WP Story Security & Risk Analysis

wordpress.org/plugins/wp-story

Create your own custom Instagram style stories. Show them on any part of your site by adding custom links, text and images.

1K active installs · v2.1.2 · PHP 5.6.0+ · WP 5.0.0+ · Updated Feb 23, 2021
Tags: hikaye, instagram, stories, story, wordpress-story
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WP Story Safe to Use in 2026?

Generally Safe

Score 85/100

WP Story has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 5yr ago
Risk Assessment

The "wp-story" plugin v2.1.2 presents a generally strong security posture with several good practices in place. The absence of dangerous functions, file operations, external HTTP requests, and unprepared SQL queries is a positive indicator. Furthermore, the plugin has no recorded vulnerability history, which suggests a stable and likely secure past.

However, there are specific areas that warrant attention. The static analysis reveals one unprotected REST API route, representing a potential entry point for unauthorized access or manipulation. While the plugin implements nonce and capability checks, the single unprotected REST API endpoint bypasses these crucial security mechanisms, creating a significant concern. The output escaping, while at 72%, still leaves room for potential cross-site scripting (XSS) vulnerabilities if the remaining 28% of outputs are not properly sanitized.

In conclusion, while the plugin demonstrates good foundational security, the unprotected REST API route is a critical flaw that significantly elevates the risk. Addressing this specific vulnerability should be the immediate priority to improve the plugin's overall security. The moderate percentage of unescaped outputs also suggests a need for further code review to ensure all outputs are adequately protected.

Key Concerns

  • Unprotected REST API route
  • Unescaped output (28%)
Vulnerabilities
None known

WP Story Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WP Story Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 5 (13 escaped)
Nonce Checks: 2
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

72% escaped · 18 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
wp_story_stories_ajax (admin\class-wp-story-admin.php:295)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
1 unprotected

WP Story Attack Surface

Entry Points: 2
Unprotected: 1

REST API Routes 1

GET /wp-json/wp-story/v1/free public\class-wp-story-public.php:212

Shortcodes 1

[wp-story] public\class-wp-story-public.php:132
WordPress Hooks 15
action edit_form_after_title admin\class-wp-story-meta-box.php:10
action add_meta_boxes admin\class-wp-story-meta-box.php:11
action save_post admin\class-wp-story-meta-box.php:12
action plugins_loaded includes\class-wp-story.php:147
action admin_enqueue_scripts includes\class-wp-story.php:162
action admin_enqueue_scripts includes\class-wp-story.php:163
action admin_menu includes\class-wp-story.php:164
action init includes\class-wp-story.php:165
action admin_init includes\class-wp-story.php:166
action after_setup_theme includes\class-wp-story.php:170
action wp_enqueue_scripts includes\class-wp-story.php:185
action wp_enqueue_scripts includes\class-wp-story.php:186
action wp_enqueue_scripts includes\class-wp-story.php:187
action rest_api_init includes\class-wp-story.php:188
action init includes\class-wp-story.php:189
Maintenance & Trust

WP Story Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.6.17
Last updated: Feb 23, 2021
PHP min version: 5.6.0
Downloads: 25K

Community Trust

Rating: 78/100
Number of ratings: 18
Active installs: 1K
Developer Profile

WP Story Developer Profile

wpuzman

1 plugin · 1K total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WP Story

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-story/css/selectize.min.css
/wp-content/plugins/wp-story/css/wp-story-admin.css
/wp-content/plugins/wp-story/js/selectize.min.js
/wp-content/plugins/wp-story/js/wp-story-admin.js
Script Paths
/wp-content/plugins/wp-story/js/selectize.min.js
/wp-content/plugins/wp-story/js/wp-story-admin.js
Version Parameters
wp-story-admin.css?ver=
wp-story-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
story-posts
Data Attributes
name="wp-story_stories[]"
id="wp-story_stories"
JS Globals
wpStoryObject