Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Security & Risk Analysis

wordpress.org/plugins/envira-gallery-lite

Envira Gallery is a fast, easy and powerful gallery builder with lightbox, masonry and grid layouts, albums, videos, responsive displays, and more.

100K active installs · v1.12.4 · PHP 7.0+ · WP 5.5+ · Updated Feb 19, 2026

Tags: best-gallery-plugin, gallery, image-gallery, photo-gallery, wordpress-gallery-plugin

Score: 95 (A · Safe)
CVEs total: 10
Unpatched: 0
Last CVE: Mar 3, 2026
Safety Verdict

Is Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Safe to Use in 2026?

Generally Safe

Score 95/100

Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More has a strong security track record. Known vulnerabilities have been patched promptly.

10 known CVEs · Last CVE: Mar 3, 2026 · Updated 1mo ago
Risk Assessment

The plugin "envira-gallery-lite" v1.12.4 exhibits a mixed security posture. While it demonstrates several good security practices, such as using prepared statements for all SQL queries and a high percentage of properly escaped output, there are significant areas of concern. The presence of one AJAX handler without authentication checks is a critical vulnerability that could allow unauthorized actions. Furthermore, the taint analysis revealed four flows with unsanitized paths, indicating potential for various injection vulnerabilities, although these are not classified as critical or high severity in this analysis. The plugin's vulnerability history is a major red flag, with a total of 10 known medium severity CVEs, including past instances of CSRF, Missing Authorization, and Cross-site Scripting. The fact that these are currently unpatched, despite the last vulnerability being reported in 2026, suggests a lack of timely security patching and a history of introducing exploitable flaws.

In conclusion, while the static code analysis highlights some positive security implementations, the combination of an unprotected entry point, unsanitized paths in taint flows, and a substantial history of medium-severity vulnerabilities, especially those related to authorization and input sanitization, presents a notable risk. The absence of currently unpatched critical or high vulnerabilities is a slight positive, but the recurring nature of medium vulnerabilities and the identified unprotected AJAX handler warrant careful consideration and immediate attention. The plugin's strengths lie in its SQL handling and output escaping, but its weaknesses in authorization and input validation, as evidenced by both static analysis and historical data, outweigh these benefits in the current assessment.

Key Concerns

  • AJAX handler without auth checks
  • Flows with unsanitized paths found
  • 10 medium severity CVEs historically
Vulnerabilities (10)

Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Security Vulnerabilities

CVEs by Year

2020: 2 CVEs
2022: 1 CVE
2024: 4 CVEs
2025: 2 CVEs
2026: 1 CVE

Severity Breakdown

Medium: 10 (10 total CVEs)

CVE-2026-1236 (medium · 6.4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Envira Gallery for WordPress <= 1.12.3 - Authenticated (Author+) Stored Cross-Site Scripting via 'justified_gallery_theme' Parameter via REST API

Mar 3, 2026 · Patched in 1.12.4 (1d)

CVE-2025-12377 (medium · 4.3) Missing Authorization

Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions

Nov 12, 2025 · Patched in 1.12.1 (33d)

CVE-2025-11448 (medium · 4.3) Missing Authorization

Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 - Missing Authorization to Authenticated (Contributor+) Gallery Conversion

Nov 7, 2025 · Patched in 1.12.0 (1d)

CVE-2024-43925 (medium · 4.3) Missing Authorization

Envira Photo Gallery <= 1.8.14 - Missing Authorization

Aug 26, 2024 · Patched in 1.8.15 (10d)

CVE-2024-3899 (medium · 6.4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gallery Plugin for WordPress – Envira Photo Gallery <= 1.8.14 - Authenticated (Author+) Stored Cross-Site Scripting

Aug 20, 2024 · Patched in 1.8.15 (32d)

CVE-2024-37095 (medium · 4.3) Cross-Site Request Forgery (CSRF)

Envira Photo Gallery <= 1.8.7.3 - Cross-Site Request Forgery to Notice Dismissal

Jun 20, 2024 · Patched in 1.8.8 (7d)

CVE-2023-6742 (medium · 4.3) Missing Authorization

Envira Gallery Lite <= 1.8.7.2 - Missing Authorization to Gallery Modification via envira_gallery_insert_images

Jan 8, 2024 · Patched in 1.8.7.3 (204d)

