Image Source Control Lite – Show Image Credits and Captions Security & Risk Analysis

wordpress.org/plugins/image-source-control-isc

Show image credits, image captions, and copyrights. Manage image sources and warn if they are missing. The original plugin since 2012.

3K active installs v3.8.0 PHP 7.4+ WP 6.0+ Updated Feb 16, 2026
Tags: attributions, captions, copyrights, credits, image-sources
Score: 97 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jan 17, 2025
Safety Verdict

Is Image Source Control Lite – Show Image Credits and Captions Safe to Use in 2026?

Generally Safe

Score 97/100

Image Source Control Lite – Show Image Credits and Captions has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jan 17, 2025 · Updated 1mo ago
Risk Assessment

The 'image-source-control-isc' plugin v3.8.0 exhibits a mixed security posture. While it demonstrates good practices with a high percentage of SQL queries using prepared statements and a significant number of nonce and capability checks, several concerns warrant attention. The presence of a dangerous function like 'unserialize' without further context on its usage is a potential risk, as is the single identified file operation which could be a vector if not handled securely. The taint analysis shows no critical or high severity flows, which is positive, but the presence of two flows with unsanitized paths, even if classified lower, suggests potential for manipulation if inputs are not rigorously validated.

The plugin's vulnerability history is concerning, with four known medium severity CVEs, including authorization bypass and XSS. None are currently unpatched and there are no active critical or high vulnerabilities, which is a slight positive, but the pattern of past issues, particularly authorization bypass, indicates a recurring area of weakness. That all past vulnerabilities were medium severity and have since been patched suggests that the developers are responsive to fixing issues, but the frequency and types of past vulnerabilities still represent a risk. Overall, while the plugin has strengths in its current security implementation, the past vulnerability record and the identified code signals necessitate careful consideration and monitoring.

Key Concerns

  • Unprotected AJAX handler
  • Dangerous function 'unserialize' used
  • Flows with unsanitized paths found
  • Four past medium severity CVEs
Vulnerabilities
4

Image Source Control Lite – Show Image Credits and Captions Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2023: 1 CVE
2025: 2 CVEs

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2024-13515 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Image Source Control Lite – Show Image Credits and Captions <= 2.28.0 - Reflected Cross-Site Scripting

Jan 17, 2025 · Patched in 2.28.1 (1d)

CVE-2025-22711 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Image Source Control <= 2.29.0 - Reflected Cross-Site Scripting

Jan 15, 2025 · Patched in 2.29.1 (8d)

CVE-2023-52187 · medium · 5.3 · Insertion of Sensitive Information into Log File

Image Source Control <= 2.17.0 - Sensitive Information Exposure via Log File

Dec 29, 2023 · Patched in 2.17.1 (25d)

CVE-2021-24781 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Image Source Control Lite < 2.3.1 - Insecure Direct Object Reference

Oct 4, 2021 · Patched in 2.3.1 (841d)

Code Analysis
Analyzed Mar 16, 2026

Image Source Control Lite – Show Image Credits and Captions Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 1 (6 prepared)
Unescaped Output: 66 (212 escaped)
Nonce Checks: 10
Capability Checks: 10
File Operations: 1
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize (includes\helpers.php:42)
return @unserialize( trim( $data ), [ 'allowed_classes' => false ] );

SQL Query Safety

86% prepared · 7 total queries

Output Escaping

76% escaped · 278 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
pagination_links (includes\image-sources\renderer\global-list.php:298)
Attack Surface
1 unprotected

Image Source Control Lite – Show Image Credits and Captions Attack Surface

Entry Points: 13
Unprotected: 1

AJAX Handlers 11

auth wp_ajax_isc_download_log admin\includes\ajax.php:14
auth wp_ajax_isc_send_feedback includes\feedback.php:21
auth wp_ajax_isc-post-image-relations includes\image-sources\admin\ajax.php:18
auth wp_ajax_isc-image-post-relations includes\image-sources\admin\ajax.php:19
auth wp_ajax_isc-clear-index includes\image-sources\admin\ajax.php:20
auth wp_ajax_isc-show-storage includes\image-sources\admin\ajax.php:21
auth wp_ajax_isc-clear-storage includes\image-sources\admin\ajax.php:22
auth wp_ajax_isc-clear-image-posts-index includes\image-sources\admin\ajax.php:23
auth wp_ajax_isc-clear-post-images-index includes\image-sources\admin\ajax.php:24
auth wp_ajax_newsletter_signup includes\settings\sections\newsletter.php:31
auth wp_ajax_newsletter_close includes\settings\sections\newsletter.php:32

