Album and Image Gallery Plus Lightbox Security & Risk Analysis

The 'album-and-image-gallery-plus-lightbox' plugin version 2.1.8 shows a mixed security posture. On the positive side, the static analysis indicates strong adherence to security best practices in several areas. All identified entry points, including AJAX handlers and shortcodes, appear to have authorization checks. SQL queries are exclusively handled via prepared statements, and a high percentage of output is properly escaped, minimizing risks of cross-site scripting. Nonce and capability checks are also present for most handlers. However, the presence of the `unserialize` function is a significant concern as it can lead to object injection vulnerabilities if not handled with extreme care and sanitization of the input data. Additionally, four out of five analyzed taint flows involved unsanitized paths, indicating potential for arbitrary file access or manipulation, even though no critical or high severity issues were flagged in the taint analysis.

The vulnerability history reveals a pattern of four medium-severity CVEs across various common types, including Cross-Site Scripting, Code Injection, CSRF, and Missing Authorization. While there are currently no unpatched vulnerabilities, the recurring nature of these issues suggests a potential for undiscovered or recurring flaws. The most recent vulnerability was recorded in early 2026, which is in the future, suggesting a potential data anomaly or an indication of past security improvements being tracked forward. The previous vulnerabilities, especially those related to code injection and missing authorization, are particularly concerning, even at a medium severity, as they can have significant impacts if exploited.

In conclusion, while the plugin demonstrates strengths in secure coding practices like prepared statements and output escaping, the use of `unserialize` and the history of diverse security vulnerabilities, particularly those involving code injection and authorization, present notable risks. The taint analysis also flags potential issues with unsanitized paths. Developers should prioritize auditing the usage of `unserialize` and thoroughly reviewing the code related to file operations and input handling to mitigate the risks identified. The plugin's past vulnerability record warrants careful monitoring and diligent patching.