Photo Gallery by Ays – Responsive Image Gallery Security & Risk Analysis

wordpress.org/plugins/gallery-photo-gallery

Photo Gallery is a cool responsive image gallery plugin with beautiful views

2K active installs · v6.6.9 · PHP + WP 4.0+ · Updated Apr 15, 2026
gallery · image-gallery · photo-gallery · responsive-gallery · wordpress-gallery-plugin
86 · A · Safe
CVEs total: 10
Unpatched: 0
Last CVE: Dec 1, 2025
Safety Verdict

Is Photo Gallery by Ays – Responsive Image Gallery Safe to Use in 2026?

Generally Safe

Score 86/100

Photo Gallery by Ays – Responsive Image Gallery has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

10 known CVEs · Last CVE: Dec 1, 2025 · Updated 1mo ago
Risk Assessment

The "gallery-photo-gallery" plugin version 6.6.4 exhibits a mixed security posture. It follows several good practices, such as a high percentage of prepared SQL statements and a significant number of nonce and capability checks, but there are notable areas of concern. The 11 AJAX handlers without authentication checks present a considerable attack surface and increase the risk of unauthorized actions. Taint analysis reveals 3 high-severity flows with unsanitized paths, indicating potential vulnerabilities if user input is not properly handled. The plugin's historical vulnerability record is also concerning: 10 known CVEs, including past critical and high-severity issues such as injection and XSS. That the last recorded vulnerability was in 2025 suggests a recent history of security flaws, even though none are currently unpatched in this version. Together with the identified code signals, this points to a plugin whose security implementation needs careful attention and ongoing maintenance. The plugin is strong in database query security and authorization checks but weak in protecting AJAX entry points and sanitizing data flows; users should be aware of the risks associated with the exposed AJAX handlers and with the plugin's past vulnerability trends.

Key Concerns

  • 11 unprotected AJAX handlers
  • 3 high severity unsanitized path flows
  • 47% of outputs properly escaped
  • 10 total known CVEs (historical)
  • Bundled library Select2 (potential outdatedness)
Vulnerabilities
10 published

Photo Gallery by Ays – Responsive Image Gallery Security Vulnerabilities

CVEs by Year

2016: 1 CVE
2021: 2 CVEs
2023: 3 CVEs
2024: 2 CVEs
2025: 2 CVEs

Severity Breakdown

Critical: 1
High: 1
Medium: 8

10 total CVEs

CVE-2025-13685 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Photo Gallery by Ays <= 6.4.8 - Cross-Site Request Forgery to Bulk Actions

Dec 1, 2025 · Patched in 6.4.9 (1d)

CVE-2025-57947 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Photo Gallery by Ays <= 6.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 · Patched in 6.3.9 (17d)

CVE-2024-37442 · medium · 4.4 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Photo Gallery by Ays <= 5.7.0 - Authenticated (Administrator+) HTML Injection

Jun 28, 2024 · Patched in 5.7.1 (5d)

CVE-2024-29919 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Photo Gallery by Ays <= 5.5.2 - Reflected Cross-Site Scripting

Mar 25, 2024 · Patched in 5.5.3 (8d)

CVE-2023-39917 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Photo Gallery by Ays <= 5.2.6 - Cross-Site Request Forgery

Aug 7, 2023 · Patched in 5.2.7 (169d)

CVE-2023-2568 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Photo Gallery by Ays <= 5.1.6 - Reflected Cross-Site Scripting

May 16, 2023 · Patched in 5.1.7 (252d)

CVE-2023-32107 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Photo Gallery by Ays <= 5.1.3 - Reflected Cross-Site Scripting via ays_gpg_settings_tab

May 3, 2023 · Patched in 5.1.4 (265d)

CVE-2021-24462 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Photo Gallery by Ays - Responsive Image Gallery <= 4.4.3 - Authenticated Blind SQL Injections

Jun 29, 2021 · Patched in 4.4.4 (938d)

WF-4ec30511-40cb-433e-977c-df5be8c3d8f2-gallery-photo-gallery · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Photo Gallery by Ays – Responsive Image Gallery <= 4.4.3 - Reflected Cross-Site Scripting

Jun 29, 2021 · Patched in 4.4.4 (938d)

CVE-2016-10921 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Photo Gallery by Ays – Responsive Image Gallery < 1.0.1 - SQL Injection

