Gallery by BestWebSoft – Customizable Image and Photo Galleries for WordPress Security & Risk Analysis

The 'gallery-plugin' v4.7.7 exhibits a mixed security posture. While the static analysis reveals a relatively small attack surface with no unprotected AJAX handlers or REST API routes, and a strong emphasis on output escaping (97%) and nonce checks (31), there are underlying concerns. The presence of 26 SQL queries, with 38% not using prepared statements, is a significant risk for potential SQL injection vulnerabilities, despite the absence of critical taint flows in the current analysis. Furthermore, the plugin's history of 5 known CVEs, including 2 high severity vulnerabilities (SQL Injection and Cross-Site Scripting, and Deserialization of Untrusted Data), indicates a pattern of historical weaknesses that, even if currently patched, suggest a recurring need for vigilant maintenance and potentially deeper code scrutiny. The last vulnerability being in 2025 also suggests a relatively recent discovery, implying that the plugin might still be actively targeted or has had persistent issues.

While the current static analysis shows no critical or high severity issues, and all previous CVEs are reported as patched, the high percentage of non-prepared SQL statements and the historical trend of significant vulnerabilities are substantial weaknesses. The plugin has demonstrated an ability to develop critical flaws in the past, and the static analysis does not fully mitigate the risk associated with the 38% of SQL queries that are not prepared. The absence of critical taint flows is a positive sign for the current version, but the overall historical context and the identified code signals warrant caution.