CVE-2022-2190 (medium · 6.1) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gallery Plugin for WordPress – Envira Photo Gallery <= 1.8.4.6 - Reflected Cross-Site Scripting

Oct 10, 2022 · Patched in 1.8.4.7 (470d)

CVE-2021-24126 (medium · 5.4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Envira Gallery Lite <= 1.8.3.2 - Cross-Site Scripting

Dec 19, 2020 · Patched in 1.8.3.3 (1130d)

CVE-2020-9334 (medium · 6.4) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Envira Photo Gallery <= 1.7.6 - Authenticated Stored Cross-Site Scripting

Feb 25, 2020 · Patched in 1.7.7 (1428d)
Code Analysis
Analyzed Mar 16, 2026

Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 50 (1045 escaped)
Nonce Checks: 33
Capability Checks: 40
File Operations: 4
External Requests: 5
Bundled Libraries: 0

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

95% escaped (1095 total outputs)
Data Flows (4 unsanitized)

Data Flow Analysis

6 flows, 4 with unsanitized paths

addons_content (includes\admin\addons.php:230)
Attack Surface (1 unprotected)

Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Attack Surface

Entry Points: 34
Unprotected: 1

AJAX Handlers (30)

auth | wp_ajax_envira_gallery_change_type | includes\admin\ajax.php:15
auth | wp_ajax_envira_gallery_set_user_setting | includes\admin\ajax.php:51
auth | wp_ajax_envira_gallery_load_image | includes\admin\ajax.php:78
auth | wp_ajax_envira_gallery_insert_images | includes\admin\ajax.php:146
auth | wp_ajax_envira_gallery_sort_images | includes\admin\ajax.php:235
auth | wp_ajax_envira_gallery_remove_image | includes\admin\ajax.php:282
auth | wp_ajax_envira_gallery_remove_images | includes\admin\ajax.php:331
auth | wp_ajax_envira_gallery_save_meta | includes\admin\ajax.php:392
auth | wp_ajax_envira_gallery_save_bulk_meta | includes\admin\ajax.php:486
auth | wp_ajax_envira_gallery_refresh | includes\admin\ajax.php:572
auth | wp_ajax_envira_gallery_load_gallery_data | includes\admin\ajax.php:609
auth | wp_ajax_envira_gallery_install_addon | includes\admin\ajax.php:631
auth | wp_ajax_envira_gallery_activate_addon | includes\admin\ajax.php:695
auth | wp_ajax_envira_gallery_deactivate_addon | includes\admin\ajax.php:724
auth | wp_ajax_envira_gallery_ajax_dismiss_notice | includes\admin\ajax.php:840
auth | wp_ajax_envira_gallery_ajax_dismiss_topbar | includes\admin\ajax.php:843
auth | wp_ajax_envira_gallery_get_attachment_links | includes\admin\ajax.php:863
auth | wp_ajax_envira_gallery_editor_get_galleries | includes\admin\ajax.php:905
auth | wp_ajax_envira_gallery_move_media | includes\admin\ajax.php:1006
auth | wp_ajax_envira_activate_partner | includes\admin\ajax.php:1073
auth | wp_ajax_envira_deactivate_partner | includes\admin\ajax.php:1104
auth | wp_ajax_envira_install_partner | includes\admin\ajax.php:1129
auth | wp_ajax_envira_connect | includes\admin\ajax.php:1205
auth | wp_ajax_envira_hide_admin_menu_tooltip | includes\admin\menu-nudge.php:54
auth | wp_ajax_envira_redirect_to_add_new_gallery | includes\admin\menu-nudge.php:58
auth | wp_ajax_envira_notification_dismiss | includes\admin\notifications.php:55
auth | wp_ajax_save_onboarding_data | includes\admin\onboarding-wizard.php:52
auth | wp_ajax_install_recommended_plugins | includes\admin\onboarding-wizard.php:53
auth | wp_ajax_save_selected_addons | includes\admin\onboarding-wizard.php:54
auth | wp_ajax_envira_dismiss_review | includes\admin\review.php:78

REST API Routes (3)

POST | /wp-json/envira-convert/v1/convert-gallery | includes\global\convert_gallery\Convert_Gallery_REST.php:27
POST | /wp-json/envira-convert/v1/bulk-convert | includes\global\convert_gallery\Convert_Gallery_REST.php:38
POST | /wp-json/envira-convert/v1/process-gallery | includes\global\convert_gallery\Convert_Gallery_REST.php:49

