New Simple Gallery Security & Risk Analysis

The "new-simple-gallery" plugin version 8.0 exhibits a mixed security posture. On one hand, the static analysis reveals several positive security practices. The plugin utilizes prepared statements for all its SQL queries, indicating a strong defense against SQL injection through database interactions. There are also a reasonable number of nonce checks present, which helps in validating user requests. The limited attack surface, with only one shortcode and no exposed AJAX handlers or REST API routes without authentication, is also a positive indicator.

However, the plugin is not without its concerns. The most significant is the presence of a known, unpatched medium severity vulnerability from 2025-09-05, which historically has been related to SQL injection. This single unpatched CVE poses a considerable risk to any WordPress site using this version. Furthermore, the static analysis shows that only 63% of output is properly escaped. While not a critical flaw on its own, a large number of unescaped outputs can contribute to cross-site scripting (XSS) vulnerabilities if not carefully managed within the context of the application.

In conclusion, while the plugin demonstrates good practices in areas like SQL query handling and limiting its direct attack surface, the single unpatched SQL injection vulnerability from its history is a critical weakness that outweighs these strengths. The moderate rate of output escaping is also a point of attention. Website administrators should prioritize updating or replacing this plugin to mitigate the known security risk.