Video & Photo Gallery for Ultimate Member Security & Risk Analysis

wordpress.org/plugins/gallery-for-ultimate-member

Enhance Ultimate Member with a Photo/Video Gallery Addon: Easy media sharing & vibrant community engagement.

  • Active installs: 100
  • Version: v1.1.3
  • PHP: 5.4+
  • WP: 5.2+
  • Updated: Jan 23, 2025

Tags: ultimate-member, ultimate-member-gallery, ultimatemember, um-gallery, video-gallery-ultimate-member

Score: 63 (C · Use Caution)
CVEs total: 4
Unpatched: 1
Last CVE: Apr 4, 2025
Safety Verdict

Is Video & Photo Gallery for Ultimate Member Safe to Use in 2026?

Use With Caution

Score 63/100

Video & Photo Gallery for Ultimate Member has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

4 known CVEs · 1 unpatched · Last CVE: Apr 4, 2025 · Updated 1yr ago
Risk Assessment

The 'gallery-for-ultimate-member' plugin v1.1.3 exhibits a concerning security posture due to a significant number of unprotected entry points and a history of severe vulnerabilities. While the code shows some good practices like a high percentage of prepared SQL statements and properly escaped output, these strengths are overshadowed by critical weaknesses. The static analysis reveals 18 unprotected AJAX handlers out of 20, creating a large attack surface for potential unauthorized actions. Furthermore, the taint analysis identified 6 high-severity flows with unsanitized paths, indicating a risk of sensitive data exposure or manipulation.

The vulnerability history is particularly alarming, with 4 known CVEs, including one high-severity unpatched vulnerability. The common types of past vulnerabilities (SQL Injection, SSRF, Unrestricted Uploads, XSS) suggest a recurring pattern of improper input validation and handling, which the unsanitized paths identified in the current version exacerbate. That the most recent vulnerability dates from April 2025 is a further red flag, hinting at ongoing or recurring security flaws.

In conclusion, while the plugin has some positive security attributes, the high number of unprotected entry points, critical taint flows, and a history of serious, often recurring, vulnerability types make this plugin a significant risk. The presence of an unpatched high-severity vulnerability further elevates the urgency for remediation. Users should exercise extreme caution and consider disabling or replacing this plugin until these issues are addressed.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows with unsanitized paths
  • Unpatched high severity CVE
  • Vulnerability history: SQL Injection
  • Vulnerability history: SSRF
  • Vulnerability history: Unrestricted Upload
  • Vulnerability history: Cross-site Scripting
  • Limited capability checks
Vulnerabilities (4)

Video & Photo Gallery for Ultimate Member Security Vulnerabilities

CVEs by Year

  • 2024: 2 CVEs
  • 2025: 2 CVEs (has unpatched)

Severity Breakdown

High: 1
Medium: 3
Total: 4 CVEs

CVE-2025-32121 (medium · 4.9) · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Video & Photo Gallery for Ultimate Member <= 1.1.3 - Authenticated (Administrator+) SQL Injection
Apr 4, 2025 · Unpatched

CVE-2025-22672 (medium · 6.4) · Server-Side Request Forgery (SSRF)
Video & Photo Gallery for Ultimate Member <= 1.1.2 - Authenticated (Subscriber+) Server-Side Request Forgery
Feb 3, 2025 · Patched in 1.1.3 (10d)

CVE-2024-54370 (high · 8.8) · Unrestricted Upload of File with Dangerous Type
Video & Photo Gallery for Ultimate Member <= 1.1.0 - Authenticated (Subscriber+) Arbitrary File Upload
Dec 11, 2024 · Patched in 1.1.1 (8d)

CVE-2024-12162 (medium · 6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Video & Photo Gallery for Ultimate Member <= 1.1.1 - Reflected Cross-Site Scripting
Dec 11, 2024 · Patched in 1.1.2 (1d)
Code Analysis (analyzed Mar 16, 2026)

Video & Photo Gallery for Ultimate Member Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 14 (36 prepared)
  • Unescaped Output: 47 (312 escaped)
  • Nonce Checks: 7
  • Capability Checks: 1
  • File Operations: 5
  • External Requests: 2
  • Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

72% prepared (50 total queries)

Output Escaping

87% escaped (359 total outputs)
Data Flows (9 unsanitized)

Data Flow Analysis

17 flows, 9 with unsanitized paths

  • search_box (includes\um-gallery-admin-list.php:306)
Attack Surface (18 unprotected)

Video & Photo Gallery for Ultimate Member Attack Surface

Entry Points: 26
Unprotected: 18

AJAX Handlers (20)

