Garden Gnome Package Security & Risk Analysis

wordpress.org/plugins/garden-gnome-package

Display panoramas, virtual tours or object movies created with Pano2VR and Object2VR.

4K active installs · v2.4.1 · PHP 7.2+ · WP 5.0+ · Updated Dec 11, 2025
Tags: 360, panorama, virtual-tour, webvr, webxr
Score: 69 (C · Use Caution)
CVEs total: 4
Unpatched: 1
Last CVE: Feb 21, 2026
Safety Verdict

Is Garden Gnome Package Safe to Use in 2026?

Use With Caution

Score 69/100

Garden Gnome Package has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

4 known CVEs · 1 unpatched · Last CVE: Feb 21, 2026 · Updated 5mo ago
Risk Assessment

The 'garden-gnome-package' plugin v2.4.1 presents a mixed security posture. Static analysis reveals a relatively small attack surface, with no unprotected AJAX handlers or REST API routes, and a good percentage of output being properly escaped. The complete absence of raw SQL queries and a single nonce check are also positive indicators of secure coding practices.

However, the vulnerability history is a significant concern. The plugin has a history of 3 known CVEs, including high and medium severity vulnerabilities such as Unrestricted Upload of File with Dangerous Type and Cross-Site Scripting. While there are currently no unpatched vulnerabilities, this pattern suggests a recurring weakness in the plugin's security, potentially indicating a need for more rigorous security auditing and testing by the developers. The lack of any identified critical taint flows in the static analysis is a positive point, but the historical vulnerabilities outweigh this for the overall risk assessment.

In conclusion, while the current version of 'garden-gnome-package' shows some good security implementations in its static analysis, its past vulnerability record demands caution. Users should be aware of the potential for future vulnerabilities given the history of insecure code patterns, and developers should prioritize addressing the root causes of past issues.

Key Concerns

  • High number of past vulnerabilities (3 total)
  • Past high severity vulnerability (1)
  • Past medium severity vulnerabilities (2)
  • No capability checks on entry points
  • Some output not properly escaped (11%)
Vulnerabilities
4 published

Garden Gnome Package Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 1 CVE
  • 2026: 1 CVE (unpatched)

Severity Breakdown

High: 1
Medium: 3

4 total CVEs

CVE-2026-39683 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Garden Gnome Package <= 2.4.1 - Authenticated (Author+) Stored Cross-Site Scripting

Feb 21, 2026 · Unpatched

CVE-2024-12854 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Garden Gnome Package <= 2.3.0 - Authenticated (Author+) Arbitrary File Upload

Jan 7, 2025 · Patched in 2.4.0 (1d)

CVE-2024-8657 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Garden Gnome Package <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 23, 2024 · Patched in 2.3.0 (1d)

CVE-2023-5664 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Garden Gnome Package <= 2.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Nov 6, 2023 · Patched in 2.2.9 (78d)
Code Analysis
Analyzed Mar 16, 2026

Garden Gnome Package Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 4 (33 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 12
External Requests: 1
Bundled Libraries: 0

Output Escaping

89% escaped · 37 total outputs
Attack Surface

Garden Gnome Package Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes: 1

[ggpkg] ggpkg.php:53

WordPress Hooks: 16

action init ggpkg.php:52
filter upload_mimes ggpkg.php:56
filter wp_check_filetype_and_ext ggpkg.php:57
action add_attachment ggpkg.php:58
filter post_mime_types ggpkg.php:59
action delete_attachment ggpkg.php:60
filter wp_get_attachment_image_attributes ggpkg.php:61
filter wp_prepare_attachment_for_js ggpkg.php:62
filter wp_get_attachment_metadata ggpkg.php:63
filter wp_mime_type_icon ggpkg.php:64
filter media_send_to_editor ggpkg.php:65
action elementor/widgets/widgets_registered ggpkg.php:66
action admin_menu ggpkg.php:79
action admin_init ggpkg.php:80
action admin_print_scripts ggpkg.php:83
action admin_print_styles ggpkg.php:84
Maintenance & Trust

Garden Gnome Package Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.0
Last updated: Dec 11, 2025
PHP min version: 7.2
Downloads: 52K

Community Trust

Rating: 84/100
Number of ratings: 5
Active installs: 4K
Developer Profile

Garden Gnome Package Developer Profile

Chief Gnome

1 plugin · 4K total installs

Trust score: 72
Avg Security Score: 69/100
Avg Patch Time: 27 days
Detection Fingerprints

How We Detect Garden Gnome Package

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/garden-gnome-package/include/ggskin.css

HTML / DOM Fingerprints

CSS Classes: ggpkg-viewer
Data Attributes: data-ggpkg-id
Shortcode Output: No Garden Gnome Package selected!