Gmedia Photo Gallery Security & Risk Analysis

wordpress.org/plugins/grand-media

Gmedia Gallery - photo gallery with comments, show EXIF & Metadata, gallery with map geolocation (GPS), private galleries.

8K active installs v1.25.0 PHP 5.6+ WP 5.4.0+ Updated Jan 16, 2026
Tags: best-gallery-plugin, gallery, image-gallery, photo-gallery, wordpress-gallery-plugin

Score: 42 (D · High Risk)
CVEs total: 10
Unpatched: 1
Last CVE: Dec 31, 2025
Safety Verdict

Is Gmedia Photo Gallery Safe to Use in 2026?

High Risk

Score 42/100

Gmedia Photo Gallery carries significant security risk with 10 known CVEs, 1 still unpatched. Consider switching to a maintained alternative.

10 known CVEs · 1 unpatched · Last CVE: Dec 31, 2025 · Updated 2mo ago
Risk Assessment

The 'grand-media' v1.25.0 plugin presents a mixed security posture. While it demonstrates strong adherence to secure coding practices, such as a high percentage of properly escaped output and prepared SQL statements, significant concerns remain. The presence of unprotected AJAX handlers is a notable weakness, creating potential entry points for attackers. The taint analysis also revealed critical severity flows with unsanitized paths, indicating direct risks of arbitrary file access or execution if exploited.

The plugin's vulnerability history is a major red flag. With 10 known CVEs and one critical, unpatched vulnerability, the plugin has a history of significant security flaws. The common vulnerability types, including RFI and XSS, are particularly concerning as they can lead to severe compromise. The frequency and severity of past vulnerabilities, coupled with the identified unprotected entry points and taint issues, suggest a persistent need for vigilant security oversight and prompt patching.

In conclusion, while 'grand-media' v1.25.0 benefits from generally good coding practices, the combination of unprotected AJAX handlers, critical taint flows, and a substantial history of severe, unpatched vulnerabilities necessitates a high degree of caution. Users should prioritize updating to a version that addresses all known vulnerabilities and be aware of the potential for further security issues.

Key Concerns

  • Unpatched CVE present
  • Critical severity taint flows
  • Unprotected AJAX handlers
  • Bundled outdated library (Freemius v1.0)
  • High number of total CVEs
Vulnerabilities: 10

Gmedia Photo Gallery Security Vulnerabilities

CVEs by Year

2014: 2 CVEs
2015: 4 CVEs
2020: 1 CVE
2022: 1 CVE
2025: 2 CVEs (includes unpatched)

Severity Breakdown

Critical: 2
High: 2
Medium: 6

10 total CVEs

CVE-2025-63014 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Gmedia Photo Gallery <= 1.24.1 - Cross-Site Request Forgery

Dec 31, 2025 · Unpatched

CVE-2025-53257 · high · 7.5 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Gmedia Photo Gallery <= 1.23.0 - Authenticated (Contributor+) Local File Inclusion

Jun 27, 2025 · Patched in 1.24.0 (98d)

CVE-2022-0873 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gmedia Photo Gallery < 1.20.0 - Authenticated (Admin+) Stored Cross-Site Scripting

Apr 25, 2022 · Patched in 1.20.0 (638d)

WF-2c9f657b-82a5-40da-9e9a-95ea6f62d895-grand-media · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gmedia Photo Gallery <= 1.18.4 - Cross-Site Scripting

Apr 27, 2020 · Patched in 1.18.5 (1366d)

WF-0ad0eed1-777a-432b-a190-b8a7ed10d71a-grand-media · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gmedia Photo Gallery <= 1.6.4 - Cross-Site Scripting

May 27, 2015 · Patched in 1.6.5 (3163d)

CVE-2015-4339 · medium · 5.8 · Unintended Proxy or Intermediary ('Confused Deputy')

Gmedia Photo Gallery <= 1.6.4 - Open Proxy

May 27, 2015 · Patched in 1.6.5 (3163d)

