts = unserialize( get_option( 'mcisc_accounts' ) );` (accounts\models\Account.php:131)
  • `unserialize`: `$devices = unserialize( get_option( 'mcisc_devices' ) );` (devices\models\Device.php:153)
  • `unserialize`: `return unserialize( $options );` (options\models\Option.php:86)

Output Escaping

100% escaped · 227 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
activate (shared\check_premium\CheckLemon.php:53)
Attack Surface

Control Shelly Devices Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers 5

  • auth · wp_ajax_mcisc_device_wpactive · devices\ajax\AjaxDeviceWpActive.php:51
  • auth · wp_ajax_mcisc_get_status · devices\ajax\AjaxReloadStatus.php:77
  • nopriv · wp_ajax_mcisc_get_status · devices\ajax\AjaxReloadStatus.php:78
  • auth · wp_ajax_mcisc_switch · devices\ajax\AjaxSwitch.php:61
  • nopriv · wp_ajax_mcisc_switch · devices\ajax\AjaxSwitch.php:64

Shortcodes 1

  • [mcisc_devices] · devices\controllers\ShortcodeDevices.php:23

WordPress Hooks 18

  • action · admin_init · admin\Admin.php:67
  • action · admin_enqueue_scripts · admin\Admin.php:69
  • action · admin_enqueue_scripts · admin\Admin.php:74
  • action · admin_enqueue_scripts · admin\Admin.php:76
  • action · admin_enqueue_scripts · admin\Admin.php:78
  • action · admin_init · admin\wp\Menu.php:98
  • action · admin_menu · admin\wp\Menu.php:99
  • action · admin_enqueue_scripts · devices\ajax\AjaxDeviceWpActive.php:50
  • action · wp_enqueue_scripts · devices\ajax\AjaxReloadStatus.php:74
  • action · admin_enqueue_scripts · devices\ajax\AjaxReloadStatus.php:75
  • action · admin_enqueue_scripts · devices\ajax\AjaxSwitch.php:60
  • action · wp_enqueue_scripts · devices\ajax\AjaxSwitch.php:63
  • action · init · front\Front.php:57
  • action · init · front\Front.php:58
  • action · wp_enqueue_scripts · front\Front.php:60
  • action · admin_init · shared\check_premium\CheckMaster.php:110
  • action · admin_init · shared\check_premium\CheckMaster.php:111
  • action · admin_init · shared\DefaultValues.php:22
Maintenance & Trust

Control Shelly Devices Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.7.5
  • Last updated: Nov 15, 2024
  • PHP min version: 7.0
  • Downloads: 3K

Community Trust

  • Rating: 100/100
  • Number of ratings: 1
  • Active installs: 10
Developer Profile

Control Shelly Devices Developer Profile

MCI Desarrollo

4 plugins · 500 total installs

  • Trust score: 90
  • Avg Security Score: 94/100
  • Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Control Shelly Devices

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-shelly-control/admin/css/admin_general.css
  • /wp-content/plugins/wp-shelly-control/admin/css/admin_panel_control.css
  • /wp-content/plugins/wp-shelly-control/admin/css/admin_panel_settings.css
  • /wp-content/plugins/wp-shelly-control/admin/css/admin_panel_help.css
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_device_wpactive.js
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_get_status.js
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_switch.js
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_device.js
  • (+1 more)

Script Paths
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_device_wpactive.js
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_get_status.js
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_switch.js
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_device.js
  • /wp-content/plugins/wp-shelly-control/shared/js/mcisc_shared.js

Version Parameters
  • /wp-content/plugins/wp-shelly-control/admin/css/admin_general.css?ver=
  • /wp-content/plugins/wp-shelly-control/admin/css/admin_panel_control.css?ver=
  • /wp-content/plugins/wp-shelly-control/admin/css/admin_panel_settings.css?ver=
  • /wp-content/plugins/wp-shelly-control/admin/css/admin_panel_help.css?ver=
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_device_wpactive.js?ver=
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_get_status.js?ver=
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_switch.js?ver=
  • /wp-content/plugins/wp-shelly-control/devices/js/mcisc_device.js?ver=
  • /wp-content/plugins/wp-shelly-control/shared/js/mcisc_shared.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • mcisc_device_wpactive
  • mcisc_get_status
  • mcisc_switch
  • mcisc_device
  • mcisc_shared

Data Attributes
  • data-wp-nonce

JS Globals
  • mcisc_wpactive
  • mcisc_get_status
  • mcisc_switch
  • mcisc_device
  • mcisc_shared

REST Endpoints
  • /wp-json/mcisc/v1/device/wp_active
  • /wp-json/mcisc/v1/device/reload_status
  • /wp-json/mcisc/v1/device/switch