Shortcodes 2

[isc_list_all] public\public.php:34
[isc_list] public\public.php:53

WordPress Hooks 45

action init admin\admin.php:16
action in_admin_header admin\admin.php:19
action isc_admin_notices admin\admin.php:22
filter wpml_show_admin_language_switcher admin\admin.php:25
action delete_attachment admin\admin.php:31
action add_meta_boxes_attachment admin\includes\media-library-checks.php:16
action restrict_manage_posts admin\includes\media-library-filter.php:16
action admin_enqueue_scripts admin\includes\scripts.php:16
action admin_print_scripts admin\includes\scripts.php:17
action init includes\block-options\block-options.php:14
action enqueue_block_editor_assets includes\block-options\block-options.php:45
action enqueue_block_editor_assets includes\block-options\block-options.php:49
action update_option includes\block-options\block-options.php:50
action admin_enqueue_scripts includes\feedback.php:19
filter admin_footer includes\feedback.php:20
filter attachment_fields_to_edit includes\image-sources\admin\fields.php:19
action isc_admin_media_library_filters includes\image-sources\admin\media-library-filters.php:16
action pre_get_posts includes\image-sources\admin\media-library-filters.php:17
action admin_notices includes\image-sources\admin\media-library-filters.php:18
action admin_menu includes\image-sources\admin\menu.php:17
action admin_notices includes\image-sources\admin\notices.php:17
action admin_enqueue_scripts includes\image-sources\admin\scripts.php:16
action admin_print_scripts includes\image-sources\admin\scripts.php:17
action delete_attachment includes\image-sources\admin.php:24
action updated_post_meta includes\image-sources\image-sources.php:95
action added_post_meta includes\image-sources\image-sources.php:102
action add_attachment includes\image-sources\image-sources.php:107
action deleted_post includes\image-sources\image-sources.php:115
action before_delete_post includes\image-sources\image-sources.php:120
action wp_trash_post includes\image-sources\image-sources.php:121
action wp_insert_post includes\image-sources\image-sources.php:127
filter attachment_fields_to_save includes\model.php:27
filter isc_settings_on_save_after_validation includes\settings\section.php:19
action isc_admin_settings_overlay_included_images_after includes\settings\sections\caption.php:40
action isc_admin_settings_overlay_included_images_after includes\settings\sections\caption.php:44
action admin_init includes\settings.php:14
action admin_menu includes\settings.php:15
action admin_enqueue_scripts includes\settings.php:16
action admin_print_scripts includes\settings.php:17
action wp public\public.php:26
action wp_enqueue_scripts public\public.php:44
action wp_head public\public.php:45
filter the_excerpt public\public.php:50
filter render_block public\public.php:51
filter the_content public\public.php:99
Maintenance & Trust

Image Source Control Lite – Show Image Credits and Captions Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 16, 2026
PHP min version: 7.4
Downloads: 127K

Community Trust

Rating: 92/100
Number of ratings: 41
Active installs: 3K
Developer Profile

Image Source Control Lite – Show Image Credits and Captions Developer Profile

Thomas Maier

2 plugins · 3K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 219 days
Detection Fingerprints

How We Detect Image Source Control Lite – Show Image Credits and Captions

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/image-source-control-isc/admin/assets/css/isc.css
Version Parameters
isc_image_settings_css?ver=

HTML / DOM Fingerprints

CSS Classes
isc-get-pro, isc-notice
HTML Comments
<!-- wp:image, <!-- wp:media-text, <!-- wp:cover, <!-- wp:post-featured-image (+1 more)
Data Attributes
isc_image_source, isc_image_source_url, isc_image_licence, isc_image_source_own
JS Globals
isc
REST Endpoints
/wp-json/wp/v2/media