Security Issues

Toolkit Integration for Youtube

by highprrrr · 0 active installations · v1.1.3

0 critical · 1 high · 1215 medium · 58 low · 0 info

1274 total findings · sources: ai, phpcs · ⚠ Contains security findings — details embargoed until disclosure deadline

⏱ Disclosure Timeline

Audited & Notified: May 1, 2026
Security Summary (Day 30): May 31, 2026
Full Disclosure (Day 90): Jul 30, 2026

Findings

2 issues
ai · blocks/simple-youtube-feed/simple-youtube-feed.php:58
get_block_wrapper_attributes() Incorrectly Wrapped with esc_attr()
The block render function calls echo esc_attr(get_block_wrapper_attributes()), but get_block_wrapper_attributes() already returns a fully-formed HTML attribute string such as class="foo" id="bar". Passing this string through esc_attr() double-encodes the embedded double quotes into &quot; entities, breaking all block wrapper CSS classes and data attributes in the rendered output. Not a security issue, but it silently corrupts block output on the frontend.
ai · includes/admin-settings.php:20
Pervasive error_log() Debug Calls Left in Production Code
The plugin contains over 20 error_log() calls scattered across admin-settings.php and the block files, logging encryption errors, API key decryption failures, and raw API responses to the server error log. While not directly exploitable, this leaks internal implementation details and is simply sloppy production code that the developer forgot to remove before shipping.

🔒 Security Findings

4 issues
Security Findings — Restricted Access

Security details are shared with the plugin developer during the 90-day disclosure period.

Embargoed until Jul 30, 2026

PHP_CodeSniffer

1268 coding standard violations
What is PHP_CodeSniffer?

PHP_CodeSniffer (PHPCS) is a static analysis tool that checks your PHP code against a set of coding standards. The violations below were caught using the WordPress Coding Standards ruleset — the official style guide for WordPress plugins. These aren't security issues, but they affect code consistency, readability, and long-term maintainability.

Run it yourself & auto-fix

Install PHPCS and the WordPress ruleset via Composer:

composer require --dev squizlabs/php_codesniffer wp-coding-standards/wpcs
./vendor/bin/phpcs --config-set installed_paths vendor/wp-coding-standards/wpcs

Then check your plugin:

./vendor/bin/phpcs --standard=WordPress toolkit-integration-for-youtube/

Many violations can be fixed automatically with phpcbf (PHP Code Beautifier, bundled with PHPCS):

./vendor/bin/phpcbf --standard=WordPress toolkit-integration-for-youtube/

phpcbf will auto-fix whitespace, indentation, and many formatting issues. Review the diff before committing.

1268 violations found — run PHPCS locally (see above) to view the full list.