Jul 11, 2016 · Patched in 1.0.1 (2752d)
Version History

Photo Gallery by Ays – Responsive Image Gallery Release Timeline

v6.6.9 (Current)
v6.6.8
v6.6.7
v6.6.6
v6.6.5
v6.6.4
v6.6.3
v6.6.2
v6.6.1
v6.6.0
v6.5.9
v6.5.8
v6.5.7
v6.5.6
v6.5.5
v6.5.4
v6.5.3
v6.5.2
v6.5.1
v6.5.0
Code Analysis
Analyzed Mar 16, 2026

Photo Gallery by Ays – Responsive Image Gallery Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 6 (59 prepared)
Unescaped Output: 764 (690 escaped)
Nonce Checks: 28
Capability Checks: 31
File Operations: 2
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

91% prepared · 65 total queries

Output Escaping

47% escaped · 1454 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

14 flows · 3 with unsanitized paths

deactivate_plugin_option (admin\class-gallery-photo-gallery-admin.php:843)
Attack Surface
11 unprotected

Photo Gallery by Ays – Responsive Image Gallery Attack Surface

Entry Points: 27
Unprotected: 11

AJAX Handlers 11

auth · wp_ajax_gen_ays_gpg_shortcode · includes\class-gallery-photo-gallery.php:197
auth · wp_ajax_deactivate_plugin_option_pm · includes\class-gallery-photo-gallery.php:201
nopriv · wp_ajax_deactivate_plugin_option_pm · includes\class-gallery-photo-gallery.php:202
auth · wp_ajax_ays_gpg_author_user_search · includes\class-gallery-photo-gallery.php:204
nopriv · wp_ajax_ays_gpg_author_user_search · includes\class-gallery-photo-gallery.php:205
auth · wp_ajax_ays_gpg_dismiss_button · includes\class-gallery-photo-gallery.php:228
nopriv · wp_ajax_ays_gpg_dismiss_button · includes\class-gallery-photo-gallery.php:229
auth · wp_ajax_ays_gpg_install_plugin · includes\class-gallery-photo-gallery.php:231
nopriv · wp_ajax_ays_gpg_install_plugin · includes\class-gallery-photo-gallery.php:232
auth · wp_ajax_ays_gpg_activate_plugin · includes\class-gallery-photo-gallery.php:234
nopriv · wp_ajax_ays_gpg_activate_plugin · includes\class-gallery-photo-gallery.php:235

Shortcodes 16

[vc_gallery_p_gallery] pb_templates\gallery_photo_gallery_wpbvc.php:11
[gallery_p_gallery] public\class-gallery-photo-gallery-public.php:55
[ays_gallery_category_title] public\partials\class-gallery-photo-gallery-category-shortcode.php:61
[ays_gallery_general_category_title] public\partials\class-gallery-photo-gallery-category-shortcode.php:63
[ays_gallery_category_desctription] public\partials\class-gallery-photo-gallery-category-shortcode.php:65
[ays_gallery_general_category_desctription] public\partials\class-gallery-photo-gallery-category-shortcode.php:67
[ays_gallery_creation_date] public\partials\class-gallery-photo-gallery-extra-shortcode.php:61
[ays_gallery_current_author] public\partials\class-gallery-photo-gallery-extra-shortcode.php:62
[ays_gallery_images_count] public\partials\class-gallery-photo-gallery-extra-shortcode.php:63
[ays_gallery_images_count_by_category] public\partials\class-gallery-photo-gallery-extra-shortcode.php:64
[ays_gallery_user_first_name] public\partials\class-gallery-photo-gallery-extra-shortcode.php:65
[ays_gallery_user_last_name] public\partials\class-gallery-photo-gallery-extra-shortcode.php:66
[ays_gallery_user_display_name] public\partials\class-gallery-photo-gallery-extra-shortcode.php:67
[ays_gallery_user_email] public\partials\class-gallery-photo-gallery-extra-shortcode.php:68
[ays_gallery_user_nickname] public\partials\class-gallery-photo-gallery-extra-shortcode.php:69
[ays_gallery_user_wordpress_roles] public\partials\class-gallery-photo-gallery-extra-shortcode.php:70
WordPress Hooks 29