WF-a161bd23-0b82-49ef-b3cc-a117823ec8a7-grand-media · high · 7.5 · Uncontrolled Resource Consumption

Gmedia Photo Gallery <= 1.6.4 - Denial of Service

May 27, 2015 · Patched in 1.6.5 (3163d)

WF-adb4644c-6ef6-4899-b0f1-2629ffacd19c-grand-media · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Gmedia Photo Gallery <= 1.6.4 - Local File Inclusion

May 27, 2015 · Patched in 1.6.5 (3163d)

WF-094c5011-41f6-420b-b566-e77fd55d9011-grand-media · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

Gmedia Photo Gallery < 1.2.2 - Arbitrary File Upload

Aug 2, 2014 · Patched in 1.2.2 (3461d)

WF-f787e299-21f8-4662-935a-ff1e25c7d275-grand-media · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gmedia Photo Gallery < 0.9.4 - Reflected Cross-Site Scripting

May 25, 2014 · Patched in 0.9.4 (3530d)
Code Analysis (analyzed Mar 16, 2026)

Gmedia Photo Gallery Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 48 (104 prepared)
Unescaped Output: 105 (2276 escaped)
Nonce Checks: 55
Capability Checks: 139
File Operations: 80
External Requests: 4
Bundled Libraries: 2

Bundled Libraries

jQuery, Freemius 1.0

SQL Query Safety

68% prepared · 152 total queries

Output Escaping

96% escaped · 2381 total outputs

Data Flows: 6 unsanitized

Data Flow Analysis

10 flows · 6 with unsanitized paths

gmedia_module_interaction (admin\ajax.php:2426)

Attack Surface: 5 unprotected

Gmedia Photo Gallery Attack Surface

Entry Points: 38
Unprotected: 5

AJAX Handlers 32

auth · wp_ajax_gmedia_update_data (admin\ajax.php:2)
auth · wp_ajax_gmedit_save (admin\ajax.php:146)
auth · wp_ajax_gmedit_restore (admin\ajax.php:335)
auth · wp_ajax_gmedia_get_modal (admin\ajax.php:352)
auth · wp_ajax_gmedia_tag_edit (admin\ajax.php:1044)
auth · wp_ajax_gmedia_module_preset_delete (admin\ajax.php:1086)
auth · wp_ajax_gmedia_module_install (admin\ajax.php:1120)
auth · wp_ajax_gmedia_import_wpmedia_modal (admin\ajax.php:1194)
auth · wp_ajax_gmedia_relimage (admin\ajax.php:1359)
auth · wp_ajax_gmedia_ftp_browser (admin\ajax.php:1459)
auth · wp_ajax_gmedia_set_post_thumbnail (admin\ajax.php:1516)
auth · wp_ajax_gmedia_upload_handler (admin\ajax.php:1605)
auth · wp_ajax_gmedia_import_handler (admin\ajax.php:1677)
auth · wp_ajax_gmedia_application (admin\ajax.php:1906)
auth · wp_ajax_gmedia_share_page (admin\ajax.php:1950)
auth · wp_ajax_gmedia_add_custom_field (admin\ajax.php:2037)
auth · wp_ajax_gmedia_delete_custom_field (admin\ajax.php:2085)
auth · wp_ajax_gmedia_term_add_custom_field (admin\ajax.php:2128)
auth · wp_ajax_gmedia_term_delete_custom_field (admin\ajax.php:2177)
auth · wp_ajax_gmedia_term_sortorder (admin\ajax.php:2222)
auth · wp_ajax_gmedia_upgrade_process (admin\ajax.php:2261)
auth · wp_ajax_gmedia_hash_files (admin\ajax.php:2291)
auth · wp_ajax_gmedia_recreate_images (admin\ajax.php:2338)
auth · wp_ajax_gmedia_feedback (admin\ajax.php:2375)
auth · wp_ajax_gmedia_save_waveform (admin\ajax.php:2400)
nopriv · wp_ajax_gmedia_save_waveform (admin\ajax.php:2401)
auth · wp_ajax_gmedia_module_interaction (admin\ajax.php:2424)
nopriv · wp_ajax_gmedia_module_interaction (admin\ajax.php:2425)
auth · wp_ajax_load_comments (admin\ajax.php:2512)
nopriv · wp_ajax_load_comments (admin\ajax.php:2513)
auth · wp_ajax_gmedia_get_data (admin\ajax.php:2541)
nopriv · wp_ajax_gmedia_get_data (admin\ajax.php:2542)

