Does Fancy Image Show have any unpatched vulnerabilities?

Yes — Fancy Image Show currently has 1 published unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Fancy Image Show compatible with WordPress 6.4.8?

According to WordPress.org data, Fancy Image Show 9.1 has been tested up to WordPress 6.4.8. Check the plugin's changelog for the latest compatibility information.

How often is Fancy Image Show updated?

Fancy Image Show was last updated on Oct 29, 2023. Frequent updates are generally a positive security signal.

What is Fancy Image Show's security score?

Fancy Image Show has a WP-Safety security score of 63/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Fancy Image Show Security & Risk Analysis

wordpress.org/plugins/fancy-image-show

This is a simple image rotation plugin. The image rotation happens with five different fancy effects, so it is named fancy image show.

80 active installs v9.1 PHP + WP 5.8+ Updated Oct 29, 2023

fancyimagesslideshow

C · Use Caution

CVEs total1

Unpatched1

Last CVEMay 11, 2026

Plugin page Download

Safety Verdict

Is Fancy Image Show Safe to Use in 2026?

Use With Caution

Score 63/100

Fancy Image Show has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: May 11, 2026Updated 2yr ago

Risk Assessment

The "fancy-image-show" v9.1 plugin exhibits a generally positive security posture with some areas for concern. Its attack surface is minimal, with only one shortcode and no unprotected entry points identified. The code employs prepared statements for the vast majority of its SQL queries, which is a strong indicator of good database security practices. Furthermore, the absence of known CVEs and historical vulnerabilities suggests a well-maintained and secure codebase. However, a significant area for improvement lies in output escaping, with only 42% of outputs being properly escaped. This indicates a potential risk of Cross-Site Scripting (XSS) vulnerabilities, especially if user-supplied data is involved in these unescaped outputs. The presence of two taint flows with unsanitized paths, although not rated critical or high severity, warrants attention as it suggests potential pathways for malicious input to reach sensitive functions without proper sanitization.

Key Concerns

Low output escaping rate
Taint flows with unsanitized paths

Vulnerabilities

1 published

Fancy Image Show Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched

2026

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2026-5340medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

May 11, 2026Unpatched

Version History

Fancy Image Show Release Timeline

No version history available.

Code Analysis

Analyzed Mar 16, 2026

Fancy Image Show Code Analysis

Dangerous Functions

Raw SQL Queries

19 prepared

Unescaped Output

22 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

95% prepared20 total queries

Output Escaping

42% escaped52 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

3 flows2 with unsanitized paths

FancyImg_control (fancy-image-show.php:231)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Fancy Image Show Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[fancy-img-show] fancy-image-show.php:315

WordPress Hooks 4

actionadmin_menufancy-image-show.php:204

actionplugins_loadedfancy-image-show.php:314

actionwp_enqueue_scriptsfancy-image-show.php:316

actionadmin_enqueue_scriptsfancy-image-show.php:320

Maintenance & Trust

Fancy Image Show Maintenance & Trust

Maintenance Signals

WordPress version tested6.4.8

Last updatedOct 29, 2023

PHP min version

Downloads31K

Community Trust

Rating0/100

Number of ratings0

Active installs80

Alternatives

Fancy Image Show Alternatives

FancyBox for WordPress

fancybox-for-wordpress

Seamlessly integrates FancyBox lightbox into your WordPress blog: Upload, activate, and you're done. Additional configuration optional.

40K 3 CVEs

WP Header Images

wp-header-images

A great WordPress plugin which helps you to choose a unique image for each menu page.

6K 1 CVE

FancyBox

fancy-box

Enables fancybox on all image links including BMP, GIF, JPG, JPEG, and PNG links.

4K 1 unpatched

WP-Cycle

wp-cycle

This plugin creates an image slideshow in your theme, using the jQuery Cycle plugin. You can upload/delete images via the administration panel, and di …

3K No CVEs

PhotoSwipe

photo-swipe

A very light implementation of PhotoSwipe javascript plugin for WordPress

1K No CVEs

Developer Profile

Fancy Image Show Developer Profile

gopi_plus

8 plugins · 1K total installs

trust score

Avg Security Score

82/100

Avg Patch Time

1046 days

View full developer profile

Detection Fingerprints

How We Detect Fancy Image Show

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/fancy-image-show/js/fancy-image-show.js

Script Paths

http://www.gopiplus.com/work/2011/11/06/fancy-image-show-wordpress-plugin/

HTML / DOM Fingerprints

Data Attributes

FancyImg_GalleryFancyImg_WidthFancyImg_HeightFancyImg_EffectFancyImg_delayFancyImg_Strips+7 more

JS Globals

FancyImgFancyImgShowFancyImg_installFancyImg_admin_optionsFancyImg_shortcodeFancyImg_deactivation+5 more

Shortcode Output

<script> $j(function() { $j(document).ready(function(){ $j("#GALLERY[0-9]+").FancyImageShow({ width: [0-9]+, height: [0-9]+, effect: '.*', delay: [0-9]+, strips: [0-9]+, stripDelay: [0-9]+ }); }); }); </script>

<div id="GALLERY[0-9]+">.*</div>

FAQ