Bulk Watermark Security & Risk Analysis

wordpress.org/plugins/bulk-watermark

Adds an image and/or text watermark to all uploaded images, using PNG images with transparency.

100 active installs · v1.6.10 · PHP + · WP 3.3+ · Updated Feb 15, 2015
image · images · picture · pictures · watermark
Score 63 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Sep 5, 2025
Safety Verdict

Is Bulk Watermark Safe to Use in 2026?

Use With Caution

Score 63/100

Bulk Watermark has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Sep 5, 2025 · Updated 11yr ago
Risk Assessment

The "bulk-watermark" plugin v1.6.10 exhibits a mixed security posture. On the positive side, it demonstrates good practices regarding SQL queries, exclusively using prepared statements, and implements nonce and capability checks on its entry points. The attack surface is relatively small, with only one AJAX handler identified, and importantly, all entry points appear to have authentication checks, which is a significant strength.

However, there are areas of concern. Static analysis found unsanitized paths in 2 of the 4 analyzed taint flows, indicating potential vulnerabilities in how data is handled. Furthermore, a significant portion of output (75%) is not properly escaped, which presents a risk of Cross-Site Scripting (XSS) if user-supplied data is reflected directly in the output.

The vulnerability history is particularly worrying. The plugin has a known CVE, which is currently unpatched. The last vulnerability was recorded in 2025, was of medium severity, and is still unpatched, which suggests a potential for ongoing security issues and a lack of proactive maintenance. While the CVE type is Cross-Site Request Forgery (CSRF), the unescaped output is a more immediate and common risk. The combination of unsanitized paths, unescaped output, and an unpatched CVE indicates a moderate to high overall risk.

Key Concerns

  • Unsanitized paths in taint flows
  • Significant amount of unescaped output
  • Currently unpatched medium severity CVE
Vulnerabilities: 1

Bulk Watermark Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-58845 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Bulk Watermark <= 1.6.10 - Cross-Site Request Forgery

Sep 5, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Bulk Watermark Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 49 (16 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

25% escaped · 65 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
bulk_watermark_manager (bulk-watermark-plugin.php:943)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Bulk Watermark Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers: 1

auth · wp_ajax_update_mwa_plugin_installer_menu_option · bulk-watermark-plugin-installer.php:419

WordPress Hooks: 8

action · install_plugins_table_header · bulk-watermark-plugin-installer.php:97
action · install_plugins_favorites · bulk-watermark-plugin-installer.php:114
action · admin_menu · bulk-watermark-plugin-installer.php:413
action · admin_init · bulk-watermark-plugin.php:59
action · admin_init · bulk-watermark-plugin.php:65
action · admin_init · bulk-watermark-plugin.php:68
action · admin_menu · bulk-watermark-plugin.php:71
filter · plugin_row_meta · bulk-watermark-plugin.php:80
Maintenance & Trust

Bulk Watermark Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.1.42
Last updated: Feb 15, 2015
PHP min version
Downloads: 23K

Community Trust

Rating: 40/100
Number of ratings: 2
Active installs: 100
Developer Profile

Bulk Watermark Developer Profile

ChrisHurst

19 plugins · 2K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 2044 days
Detection Fingerprints

How We Detect Bulk Watermark

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bulk-watermark/assets/css/bw-admin-style.css
/wp-content/plugins/bulk-watermark/assets/css/bw-frontend-style.css
/wp-content/plugins/bulk-watermark/assets/js/bw-admin-script.js
/wp-content/plugins/bulk-watermark/assets/js/bw-frontend-script.js
Version Parameters
bulk-watermark/assets/css/bw-admin-style.css?ver=
bulk-watermark/assets/css/bw-frontend-style.css?ver=
bulk-watermark/assets/js/bw-admin-script.js?ver=
bulk-watermark/assets/js/bw-frontend-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
bw-admin-settings-page
bw-add-text-overlay
bw-add-image-overlay
bw-overlay-image-preview
bw-overlay-text-input
bw-overlay-text-color
bw-overlay-text-size
bw-overlay-text-opacity
+4 more
HTML Comments
<!-- Bulk Watermark Plugin Settings -->
<!-- Bulk Watermark Frontend Overlay -->
<!-- Bulk Watermark Image Preview -->
<!-- Bulk Watermark Text Settings -->
Data Attributes
data-bw-action
data-bw-overlay-type
data-bw-overlay-id
data-bw-image-id
data-bw-image-path
JS Globals
bulk_watermark_admin_params
bulk_watermark_frontend_params
REST Endpoints
/wp-json/bulk-watermark/v1/settings
/wp-json/bulk-watermark/v1/add-watermark
/wp-json/bulk-watermark/v1/delete-watermark