Shortcodes 6

[gmedia] inc\shortcodes.php:7
[gm] inc\shortcodes.php:8
[gmedia] inc\shortcodes.php:470
[gm] inc\shortcodes.php:471
[gmedia] inc\sitemap.php:44
[gm] inc\sitemap.php:45

WordPress Hooks 123

action admin_head (admin\admin.php:16)
action admin_menu (admin\admin.php:19)
action admin_enqueue_scripts (admin\admin.php:22)
action admin_print_scripts-widgets.php (admin\admin.php:23)
action enqueue_block_editor_assets (admin\admin.php:25)
filter screen_settings (admin\admin.php:27)
filter set-screen-option (admin\admin.php:28)
filter set_screen_option_gm_screen_options (admin\admin.php:29)
action admin_init (admin\admin.php:47)
action admin_footer (admin\admin.php:50)
filter admin_body_class (admin\admin.php:61)
filter wp_redirect (admin\class.processor.php:32)
filter get_comment_text (admin\class.processor.php:35)
action init (admin\class.processor.php:38)
action gmedia_term_album_after_panel (admin\pages\terms\functions.php:118)
action before_gmedia_filter_message (admin\pages\terms\functions.php:138)
action before_gmedia_filter_message (admin\pages\terms\functions.php:140)
action gmedia_term_category_after_panel (admin\pages\terms\functions.php:162)
action admin_enqueue_scripts (admin\processor\class.processor.library.php:49)
action admin_footer (admin\processor\class.processor.library.php:66)
action gmedia_before_terms_list (admin\processor\class.processor.terms.php:56)
action gmedia_before_terms_list (admin\processor\class.processor.terms.php:58)
action gmedia_before_terms_list (admin\processor\class.processor.terms.php:63)
action gmedia_before_terms_list (admin\processor\class.processor.terms.php:65)
action gmedia_before_terms_list (admin\processor\class.processor.terms.php:70)
action gmedia_before_terms_list (admin\processor\class.processor.terms.php:72)
action gmedia_db_update (config\update.php:180)
action after_uninstall (grand-media.php:67)
filter cron_schedules (grand-media.php:134)
action wp_enqueue_scripts (grand-media.php:138)
action admin_enqueue_scripts (grand-media.php:139)
action wpmu_new_blog (grand-media.php:140)
action plugins_loaded (grand-media.php:147)
action deleted_user (grand-media.php:148)
action init (grand-media.php:154)
action init (grand-media.php:155)
action widgets_init (grand-media.php:158)
action gmedia_app_cronjob (grand-media.php:159)
action gmedia_modules_update (grand-media.php:160)
filter plugin_row_meta (grand-media.php:164)
action init (grand-media.php:185)
action admin_notices (grand-media.php:189)
action wp_head (grand-media.php:198)
action wp_footer (grand-media.php:199)
action gmedia_head (grand-media.php:201)
action gmedia_head (grand-media.php:202)
action gmedia_head (grand-media.php:203)
action gmedia_enqueue_scripts (grand-media.php:204)
action gmedia_head (grand-media.php:205)
action gmedia_footer (grand-media.php:206)
action admin_notices (grand-media.php:230)
action admin_notices (grand-media.php:237)
action admin_notices (grand-media.php:270)
action admin_notices (grand-media.php:272)
action init (grand-media.php:278)
action init (grand-media.php:283)
action wp_print_head_scripts (grand-media.php:616)
action wp_print_footer_scripts (grand-media.php:617)
filter get_gmedia_metadata (grand-media.php:792)
filter get_gmedia_term_metadata (grand-media.php:798)
filter get_edit_post_link (grand-media.php:804)
filter wp_link_query_args (grand-media.php:836)
