Before After Pictures Security & Risk Analysis

wordpress.org/plugins/beforeafter-pictures

Before After Pictures plugin integrates [jQuery Before/After Plugin](http://www.catchmyfame.com/2009/06/25/jquery-beforeafter-plugin/ "jQuery Bef …

10 active installs v0.2.1 PHP + WP 2.9+ Updated Feb 25, 2011
afterbeforeimagesphoto-effectsphotos
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Before After Pictures Safe to Use in 2026?

Generally Safe

Score 85/100

Before After Pictures has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 15yr ago
Risk Assessment

The "beforeafter-pictures" plugin version 0.2.1 presents a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all its SQL queries and shows no history of reported vulnerabilities (CVEs) or critical taint flows. It also has a limited attack surface, with only one shortcode and no AJAX handlers or REST API routes exposed without proper authorization checks. Furthermore, the absence of file operations and external HTTP requests reduces potential attack vectors.

However, a significant concern arises from the complete lack of output escaping. With 24 outputs identified and 0% properly escaped, this indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities. Any dynamic data displayed to users, if not sanitized before rendering, could be exploited by attackers to inject malicious scripts. Additionally, the absence of nonce checks on its single entry point (the shortcode) could potentially leave it vulnerable to Cross-Site Request Forgery (CSRF) attacks, though the overall impact depends on the functionality of the shortcode itself. The plugin also lacks explicit capability checks on its shortcode, further increasing the risk if the shortcode performs sensitive actions.

In conclusion, while the plugin avoids common pitfalls like raw SQL or known vulnerabilities, the pervasive issue of unescaped output is a critical weakness that demands immediate attention. The lack of nonce and capability checks on the shortcode are also areas of concern. Addressing the output escaping deficiency is paramount to mitigating significant XSS risks.

Key Concerns

  • All outputs are unescaped
  • Shortcode lacks capability checks
  • Shortcode entry point lacks nonce checks
Vulnerabilities
None known

Before After Pictures Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Before After Pictures Release Timeline

v0.2.1Current
v0.2
v0.1
Code Analysis
Analyzed Apr 16, 2026

Before After Pictures Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
24
0 escaped
Nonce Checks
0
Capability Checks
3
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

0% escaped24 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

1 flows
<beforeafterpics_import_admin> (admin/beforeafterpics_import_admin.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Before After Pictures Attack Surface

Entry Points1
Unprotected0

Shortcodes 1

[beforeafterpics] beforeafterpic.php:312
WordPress Hooks 9
actioninitbeforeafterpic.php:43
filtermce_external_pluginsbeforeafterpic.php:96
filtermce_buttonsbeforeafterpic.php:97
filtertiny_mce_versionbeforeafterpic.php:118
actioninitbeforeafterpic.php:119
actionadmin_menubeforeafterpic.php:136
actionwp_headbeforeafterpic.php:194
actioninitbeforeafterpic.php:209
actionadmin_footerbeforeafterpic.php:339
Maintenance & Trust

Before After Pictures Maintenance & Trust

Maintenance Signals

WordPress version tested3.1.4
Last updatedFeb 25, 2011
PHP min version
Downloads6K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Developer Profile

Before After Pictures Developer Profile

host1967

1 plugin · 10 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Before After Pictures

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/beforeafter-pictures/editor_plugin.js/wp-content/plugins/beforeafter-pictures/js/jquery.min-1.4.4.js/wp-content/plugins/beforeafter-pictures/js/jquery-ui.min-1.8.5.js/wp-content/plugins/beforeafter-pictures/js/jquery.beforeafter-1.2.js
Script Paths
/wp-content/plugins/beforeafter-pictures/editor_plugin.js
Version Parameters
beforeafter-pictures/editor_plugin.js?ver=beforeafter-pictures/js/jquery.min-1.4.4.js?ver=beforeafter-pictures/js/jquery-ui.min-1.8.5.js?ver=beforeafter-pictures/js/jquery.beforeafter-1.2.js?ver=

HTML / DOM Fingerprints

CSS Classes
bflinksbalinks
Data Attributes
data-iddata-image_beforedata-image_afterdata-img_widthdata-img_heightdata-animateintro+3 more
Shortcode Output
<div id="ba-container"></div><div class="balinks"></div>
FAQ

Frequently Asked Questions about Before After Pictures