Shortcodes (1)

[envira-gallery] | includes\global\shortcode.php:166

WordPress Hooks (111)

action | init | envira-gallery-lite.php:140
action | admin_init | envira-gallery-lite.php:162
action | upgrader_process_complete | envira-gallery-lite.php:695
action | admin_menu | includes\admin\addons.php:77
action | envira_gallery_addons_section | includes\admin\addons.php:80
action | admin_enqueue_scripts | includes\admin\addons.php:137
action | admin_enqueue_scripts | includes\admin\addons.php:138
action | admin_menu | includes\admin\albums.php:49
action | admin_init | includes\admin\capabilities.php:37
filter | pre_get_posts | includes\admin\capabilities.php:38
action | current_screen | includes\admin\capabilities.php:39
action | admin_init | includes\admin\common.php:72
action | admin_init | includes\admin\common.php:75
action | admin_init | includes\admin\common.php:78
action | admin_enqueue_scripts | includes\admin\common.php:81
action | admin_enqueue_scripts | includes\admin\common.php:82
action | delete_attachment | includes\admin\common.php:85
action | delete_attachment | includes\admin\common.php:86
action | wp_trash_post | includes\admin\common.php:89
action | untrash_post | includes\admin\common.php:90
action | before_delete_post | includes\admin\common.php:93
filter | admin_footer_text | includes\admin\common.php:95
action | in_admin_footer | includes\admin\common.php:96
action | admin_footer | includes\admin\common.php:97
action | admin_menu | includes\admin\common.php:98
action | admin_menu | includes\admin\common.php:99
action | admin_head | includes\admin\common.php:100
action | admin_footer | includes\admin\common.php:101
action | admin_footer | includes\admin\common.php:104
action | admin_notices | includes\admin\common.php:412
action | admin_print_scripts | includes\admin\Deactivation_Survey.php:72
action | admin_print_scripts | includes\admin\Deactivation_Survey.php:73
action | admin_footer | includes\admin\Deactivation_Survey.php:74
action | media_buttons | includes\admin\editor.php:70
action | save_post | includes\admin\editor.php:71
action | before_delete_post | includes\admin\editor.php:72
action | admin_menu | includes\admin\Envira_Lite_Support.php:41
action | enqueue_block_editor_assets | includes\admin\gutenberg.php:71
action | current_screen | includes\admin\gutenberg.php:72
action | admin_menu | includes\admin\import-galleries.php:49
filter | envira_gallery_media_view_strings | includes\admin\media-view.php:61
action | print_media_templates | includes\admin\media-view.php:62
filter | wp_handle_upload | includes\admin\media.php:60
action | adminmenu | includes\admin\menu-nudge.php:52
action | admin_enqueue_scripts | includes\admin\menu-nudge.php:56
action | admin_notices | includes\admin\metaboxes.php:65
action | admin_enqueue_scripts | includes\admin\metaboxes.php:69
action | admin_enqueue_scripts | includes\admin\metaboxes.php:70
action | admin_enqueue_scripts | includes\admin\metaboxes.php:73
action | wp_print_scripts | includes\admin\metaboxes.php:74
action | add_meta_boxes_envira | includes\admin\metaboxes.php:77
action | post_edit_form_tag | includes\admin\metaboxes.php:80
filter | media_view_strings | includes\admin\metaboxes.php:83
action | envira_gallery_tab_images | includes\admin\metaboxes.php:86
action | envira_gallery_tab_config | includes\admin\metaboxes.php:87
action | envira_gallery_tab_lightbox | includes\admin\metaboxes.php:88
action | envira_gallery_tab_misc | includes\admin\metaboxes.php:89
filter | envira_gallery_tab_nav | includes\admin\metaboxes.php:91
action | envira_gallery_tab_mobile | includes\admin\metaboxes.php:92
action | envira_gallery_tab_videos | includes\admin\metaboxes.php:93
action | envira_gallery_tab_social | includes\admin\metaboxes.php:94
action | envira_gallery_tab_tags | includes\admin\metaboxes.php:95
action | envira_gallery_tab_animations | includes\admin\metaboxes.php:96
action | envira_gallery_tab_pagination | includes\admin\metaboxes.php:97
action | envira_gallery_tab_comments | includes\admin\metaboxes.php:98
