WPCOS腾讯云对象存储COS Security & Risk Analysis

wordpress.org/plugins/wpcos

WordPress COS (WPCOS for short) integrates Tencent Cloud COS object storage with WordPress so that static resources are stored in COS. This improves site access speed and provides secure storage of static assets.

300 active installs · v4.8 · PHP 7.4+ · WP 6.0.1+ · Updated Feb 8, 2026

Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is WPCOS腾讯云对象存储COS Safe to Use in 2026?

Generally Safe

Score 100/100

WPCOS腾讯云对象存储COS has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1 month ago
Risk Assessment

The "wpcos" plugin v4.8 presents a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and has no recorded vulnerability history (CVEs), suggesting a generally well-maintained codebase. The limited attack surface, with zero unprotected entry points across AJAX, REST API, shortcodes, and cron events, further strengthens its security profile.

However, the static analysis reveals significant areas of concern. The presence of the `exec()` function is a critical red flag, as it can be exploited for remote code execution if not handled with extreme care and robust input sanitization. Furthermore, a very low output escaping rate (22%) is a substantial risk for cross-site scripting (XSS) vulnerabilities, particularly given the number of file operations and other code signals that might involve user-supplied data. While taint analysis shows no critical or high-severity unsanitized flows, this could be due to the limited number of flows analyzed, or to the `exec()` function not being directly reachable by user input in the analyzed paths.

In conclusion, while the plugin's clean vulnerability history and secure handling of SQL queries are commendable, the identified dangerous function (`exec`) and the high rate of unescaped output represent serious potential security weaknesses. The plugin's strengths lie in its minimal attack surface and good SQL practices, but these are overshadowed by the risks associated with arbitrary code execution and XSS. Further investigation into the usage of `exec` and the context of all outputs is strongly recommended.

Key Concerns

  • Dangerous function detected (exec)
  • Low output escaping rate (22%)
  • High number of file operations without detailed sanitization context
Vulnerabilities
None known

WPCOS腾讯云对象存储COS Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

WPCOS腾讯云对象存储COS Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 58 (16 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 15
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

Function: exec
Call: `exec("dd if=/dev/urandom of=" . $filename . " bs=1 count=" . (string)$size);`
Location: sdk\cos-php-sdk-v5\src\Qcloud\Cos\Tests\Test.php:41

Output Escaping

22% escaped · 74 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
wpcos_setting_page (wpcos_setting_page.php:2)
Attack Surface

WPCOS腾讯云对象存储COS Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 15

  • filter: big_image_size_threshold (wpcos.php:16)
  • filter: wp_handle_upload_prefilter (wpcos.php:18)
  • filter: wp_handle_upload (wpcos.php:19)
  • action: upgrader_process_complete (wpcos.php:21)
  • filter: sanitize_file_name (wpcos.php:22)
  • filter: wp_handle_upload (wpcos.php:24)
  • filter: wp_update_attachment_metadata (wpcos.php:26)
  • filter: wp_generate_attachment_metadata (wpcos.php:28)
  • filter: wp_save_image_editor_file (wpcos.php:29)
  • filter: wp_unique_filename (wpcos.php:32)
  • action: delete_attachment (wpcos.php:33)
  • action: admin_menu (wpcos.php:34)
  • filter: plugin_action_links (wpcos.php:35)
  • filter: wp_update_attachment_metadata (wpcos.php:60)
  • action: admin_enqueue_scripts (wpcos_actions.php:263)
Maintenance & Trust

WPCOS腾讯云对象存储COS Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 8, 2026
PHP min version: 7.4
Downloads: 16K

Community Trust

Rating: 74/100
Number of ratings: 6
Active installs: 300
Developer Profile

WPCOS腾讯云对象存储COS Developer Profile

老蒋和他的小伙伴

12 plugins · 4K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect WPCOS腾讯云对象存储COS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/wpcos/sdk/cos-php-sdk-v5/vendor/autoload.php
Version Parameters: wpcos/style.css?ver=

FAQ

Frequently Asked Questions about WPCOS腾讯云对象存储COS