  • auth · wp_ajax_um_gallery_admin_delete · includes\um-gallery-admin.php:113
  • auth · wp_ajax_um_gallery_photo_details · includes\um-gallery-ajax.php:22
  • auth · wp_ajax_um_gallery_admin_update_photo · includes\um-gallery-ajax.php:23
  • auth · wp_ajax_um_gallery_album_update · includes\um-gallery-ajax.php:29
  • auth · wp_ajax_um_gallery_delete_album · includes\um-gallery-ajax.php:30
  • auth · wp_ajax_um_gallery_get_album_form · includes\um-gallery-ajax.php:31
  • auth · wp_ajax_um_gallery_photo_update · includes\um-gallery-ajax.php:32
  • auth · wp_ajax_um_gallery_get_album_item · includes\um-gallery-ajax.php:33
  • auth · wp_ajax_um_gallery_photo_upload · includes\um-gallery-ajax.php:34
  • auth · wp_ajax_um_gallery_add_videos · includes\um-gallery-ajax.php:35
  • auth · wp_ajax_um_photo_info · includes\um-gallery-ajax.php:36
  • nopriv · wp_ajax_um_photo_info · includes\um-gallery-ajax.php:37
  • auth · wp_ajax_sp_gallery_um_delete · includes\um-gallery-ajax.php:38
  • auth · wp_ajax_um_gallery_fetch_remote_thumbnail · includes\um-gallery-ajax.php:39
  • auth · wp_ajax_um_gallery_get_more_photos · includes\um-gallery-ajax.php:41
  • nopriv · wp_ajax_um_gallery_get_more_photos · includes\um-gallery-ajax.php:42
  • auth · wp_ajax_um_gallery_get_comments · includes\um-gallery-comments.php:25
  • nopriv · wp_ajax_um_gallery_get_comments · includes\um-gallery-comments.php:26
  • auth · wp_ajax_um_gallery_post_comment · includes\um-gallery-comments.php:27
  • auth · wp_ajax_um_gallery_delete_comment · includes\um-gallery-comments.php:28

Shortcodes (6)

  • [um_gallery_albums] · includes\um-gallery-shortcodes.php:7
  • [um_gallery_photos] · includes\um-gallery-shortcodes.php:8
  • [um_gallery_recent_photos_grid] · includes\um-gallery-shortcodes.php:9
  • [um_gallery_wall_activity] · includes\um-gallery-shortcodes.php:10
  • [um_gallery_photo_count] · includes\um-gallery-shortcodes.php:11
  • [um_gallery_album_count] · includes\um-gallery-shortcodes.php:12

WordPress Hooks (24)

  • action · init · gallery-for-ultimate-member.php:210
  • action · wp_enqueue_scripts · gallery-for-ultimate-member.php:219
  • action · widgets_init · gallery-for-ultimate-member.php:221
  • action · wpmu_new_blog · gallery-for-ultimate-member.php:724
  • action · um_gallery_addon_updated · includes\class-um-gallery-privacy.php:39
  • filter · um_profile_tabs · includes\class-um-gallery-template.php:90
  • filter · um_user_profile_tabs · includes\class-um-gallery-template.php:91
  • action · wp_footer · includes\class-um-gallery-template.php:95
  • action · init · includes\class-um-gallery-template.php:96
  • action · admin_init · includes\um-gallery-admin.php:104
  • action · admin_init · includes\um-gallery-admin.php:105
  • action · admin_init · includes\um-gallery-admin.php:106
  • action · admin_init · includes\um-gallery-admin.php:107
  • action · admin_notices · includes\um-gallery-admin.php:108
  • action · admin_menu · includes\um-gallery-admin.php:109
  • action · um_gallery_addon_updated · includes\um-gallery-admin.php:110
  • action · um_gallery_action_tab · includes\um-gallery-admin.php:114
  • action · admin_enqueue_scripts · includes\um-gallery-admin.php:115
  • action · init · includes\um-gallery-ajax.php:25
  • action · um_gallery_photo_deleted · includes\um-gallery-comments.php:29
  • action · wp_footer · includes\um-gallery-functions.php:1012
  • action · admin_init · includes\um-gallery-settings.php:57
  • action · admin_init · includes\um-gallery-settings.php:58
  • action · um_gallery_after_options_page · includes\um-gallery-settings.php:59

Maintenance & Trust

Video & Photo Gallery for Ultimate Member Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jan 23, 2025
PHP min version: 5.4
Downloads: 17K

Community Trust

Rating: 46/100
Number of ratings: 12
Active installs: 100

Developer Profile

Video & Photo Gallery for Ultimate Member Developer Profile

SuitePlugins

17 plugins · 2K total installs

Trust score: 90
Avg Security Score: 86/100
Avg Patch Time: 7 days
Detection Fingerprints

How We Detect Video & Photo Gallery for Ultimate Member

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/gallery-for-ultimate-member/assets/css/jquery.fancybox.css
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/um-gallery-admin.js
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/um-gallery-ajax.js
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/um-gallery-frontend.js
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/um-gallery-functions.js
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/um-gallery-template.js
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/zoom.js

Script Paths
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/um-gallery-admin.js
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/um-gallery-ajax.js
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/um-gallery-frontend.js
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/um-gallery-functions.js
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/um-gallery-template.js
  • /wp-content/plugins/gallery-for-ultimate-member/assets/js/zoom.js

Version Parameters
  • gallery-for-ultimate-member/assets/css/jquery.fancybox.css?ver=
  • gallery-for-ultimate-member/assets/js/um-gallery-admin.js?ver=
  • gallery-for-ultimate-member/assets/js/um-gallery-ajax.js?ver=
  • gallery-for-ultimate-member/assets/js/um-gallery-frontend.js?ver=
  • gallery-for-ultimate-member/assets/js/um-gallery-functions.js?ver=
  • gallery-for-ultimate-member/assets/js/um-gallery-template.js?ver=
  • gallery-for-ultimate-member/assets/js/zoom.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • um-gallery-item
  • um-gallery-upload-wrap
  • um-gallery-browse-wrap
  • gallery-for-ultimate-member
  • um-gallery-item-footer

Data Attributes
  • data-gallery-id
  • data-photo-id

JS Globals
  • um_gallery_ajax_obj
  • um_gallery_frontend_obj
  • um_gallery_template_obj

Shortcode Output
  • [ultimate_user_gallery]

FAQ

Frequently Asked Questions about Video & Photo Gallery for Ultimate Member