Canvas Portfolio Security & Risk Analysis

wordpress.org/plugins/canvas-portfolio

Showcase your work with Canvas Portfolio the way it’s meant to be seen. Canvas Portfolio is an extension built with photographers, artists, and design …

10 active installs · v1.0.2 · PHP 5.4+ · WP 4.0+ · Updated Jul 16, 2020
canvas, gallery, image, portfolio, projects
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Canvas Portfolio Safe to Use in 2026?

Generally Safe

Score 85/100

Canvas Portfolio has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 5yr ago
Risk Assessment

The "canvas-portfolio" plugin version 1.0.2 exhibits a generally positive security posture, with strong adherence to several best practices. The static analysis reveals no dangerous functions, no file operations, and no external HTTP requests, all of which are excellent signs. Notably, 100% of SQL queries utilize prepared statements, and an impressive 99% of output is properly escaped, significantly mitigating risks like SQL injection and cross-site scripting. The presence of nonces and capability checks further bolsters its defenses.

However, there are areas of concern that prevent a perfect security rating. The plugin exposes one REST API route without permission callbacks, creating a direct attack vector that could be exploited by unauthenticated users. While taint analysis found no issues, this unprotected REST API route represents a significant oversight in access control. The plugin's vulnerability history is currently clear, with no known CVEs, which is a positive indicator. However, this absence of historical vulnerabilities does not negate the risks identified in the current static analysis.

In conclusion, "canvas-portfolio" v1.0.2 has a strong foundation in secure coding practices, particularly regarding data handling and output sanitization. The primary weakness lies in the unprotected REST API endpoint, which requires immediate attention. Addressing this single vulnerability would significantly improve the plugin's overall security. Continued vigilance regarding potential vulnerabilities in future versions is also advisable.

Key Concerns

  • REST API route without permission callback
Vulnerabilities
None known

Canvas Portfolio Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Canvas Portfolio Release Timeline

v1.0.1
v1.0.0
Code Analysis
Analyzed Apr 16, 2026

Canvas Portfolio Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 3 (218 escaped)
Nonce Checks: 5
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

99% escaped · 221 total outputs
Attack Surface
1 unprotected

Canvas Portfolio Attack Surface

Entry Points: 3
Unprotected: 1

AJAX Handlers: 2

  • auth  wp_ajax_cnvsport_portfolio_ajax_load_more  includes/portfolio-load-more.php:237
  • nopriv  wp_ajax_cnvsport_portfolio_ajax_load_more  includes/portfolio-load-more.php:238

REST API Routes: 1

  • GET  /wp-json/cnvsport/v1/portfolio-more-posts  includes/portfolio-load-more.php:263

WordPress Hooks: 19

  • action  admin_notices  includes/class-canvas-portfolio-installer.php:26
  • action  plugins_loaded  includes/class-canvas-portfolio.php:163
  • action  admin_enqueue_scripts  includes/class-canvas-portfolio.php:178
  • action  admin_enqueue_scripts  includes/class-canvas-portfolio.php:179
  • action  admin_enqueue_scripts  includes/class-canvas-portfolio.php:194
  • action  wp_enqueue_scripts  includes/class-canvas-portfolio.php:195
  • filter  excerpt_length  includes/plugin-functions.php:223
  • action  rest_api_init  includes/portfolio-load-more.php:272
  • action  cnvsport-categories_add_form_fields  includes/register-category-fields.php:21
  • action  cnvsport-categories_edit_form_fields  includes/register-category-fields.php:22
  • action  created_cnvsport-categories  includes/register-category-fields.php:23
  • action  edited_cnvsport-categories  includes/register-category-fields.php:24
  • action  admin_enqueue_scripts  includes/register-category-fields.php:25
  • action  add_meta_boxes  includes/register-post-fields.php:14
  • action  save_post  includes/register-post-fields.php:95
  • action  init  includes/register-post-types.php:50
  • action  init  includes/register-post-types.php:93
  • action  init  public/class-canvas-portfolio-block.php:21
  • filter  canvas_register_block_type  public/class-canvas-portfolio-block.php:22
Maintenance & Trust

Canvas Portfolio Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.4.19
Last updated: Jul 16, 2020
PHP min version: 5.4
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Canvas Portfolio Developer Profile

codesupplyco

6 plugins · 91K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 1041 days
Detection Fingerprints

How We Detect Canvas Portfolio

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/canvas-portfolio/admin/js/canvas-portfolio-admin.js
  • /wp-content/plugins/canvas-portfolio/includes/js/canvas-portfolio-public.js
  • /wp-content/plugins/canvas-portfolio/includes/css/canvas-portfolio-public.css

Script Paths

  • /wp-content/plugins/canvas-portfolio/admin/js/canvas-portfolio-admin.js
  • /wp-content/plugins/canvas-portfolio/includes/js/canvas-portfolio-public.js

Version Parameters

  • canvas-portfolio/admin/js/canvas-portfolio-admin.js?ver=
  • canvas-portfolio/includes/js/canvas-portfolio-public.js?ver=
  • canvas-portfolio/includes/css/canvas-portfolio-public.css?ver=

HTML / DOM Fingerprints

CSS Classes

  • canvas-portfolio-entry
  • canvas-portfolio-item
  • canvas-portfolio-grid
  • canvas-portfolio-layout-grid
  • canvas-portfolio-layout-masonry
  • canvas-portfolio-layout-list
  • canvas-portfolio-filter
  • canvas-portfolio-filter-item
  • +1 more

Data Attributes

  • data-portfolio-layout
  • data-portfolio-columns
  • data-portfolio-gap

JS Globals

  • cnvsportVideo

Shortcode Output

  • [canvas_portfolio
  • [canvas_portfolio_categories