• Resolved keengamer

    (@keengamer)


    Hi,

    The Media Stream plugin is currently unusable on our site because it affects unrelated WordPress admin pages. It lacks the basics and I have no idea how this could have been even approved by WordPress. It's a complete mess which totally destroys your WordPress and is made by an amateur.

    Issues found:

    The plugin enqueues admin CSS/JS globally via admin_enqueue_scripts, including on pages that have nothing to do with Media Stream.

    It registers global admin hooks on every admin request, including wp_get_attachment_url, attachment_fields_to_edit, print_media_templates, admin_footer, admin_init, and media column filters.

    The wp_get_attachment_url filter can return false for attachments outside Media Stream logic. This is dangerous because admin pages and theme option frameworks rely on valid attachment URLs.

    The plugin injects popup HTML and media-related markup into unrelated admin screens via admin_footer.

    The frontend CSS contains a global video { … } rule, affecting every video element on the site.

    The frontend JS scans every <video> element and modifies data-src / src globally, which can interfere with themes, lazy loading, and other players.

    Expected behavior:
    Media Stream should only load assets and register media-specific hooks on its own settings page, Media Library/upload screens, editors, and relevant AJAX/REST requests. It must not affect unrelated admin pages or generic frontend video elements.

    Right now it breaks our Huber/Redux theme options page and makes the settings UI unusable. The plugin needs proper asset scoping, hook scoping, and non-global CSS/JS selectors before it can be used safely.
    • This topic was modified 3 weeks, 6 days ago by keengamer.
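The scoping problems listed above (global admin assets, a `wp_get_attachment_url` filter that can return false, and `is_plugin_active()` called on the frontend) are illustrated here in a constructed PHP example that is not the plugin's own code; the `msx_` prefix, the `msx-settings` slug, the `_msx_cdn_url` meta key and the asset file names are assumptions.

```php
<?php
// Constructed example (not the Media Stream plugin's code). The "msx_" prefix,
// settings slug, meta key and asset handles are assumptions.

// Remember the hook suffix of our own settings page so assets can target it.
function msx_register_settings_page() {
    $GLOBALS['msx_settings_hook'] = add_options_page(
        'Media Stream', 'Media Stream', 'manage_options', 'msx-settings',
        function () { echo '<div class="wrap"><h1>Media Stream</h1></div>'; }
    );
}
add_action( 'admin_menu', 'msx_register_settings_page' );

// Load admin CSS/JS only on screens where the plugin actually does work,
// instead of on every admin request.
function msx_admin_assets( $hook_suffix ) {
    $allowed = array( 'upload.php', 'media-new.php', 'post.php', 'post-new.php' );
    if ( ! empty( $GLOBALS['msx_settings_hook'] ) ) {
        $allowed[] = $GLOBALS['msx_settings_hook'];
    }
    if ( ! in_array( $hook_suffix, $allowed, true ) ) {
        return; // unrelated admin page (e.g. a theme options screen): leave it alone
    }
    wp_enqueue_style( 'msx-admin', plugins_url( 'admin.css', __FILE__ ), array(), '1.0' );
    wp_enqueue_script( 'msx-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
}
add_action( 'admin_enqueue_scripts', 'msx_admin_assets' );

// Only rewrite URLs for attachments this plugin manages; never return false,
// because themes, builders and admin screens expect a valid URL back.
function msx_attachment_url( $url, $post_id ) {
    $cdn_url = get_post_meta( $post_id, '_msx_cdn_url', true ); // assumed meta key
    if ( ! is_string( $cdn_url ) || $cdn_url === '' ) {
        return $url; // not ours: hand back the original URL untouched
    }
    return esc_url_raw( $cdn_url );
}
add_filter( 'wp_get_attachment_url', 'msx_attachment_url', 10, 2 );

// Frontend: is_plugin_active() is defined in wp-admin/includes/plugin.php,
// which is not loaded on frontend requests; load it first to avoid a fatal error.
function msx_classic_editor_active() {
    if ( ! function_exists( 'is_plugin_active' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    return is_plugin_active( 'classic-editor/classic-editor.php' );
}
```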
Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter keengamer

    (@keengamer)

    Jesus Christ. It’s even worse. Totally not compatible with Classic Editor, security and permissions are totally wrong, it’s just a nonce but not based on the user’s role so anyone could delete your content.

    IF ANYBODY WANTS TO GET HIS SITE DESTROYED OR HACKED, THIS IS THE WAY TO GO.

    Thread Starter keengamer

    (@keengamer)

    1. Global admin asset loading
      The plugin loads its admin CSS/JS on unrelated WordPress admin pages. This broke our theme settings and editor UI.
    2. Editor breakage
      The plugin was active on post.php / post-new.php, affecting the Classic Editor and causing missing editor controls / broken layout.
    3. Global admin hooks
      The plugin registers hooks like wp_get_attachment_url, attachment_fields_to_edit, print_media_templates, admin_footer, and admin_init too broadly.
    4. Unsafe wp_get_attachment_url behavior
      The plugin can alter attachment URLs globally and previously could return false, which can break themes, builders, embeds, and admin screens.
    5. Frontend CSS too broad
      The plugin had a global video { … } CSS rule, affecting every video element on the site, not only Media Stream videos.
    6. Frontend JS too broad
      The JS scans every <video> element and modifies data-src / src, which can conflict with themes, lazy loading, and other video players.
    7. Possible frontend fatal error
      The plugin calls is_plugin_active() in frontend code without safely loading the WordPress plugin API first. This can cause blank posts/pages.
    8. Weak AJAX authorization
      Many AJAX endpoints check only a nonce but not user capabilities. Some endpoints perform sensitive actions like deleting local video files, resetting settings, changing Bunny configuration, bulk offload/reencode, and updating stored content.
    9. Risky file operations
      The plugin deletes local files via wp_delete_file() and restores files via direct file writes. Restore paths must be strictly validated to stay inside the uploads directory.
    10. Risky database/content rewrites
      The plugin directly rewrites post_content, Elementor data, and Bricks data using direct SQL/string replacement. This can corrupt content if URLs or serialized/JSON data are not handled perfectly.
    11. MU plugin fallback
      The plugin writes a fallback MU plugin into mu-plugins, which means some Media Stream behavior can persist even after normal plugin changes unless the MU file is also updated/removed.
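Points 8 and 9 above (nonce-only AJAX endpoints that delete files, and restore/delete paths that must stay inside the uploads directory) are shown below as a constructed PHP example that is not the plugin's code: the weak handler beside a hardened one that adds a capability check and confines the path. The `msx_` prefix, the action and nonce names are assumptions.

```php
<?php
// Constructed example (not the Media Stream plugin's code). The "msx_" prefix,
// the AJAX action name and the nonce name are assumptions.

// Resolve a user-supplied relative path and confirm it stays inside uploads.
function msx_safe_upload_path( $relative ) {
    $base = realpath( wp_upload_dir()['basedir'] );
    if ( $base === false ) {
        return false; // uploads directory missing: refuse rather than guess
    }
    $base   = wp_normalize_path( $base );
    $target = realpath( $base . '/' . ltrim( (string) $relative, '/' ) );
    if ( $target === false ) {
        return false; // file does not exist (or is a dangling symlink)
    }
    $target = wp_normalize_path( $target );
    // Compare with a trailing slash so "/uploads-other" does not match "/uploads".
    if ( strpos( $target, trailingslashit( $base ) ) !== 0 ) {
        return false; // escaped the uploads directory via ../ or a symlink
    }
    return $target;
}

// Weak handler, as described in the report: a nonce proves the request came
// from the site's own UI, but any logged-in user can obtain one. Not registered.
function msx_delete_local_weak() {
    check_ajax_referer( 'msx_nonce', 'nonce' );
    wp_delete_file( $_POST['path'] );
    wp_send_json_success();
}

// Hardened handler: nonce (CSRF) + capability (authorization) + path confinement.
function msx_delete_local_hardened() {
    check_ajax_referer( 'msx_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $raw  = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    $path = msx_safe_upload_path( $raw );
    if ( $path === false ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    wp_delete_file( $path );
    wp_send_json_success();
}
// Privileged-only endpoint: deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_msx_delete_local', 'msx_delete_local_hardened' );
```

The same `msx_safe_upload_path()` check applies to the restore path before any direct file write.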
    Plugin Author Aryan Shirani Bid Abadi

    (@aryans)

    Thank you for the detailed review and for taking the time to test the plugin thoroughly.

    We’ve already addressed several important concerns in the latest refinement update, including:

    Added proper AJAX capability checks
    Improved hook scoping for multiple global hooks
    Added fatal error prevention safeguards
    Prevented unnecessary global asset injections where possible
    Some of the remaining behaviors are currently intentional due to how Media Stream works internally.

    For example, certain admin assets still need to load globally because the WordPress attachment/media selector can be opened from many different admin screens, and the plugin integrates directly with that workflow.

    Similarly, the frontend video handling currently modifies src / data-src attributes because features like dynamic format switching (.mp4 / .m3u8), CDN delivery, and playback optimization depend on runtime URL replacement based on plugin settings.

    We completely understand the concerns around broader CSS/JS scope and content rewriting behavior. These areas require larger architectural changes to improve safely without breaking existing functionality or customer sites.

    Our team is actively working on improving these systems in future updates while also maintaining backward compatibility and adding upcoming features.

    We truly appreciate the feedback and patience. Reviews like this help us improve the plugin significantly, and we’ll continue refining Media Stream as much as possible in upcoming releases.