filter · set-screen-option · admin\class-gallery-photo-gallery-admin.php:58
action · admin_notices · admin\class-gallery-photo-gallery-admin.php:324
action · enqueue_block_editor_assets · gallery\gallery-photo-gallery-block.php:129
action · init · gallery\gallery-photo-gallery-block.php:130
action · plugins_loaded · gallery-photo-gallery.php:82
action · admin_notices · gallery-photo-gallery.php:102
action · init · includes\class-gallery-photo-gallery-custom-post-type.php:33
action · plugins_loaded · includes\class-gallery-photo-gallery.php:173
action · admin_enqueue_scripts · includes\class-gallery-photo-gallery.php:189
action · admin_enqueue_scripts · includes\class-gallery-photo-gallery.php:190
action · admin_enqueue_scripts · includes\class-gallery-photo-gallery.php:191
action · current_screen · includes\class-gallery-photo-gallery.php:192
action · admin_menu · includes\class-gallery-photo-gallery.php:195
filter · mce_external_plugins · includes\class-gallery-photo-gallery.php:198
filter · mce_buttons · includes\class-gallery-photo-gallery.php:199
filter · plugin_row_meta · includes\class-gallery-photo-gallery.php:212
action · vcv:api · includes\class-gallery-photo-gallery.php:215
action · elementor/widgets/widgets_registered · includes\class-gallery-photo-gallery.php:217
action · admin_enqueue_scripts · includes\class-gallery-photo-gallery.php:219
action · in_admin_footer · includes\class-gallery-photo-gallery.php:221
action · admin_notices · includes\class-gallery-photo-gallery.php:226
action · init · includes\class-gallery-photo-gallery.php:251
action · wp_enqueue_scripts · includes\class-gallery-photo-gallery.php:252
filter · wp_img_tag_add_decoding_attr · includes\class-gallery-photo-gallery.php:254
action · admin_notices · includes\lists\class-gallery-photo-gallery-categories-list-table.php:15
action · admin_notices · includes\lists\class-gallery-photo-gallery-gpg-categories-list-table.php:15
action · admin_notices · includes\lists\class-gallery-photo-gallery-list-table.php:25
action · init · includes\lists\class-gallery-photo-gallery-list-table.php:30
action · init · pb_templates\gallery_photo_gallery_wpbvc.php:10
Maintenance & Trust

Photo Gallery by Ays – Responsive Image Gallery Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Apr 15, 2026
PHP min version:
Downloads: 182K

Community Trust

Rating: 96/100
Number of ratings: 18
Active installs: 2K
Developer Profile

Photo Gallery by Ays – Responsive Image Gallery Developer Profile

Ays Pro

18 plugins · 111K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 203 days
Detection Fingerprints

How We Detect Photo Gallery by Ays – Responsive Image Gallery

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/gallery-photo-gallery/admin/css/gallery-photo-gallery-admin.css
/wp-content/plugins/gallery-photo-gallery/admin/js/gallery-photo-gallery-admin.js
/wp-content/plugins/gallery-photo-gallery/assets/css/owl.carousel.min.css
/wp-content/plugins/gallery-photo-gallery/assets/css/owl.theme.default.min.css
/wp-content/plugins/gallery-photo-gallery/assets/css/photo-gallery-frontend.css
/wp-content/plugins/gallery-photo-gallery/assets/js/jquery.min.js
/wp-content/plugins/gallery-photo-gallery/assets/js/owl.carousel.min.js
/wp-content/plugins/gallery-photo-gallery/assets/js/photo-gallery-frontend.js
Version Parameters
gallery-photo-gallery/admin/css/gallery-photo-gallery-admin.css?ver=
gallery-photo-gallery/admin/js/gallery-photo-gallery-admin.js?ver=
gallery-photo-gallery/assets/css/owl.carousel.min.css?ver=
gallery-photo-gallery/assets/css/owl.theme.default.min.css?ver=
gallery-photo-gallery/assets/css/photo-gallery-frontend.css?ver=
gallery-photo-gallery/assets/js/jquery.min.js?ver=
gallery-photo-gallery/assets/js/owl.carousel.min.js?ver=
gallery-photo-gallery/assets/js/photo-gallery-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
ays-notice-banner
ays-gpg-logo-container-upgrade
ays-gpg-logo-container
gpg-logo
ays-gpg-upgrade-container
ays-gpg-logo-container-one-time-text
modile-ddmenu-lg
modile-ddmenu-lg-custom
+3 more
HTML Comments
<!-- START: Gallery - Photo Gallery ->Admin Notice-->
<!-- END: Gallery - Photo Gallery ->Admin Notice-->
<!-- Gallery - Photo Gallery -> START: Owl Carousel -->
<!-- Gallery - Photo Gallery -> END: Owl Carousel -->
Data Attributes
data-carusel="gallery-photo-gallery"
FAQ

Frequently Asked Questions about Photo Gallery by Ays – Responsive Image Gallery