Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) Security & Risk Analysis

wordpress.org/plugins/image-hover-effects-ultimate

Add stunning image hover effects to WordPress. 500+ CSS3 animations, 10 effect modules, no coding needed. Support Elementor & Gutenberg.

20K active installs v9.11.1 PHP 7.4+ WP 6.2+ Updated Mar 27, 2026
Tags: css3-effects, image-gallery, image-hover-animation, image-hover-effects, photo-gallery
Score: 96
A · Safe
CVEs total: 8
Unpatched: 0
Last CVE: Dec 11, 2022
Safety Verdict

Is Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) Safe to Use in 2026?

Generally Safe

Score 96/100

Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

8 known CVEs · Last CVE: Dec 11, 2022 · Updated 1mo ago
Risk Assessment

The "image-hover-effects-ultimate" plugin exhibits a mixed security posture. It demonstrates good practices, such as a high percentage of prepared SQL statements and properly escaped output, but several concerning factors remain. An unprotected AJAX handler significantly increases the attack surface and presents a direct avenue for exploitation without proper authentication. The plugin's history of 8 known CVEs, including one critical and one high severity vulnerability, is a significant red flag: it indicates a recurring pattern of security weaknesses, even though no CVE is currently unpatched. The common vulnerability types, Authorization Bypass and Cross-site Scripting, together with the taint analysis showing a flow with unsanitized paths, suggest that input validation and access control have historically required, and may still require, careful attention. While the majority of the code appears secure, the identified unprotected entry point and past vulnerability trends warrant caution.

Key Concerns

  • AJAX handler without authentication
  • Flow with unsanitized paths
  • Multiple past CVEs (1 critical, 1 high)
  • Bundled outdated library (Freemius v1.0)
Vulnerabilities
8 published

Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) Security Vulnerabilities

CVEs by Year

2021: 2 CVEs
2022: 6 CVEs

Severity Breakdown

Critical: 1
High: 1
Medium: 6

8 total CVEs

CVE-2022-4207 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Image Hover Effects Ultimate 9.8.1 - 9.8.4 - Authenticated (Admin+) Stored Cross-Site Scripting

Dec 11, 2022 · Patched in 9.8.5 (408d)

CVE-2022-42459 · high · 7.2 · Authorization Bypass Through User-Controlled Key

Image Hover Effects Ultimate <= 9.7.1 - Authenticated (Admin+) Arbitrary Options Update

Oct 25, 2022 · Patched in 9.7.2 (455d)

CVE-2022-2937 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Image Hover Effects Ultimate <= 9.7.3 - Authenticated Stored Cross-Site Scripting via Title & Description

Aug 31, 2022 · Patched in 9.8.0 (510d)

CVE-2022-2936 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Image Hover Effects Ultimate <= 9.7.3 - Authenticated Stored Cross-Site Scripting via Video Link

Aug 31, 2022 · Patched in 9.8.0 (510d)

CVE-2022-2935 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Image Hover Effects Ultimate <= 9.7.3 - Authenticated Stored Cross-Site Scripting via Media URL

Aug 31, 2022 · Patched in 9.8.0 (930d)

CVE-2022-29424 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Image Hover Effects Ultimate <= 9.7.1 - Reflected Cross-Site Scripting

May 4, 2022 · Patched in 9.7.2 (629d)

CVE-2021-25031 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Image Hover Effects Ultimate <= 9.7.0 - Reflected Cross-Site Scripting via effects

Dec 27, 2021 · Patched in 9.7.1 (757d)

CVE-2021-36888 · critical · 9.8 · Improper Access Control

Image Hover Effects Ultimate <= 9.6.1 - Unauthenticated Arbitrary Options Update

Dec 15, 2021 · Patched in 9.6.2 (768d)

Version History

Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) Release Timeline

v9.11.1 (Current)
v9.11.0
v9.10.6
v9.10.5
v9.10.4
v9.10.3
v9.10.2
v9.10.1
v9.10.0
v9.9.7
v9.9.6
v9.9.5
v9.9.4
v9.9.3
v9.9.2
v9.9.1
v9.9.0
v9.8.6
v9.8.5
v9.8.4 (1 CVE)
Code Analysis
Analyzed Mar 16, 2026

Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 5 (384 prepared)
Unescaped Output: 76 (3183 escaped)
Nonce Checks: 5
Capability Checks: 16
File Operations: 4
External Requests: 0
Bundled Libraries: 3

Bundled Libraries

Select2, DataTables, Freemius 1.0

SQL Query Safety

99% prepared · 389 total queries

Output Escaping

98% escaped · 3259 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

8 flows · 1 with unsanitized paths
oxilab_admin_menu (Helper\Admin_helper.php:31)
Attack Surface
1 unprotected

Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) Attack Surface

Entry Points: 8
Unprotected: 1

AJAX Handlers 6

nopriv · wp_ajax_image_hover_ultimate · Classes\ImageApi.php:984
auth · wp_ajax_image_hover_ultimate · Classes\ImageApi.php:985
auth · wp_ajax_image_hover_settings · Classes\ImageApi.php:986
auth · wp_ajax_oxi_image_hover_preview_frame · Classes\ImageApi.php:987
auth · wp_ajax_oxi_image_admin_recommended · Classes\Support_Recommended.php:31
auth · wp_ajax_oxi_image_admin_notice · Classes\Support_Reviews.php:23

Shortcodes 2

[iheu_ultimate_oxi] index.php:234
[iheu_oxi_VC] Modules\Visual_Composer.php:123
WordPress Hooks 17
action · admin_notices · Classes\Support_Recommended.php:32
action · admin_enqueue_scripts · Classes\Support_Recommended.php:33
action · admin_notices · Classes\Support_Recommended.php:34
action · admin_notices · Classes\Support_Reviews.php:24
action · admin_enqueue_scripts · Classes\Support_Reviews.php:25
action · admin_notices · Classes\Support_Reviews.php:26
action · admin_menu · Includes\Admin\Menu.php:22
action · admin_enqueue_scripts · Includes\Assets.php:19
action · wp_enqueue_scripts · Includes\Assets.php:20
action · init · index.php:119
action · admin_head · index.php:208
filter · widget_text · index.php:237
action · widgets_init · index.php:238
action · image_hover_ultimate_update · index.php:245
action · vc_before_init · Modules\Visual_Composer.php:122
action · wp_enqueue_scripts · Page\PreviewFrame.php:52
action · wp_print_styles · Page\PreviewFrame.php:53

Scheduled Events 1

image_hover_ultimate_update
Maintenance & Trust

Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 27, 2026
PHP min version: 7.4
Downloads: 752K

Community Trust

Rating: 94/100
Number of ratings: 248
Active installs: 20K
Developer Profile

Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier ) Developer Profile

Oxilab

6 plugins · 31K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 613 days
Detection Fingerprints

How We Detect Image Hover Effects Ultimate ( Image Gallery, Effects, Lightbox, Comparison & Magnifier )

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/image-hover-effects-ultimate/assets/backend/css/oxi-image-hover-admin.css
/wp-content/plugins/image-hover-effects-ultimate/assets/frontend/css/image-hover-effects.css
/wp-content/plugins/image-hover-effects-ultimate/assets/frontend/js/image-hover-effects.js
/wp-content/plugins/image-hover-effects-ultimate/assets/backend/js/oxi-image-hover-admin.js
Script Paths
wp-content/plugins/image-hover-effects-ultimate/assets/backend/js/oxi-image-hover-admin.js
wp-content/plugins/image-hover-effects-ultimate/assets/frontend/js/image-hover-effects.js
Version Parameters
image-hover-effects-ultimate/assets/backend/css/oxi-image-hover-admin.css?ver=
image-hover-effects-ultimate/assets/frontend/css/image-hover-effects.css?ver=
image-hover-effects-ultimate/assets/frontend/js/image-hover-effects.js?ver=
image-hover-effects-ultimate/assets/backend/js/oxi-image-hover-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
oxi-image-hover-effects
oxi-image-hover-style
oxi-image-hover-tooltip
HTML Comments
<!-- WPKIN Image Hover Ultimate -->
Data Attributes
data-oxi-image-hover-id
JS Globals
window.oxi_image_hover_data
Shortcode Output
[iheu_ultimate_oxi