filter jetpack_lazy_images_skip_image_with_attributes (inc\compatibility.php:35)
filter a3_lazy_load_skip_images_classes (inc\compatibility.php:48)
filter wpss_misc_form_spam_check_bypass (inc\compatibility.php:66)
filter user_has_cap (inc\compatibility.php:114)
filter wp_kses_allowed_html (inc\compatibility.php:239)
filter safe_style_css (inc\compatibility.php:240)
action init (inc\core.php:22)
action init (inc\core.php:23)
action clean_gmedia_cache (inc\core.php:25)
action created_gmedia_term (inc\core.php:33)
action edited_gmedia_term (inc\core.php:34)
action deleted_gmedia_term (inc\core.php:35)
filter get_the_gmedia_terms (inc\core.php:38)
action gmedia_view (inc\core.php:131)
action gmedia_like (inc\core.php:132)
action gmedia_rate (inc\core.php:133)
action wp_head (inc\frontend.filters.php:9)
action pre_get_posts (inc\frontend.filters.php:10)
action pre_get_posts (inc\frontend.filters.php:11)
filter the_posts (inc\frontend.filters.php:13)
action the_post (inc\frontend.filters.php:15)
filter widget_comments_args (inc\frontend.filters.php:17)
filter get_the_excerpt (inc\frontend.filters.php:249)
filter the_content (inc\frontend.filters.php:250)
filter the_content (inc\frontend.filters.php:263)
filter comments_open (inc\frontend.filters.php:910)
filter media_upload_tabs (inc\media-upload.php:9)
action media_upload_gmedia_library (inc\media-upload.php:10)
action media_upload_gmedia_terms (inc\media-upload.php:11)
action media_upload_gmedia_galleries (inc\media-upload.php:12)
action admin_enqueue_scripts (inc\media-upload.php:39)
filter rewrite_rules_array (inc\permalinks.php:15)
filter query_vars (inc\permalinks.php:16)
action parse_request (inc\permalinks.php:17)
action parse_query (inc\permalinks.php:18)
filter post_thumbnail_html (inc\permalinks.php:20)
filter gmedia_shortcode_query (inc\permalinks.php:21)
filter show_admin_bar (inc\permalinks.php:23)
action single_template (inc\permalinks.php:24)
filter comment_post_redirect (inc\permalinks.php:25)
action media_buttons (inc\post-metabox.php:20)
action admin_enqueue_scripts (inc\post-metabox.php:21)
action admin_footer (inc\post-metabox.php:23)
filter admin_post_thumbnail_html (inc\post-metabox.php:24)
action do_meta_boxes (inc\post-metabox.php:31)
action save_post (inc\post-metabox.php:32)
filter the_content (inc\shortcodes.php:11)
filter jetpack_photon_skip_image (inc\shortcodes.php:229)
filter wpseo_sitemap_urlimages (inc\sitemap.php:17)
filter the_content_feed (inc\sitemap.php:19)
action gmedia_head (load-template.php:92)
action gmedia_head (template\category.php:3)
filter comments_template (template\comments-popup.php:10)
action gmedia_head (template\functions.php:5)
action gmedia_head (template\functions.php:6)
action gmedia_head (template\functions.php:7)
action gmedia_footer (template\functions.php:8)
action gmedia_footer (template\functions.php:9)
action gmedia_footer (template\functions.php:10)
filter show_admin_bar (template\functions.php:76)
filter body_class (template\functions.php:206)

Scheduled Events 8

gmedia_modules_update
gmedia_db_update
gmedia_db_update
gmedia_db_update
gmedia_app_cronjob
gmedia_modules_update
gmedia_app_cronjob
gmedia_app_cronjob
Maintenance & Trust

Gmedia Photo Gallery Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 16, 2026
PHP min version: 5.6
Downloads: 1.0M