action | envira_gallery_tab_search | includes\admin\metaboxes.php:99
action | save_post | includes\admin\metaboxes.php:102
filter | plupload_init | includes\admin\metaboxes.php:270
action | admin_head | includes\admin\metaboxes.php:329
action | post-plupload-upload-ui | includes\admin\metaboxes.php:447
action | post-html-upload-ui | includes\admin\metaboxes.php:448
action | envira_admin_notifications_update | includes\admin\notifications.php:56
action | admin_menu | includes\admin\onboarding-wizard.php:48
action | admin_head | includes\admin\onboarding-wizard.php:49
action | admin_init | includes\admin\onboarding-wizard.php:50
action | envira_permissions_update | includes\admin\permissions.php:37
filter | post_updated_messages | includes\admin\posttype.php:71
action | admin_head | includes\admin\posttype.php:74
action | in_admin_header | includes\admin\posttype.php:77
action | admin_notices | includes\admin\review.php:77
action | admin_menu | includes\admin\settings.php:38
action | envira_gallery_tab_settings_general | includes\admin\settings.php:39
action | envira_gallery_tab_settings_permissions | includes\admin\settings.php:40
action | envira_gallery_tab_settings_licensing | includes\admin\settings.php:41
action | envira_gallery_tab_settings_convert_to_envira | includes\admin\settings.php:42
action | envira_gallery_settings_permissions_tab_notice | includes\admin\settings.php:230
action | envira_gallery_settings_permissions_tab_notice | includes\admin\settings.php:252
action | admin_enqueue_scripts | includes\admin\table.php:73
action | admin_enqueue_scripts | includes\admin\table.php:74
filter | manage_edit-envira_columns | includes\admin\table.php:77
action | manage_envira_posts_custom_column | includes\admin\table.php:78
action | admin_footer | includes\admin\table.php:81
action | admin_menu | includes\admin\welcome.php:70
filter | admin_body_class | includes\admin\welcome.php:73
action | admin_enqueue_scripts | includes\admin\welcome.php:76
action | admin_enqueue_scripts | includes\admin\welcome.php:77
action | admin_print_scripts | includes\admin\welcome.php:80
filter | wp_get_attachment_url | includes\global\common.php:68
filter | envira_image_src | includes\global\common.php:69
filter | envira_output_src | includes\global\common.php:70
action | rest_api_init | includes\global\convert_gallery\Convert_Gallery_Main.php:28
action | admin_init | includes\global\Envira_Tracking.php:55
filter | cron_schedules | includes\global\Envira_Tracking.php:56
action | envira_usage_tracking_cron | includes\global\Envira_Tracking.php:57
filter | _admin_menu | includes\global\posttype.php:124
action | rest_api_init | includes\global\rest.php:52
filter | widget_text | includes\global\shortcode.php:167
filter | style_loader_tag | includes\global\shortcode.php:169
action | wp_footer | includes\global\shortcode.php:269
filter | envira_minify_strip_double_forward_slashes | includes\global\shortcode.php:1334
action | enable-media-replace-upload-done | includes\global\shortcode.php:1981

Scheduled Events (2)

envira_admin_notifications_update
envira_usage_tracking_cron

Maintenance & Trust

Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 19, 2026
PHP min version: 7.0
Downloads: 7.5M

Community Trust

Rating: 94/100
Number of ratings: 1,588
Active installs: 100K

Developer Profile

Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/envira-gallery-lite/assets/css/envira-gallery.css
/wp-content/plugins/envira-gallery-lite/assets/js/envira-gallery.js
Generator Patterns
Envira Gallery - Image Photo Gallery, Albums, Video Gallery, Slideshows & More 1.12.4
Script Paths
/wp-content/plugins/envira-gallery-lite/assets/js/envira-gallery.js
Version Parameters
envira-gallery-lite/assets/css/envira-gallery.css?ver=
envira-gallery-lite/assets/js/envira-gallery.js?ver=

HTML / DOM Fingerprints

CSS Classes
envira-gallery-lite
Data Attributes
data-envira-gallery-id
JS Globals
envira_gallery_lite
REST Endpoints
/wp-json/envira-gallery-lite/v1
Shortcode Output
[envira-gallery

FAQ

Frequently Asked Questions about Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More