WP-Safety

Image Annotations Security & Risk Analysis

wordpress.org/plugins/image-annotations

Image Annotations plugin lets readers to leave annotations to the selected area of the image in comments.

10 active installs v1.13 PHP + WP 3.8.1+ Updated Oct 5, 2015
annotationscommentsimagesnote
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Image Annotations Safe to Use in 2026?

Generally Safe

Score 85/100

Image Annotations has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 10yr ago
Risk Assessment

The image-annotations plugin v1.13 exhibits a mixed security posture. While the static analysis indicates a contained attack surface with all identified entry points (AJAX handlers) having nonce checks, the absence of capability checks is a significant concern. The presence of dangerous functions like 'unserialize' combined with a complete lack of prepared statements for SQL queries and no output escaping for any of its outputs presents substantial risks. This suggests that data processed by the plugin, especially if it originates from user input, could be manipulated to execute arbitrary code or extract sensitive information. The vulnerability history is clean, with no recorded CVEs, which is a positive indicator. However, this does not negate the inherent risks identified in the code analysis. The lack of past vulnerabilities might be due to a low discovery rate or the plugin's specific functionalities not attracting malicious attention yet. Overall, while the plugin has good practices regarding nonces and a clean history, the fundamental lack of input validation, output sanitization, and proper SQL handling makes it vulnerable to serious security exploits.

Key Concerns

  • Dangerous function 'unserialize' found
  • SQL queries lack prepared statements
  • Output escaping is completely missing
  • No capability checks on AJAX handlers
Vulnerabilities
None known

Image Annotations Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Image Annotations Code Analysis

Dangerous Functions
8
Raw SQL Queries
5
0 prepared
Unescaped Output
2
0 escaped
Nonce Checks
3
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

unserialize$unsercomm = unserialize(unserialize($annotation->meta_value));image-annotations.php:62
unserialize$unsercomm = unserialize(unserialize($annotation->meta_value));image-annotations.php:62
unserialize$annot_comm = unserialize(unserialize($one_annot->meta_value));image-annotations.php:235
unserialize$annot_comm = unserialize(unserialize($one_annot->meta_value));image-annotations.php:235
unserialize$annotation = unserialize(unserialize($annotations->meta_value));image-annotations.php:381
unserialize$annotation = unserialize(unserialize($annotations->meta_value));image-annotations.php:381
unserialize$unsercomm = unserialize(unserialize($annotations->meta_value));image-annotations.php:406
unserialize$unsercomm = unserialize(unserialize($annotations->meta_value));image-annotations.php:406

SQL Query Safety

0% prepared5 total queries

Output Escaping

0% escaped2 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
ia_edit_text (image-annotations.php:373)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

Image Annotations Attack Surface

Entry Points3
Unprotected0

AJAX Handlers 3

authwp_ajax_add_annotationimage-annotations.php:20
authwp_ajax_edit_annotationimage-annotations.php:21
authwp_ajax_del_annotationimage-annotations.php:22
WordPress Hooks 7
actionwp_enqueue_scriptsimage-annotations.php:17
actionwp_enqueue_scriptsimage-annotations.php:18
filterthe_contentimage-annotations.php:19
actionplugins_loadedimage-annotations.php:23
actionadmin_menuimage-annotations.php:25
actionadmin_initimage-annotations.php:26
filtercomments_arrayimage-annotations.php:28
Maintenance & Trust

Image Annotations Maintenance & Trust

Maintenance Signals

WordPress version tested4.3.34
Last updatedOct 5, 2015
PHP min version
Downloads2K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Alternatives

Image Annotations Alternatives

demon image annotation

demon image annotation

demon-image-annotation

A
98

Allows you to add textual annotations to images by select a region of the image and then attach a textual description.

10 3 CVEs
Guan Image Notes

Guan Image Notes

guan-image-notes

A
85

Image tagging system sync with WordPress comment system. Or also known as image notes, or image annotation.

10 No CVEs
Dan's Annotator

Dan's Annotator

dans-annotator

A
100

Lightweight front-end annotation tool with threads, tagging, and collaborator sessions.

0 No CVEs
Comment Image

Comment Image

comment-image

A
85

Enable readers to attach an image to their comments.

1K No CVEs
Embed Images in Comments

Embed Images in Comments

embed-comment-images

A
85

Embed direct image links in your comments with an img tag.

100 1 CVE
Developer Profile

Image Annotations Developer Profile

M03G

1 plugin · 10 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Image Annotations

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/image-annotations/css/admin-style.css/wp-content/plugins/image-annotations/css/style.css/wp-content/plugins/image-annotations/js/script.js
Script Paths
/wp-content/plugins/image-annotations/js/script.js
Version Parameters
image-annotations/css/style.css?ver=image-annotations/js/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
ia-admin-tableia-admin-annotationia-editedia-endeditia-editia-delia-annotationia-date+4 more
Data Attributes
ia-idia-reply-todata-countdown
JS Globals
ia_add_scriptsia_add_styleia_add_formia_add_textia_edit_textia_delete_text+7 more
FAQ

Frequently Asked Questions about Image Annotations