Community Trust

Rating: 86/100
Number of ratings: 260
Active installs: 8K
Developer Profile

Gmedia Photo Gallery Developer Profile

stepasyuk

3 plugins · 59K total installs

Trust score: 66
Avg Security Score: 81/100
Avg Patch Time: 2416 days
Detection Fingerprints

How We Detect Gmedia Photo Gallery

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/grand-media/assets/img/gm-admin-icon.svg
/wp-content/plugins/grand-media/assets/img/gm-logo.svg
/wp-content/plugins/grand-media/assets/js/gm-editor.js
/wp-content/plugins/grand-media/assets/js/gm-gallery-params.js
/wp-content/plugins/grand-media/assets/js/gm-gallery-view.js
/wp-content/plugins/grand-media/assets/js/gm-gallery.js
/wp-content/plugins/grand-media/assets/js/gm-grid-view.js
/wp-content/plugins/grand-media/assets/js/gm-modal.js
(+19 more)

Script Paths
/wp-content/plugins/grand-media/assets/js/gm-editor.js
/wp-content/plugins/grand-media/assets/js/gm-gallery-params.js
/wp-content/plugins/grand-media/assets/js/gm-gallery-view.js
/wp-content/plugins/grand-media/assets/js/gm-gallery.js
/wp-content/plugins/grand-media/assets/js/gm-grid-view.js
/wp-content/plugins/grand-media/assets/js/gm-modal.js
(+8 more)

Version Parameters
grand-media/assets/css/gm-admin.css?ver=
grand-media/assets/css/gm-frontend.css?ver=
grand-media/assets/css/gm-grid-view.css?ver=
grand-media/assets/css/gm-modal.css?ver=
grand-media/assets/css/gm-shortcode.css?ver=
grand-media/assets/css/photoswipe.css?ver=
grand-media/assets/css/photoswipe-skin.css?ver=
grand-media/assets/css/gmedia-gallery.css?ver=
grand-media/assets/css/gmedia-frontend.css?ver=
grand-media/assets/js/gm-editor.js?ver=
grand-media/assets/js/gm-gallery-params.js?ver=
grand-media/assets/js/gm-gallery-view.js?ver=
grand-media/assets/js/gm-gallery.js?ver=
grand-media/assets/js/gm-grid-view.js?ver=
grand-media/assets/js/gm-modal.js?ver=
grand-media/assets/js/gm-shortcode-button.js?ver=
grand-media/assets/js/gm-upload.js?ver=
grand-media/assets/js/gm-user.js?ver=
grand-media/assets/js/masonry.pkgd.min.js?ver=
grand-media/assets/js/photoswipe.js?ver=
grand-media/assets/js/photoswipe.min.js?ver=
grand-media/assets/js/photoswipe-ui-default.js?ver=
grand-media/assets/js/photoswipe-ui-default.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
gmedia-gallery, gmedia-gallery-cover, gmedia-gallery-item, gmedia-gallery-caption, gmedia-gallery-title, gmedia-gallery-description, gmedia-gallery-date, gmedia-gallery-author (+33 more)

HTML Comments
<!-- Gmedia Gallery by Rattus -->
<!-- Gmedia Gallery shortcode -->

Data Attributes
data-gmedia-id, data-gmedia-type, data-gmedia-title, data-gmedia-alt, data-gmedia-description, data-gmedia-url (+13 more)

JS Globals
gmedia_gallery_params, gmedia_editor_params, gmedia_upload_params, gmedia_user_params, gmedia_modal_params, GmediaGallery (+5 more)

REST Endpoints
/wp-json/gmedia/v1/galleries
/wp-json/gmedia/v1/galleries/<id>
/wp-json/gmedia/v1/media
/wp-json/gmedia/v1/media/<id>
/wp-json/gmedia/v1/users
/wp-json/gmedia/v1/users/<id>

Shortcode Output
[gmedia id="
[gmedia gallery_id="
[gmedia album_id="
[gmedia folder_id="
FAQ

Frequently Asked Questions about Gmedia Photo Gallery