Opal Portfolio Security & Risk Analysis

wordpress.org/plugins/opal-portfolios

Opal Portfolio is a flexible WordPress plugin that lets you display your company’s portfolios in a variety of ways: as single pages, and even as embed …

100 active installs · v1.0.4 · PHP + · WP + · Updated Mar 1, 2019
gallery · portfolio · project
64 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Apr 1, 2025
Safety Verdict

Is Opal Portfolio Safe to Use in 2026?

Use With Caution

Score 64/100

Opal Portfolio has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Apr 1, 2025 · Updated 7yr ago
Risk Assessment

The "opal-portfolios" v1.0.4 plugin exhibits a mixed security posture. It demonstrates good practices in SQL query handling, exclusively using prepared statements, and contains no dangerous functions or file operations, but significant concerns remain. The plugin has a moderately sized attack surface with 12 entry points, 3 of which are unprotected AJAX handlers. This lack of authentication on critical entry points is a major risk, potentially allowing unauthorized actions. Static analysis shows that 54% of output is properly escaped, which leaves a substantial number of unescaped outputs that could lead to Cross-Site Scripting (XSS) vulnerabilities. The taint analysis flags no critical or high severity issues, but it does show 3 flows with unsanitized paths, which warrant further investigation.

The vulnerability history is also a cause for concern: there is one known medium severity CVE, and it is currently unpatched. This suggests a recurring issue with input sanitization, specifically Cross-site Scripting, which aligns with the concerns raised by the unescaped output percentage and the taint analysis. In conclusion, the plugin has a solid foundation in some areas, but the unprotected entry points, unescaped output, and unpatched vulnerability present significant risks that need immediate attention.

Key Concerns

  • Unpatched CVE (medium severity)
  • AJAX handlers without auth checks
  • Significant percentage of unescaped output
  • Flows with unsanitized paths in taint analysis

Vulnerabilities: 1

Opal Portfolio Security Vulnerabilities

CVEs by Year

2025: 1 CVE · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-31748 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Opal Portfolio <= 1.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 1, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Opal Portfolio Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 113 (132 escaped)
Nonce Checks: 3
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

54% escaped · 245 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
render_ajax (includes\vendors\cmb2\custom-fields\agent_info.php:55)

Attack Surface: 3 unprotected

Opal Portfolio Attack Surface

Entry Points: 12
Unprotected: 3

AJAX Handlers 9

auth · wp_ajax_property_change_agent_info · includes\vendors\cmb2\custom-fields\agent_info.php:11
auth · wp_ajax_opalrealestate_upload_images · includes\vendors\cmb2\custom-fields\upload\upload.php:33
nopriv · wp_ajax_opalrealestate_upload_images · includes\vendors\cmb2\custom-fields\upload\upload.php:34
auth · wp_ajax_opalrealestate_upload_user_avatar · includes\vendors\cmb2\custom-fields\upload\upload.php:36
nopriv · wp_ajax_opalrealestate_upload_user_avatar · includes\vendors\cmb2\custom-fields\upload\upload.php:37
auth · wp_ajax_opalrealestate_delete_property_image · includes\vendors\cmb2\custom-fields\upload\upload.php:40
nopriv · wp_ajax_opalrealestate_delete_property_image · includes\vendors\cmb2\custom-fields\upload\upload.php:41
auth · wp_ajax_opalrealestate_user_upload · includes\vendors\cmb2\custom-fields\user_upload\user_upload.php:33
nopriv · wp_ajax_wp_ajax_opalrealestate_user_upload · includes\vendors\cmb2\custom-fields\user_upload\user_upload.php:34

Shortcodes 3

[portfolio_carousel] includes\shortcode\carousel.php:134
[portfolio_filter] includes\shortcode\filter.php:120
[portfolio_grid] includes\shortcode\grid.php:132

WordPress Hooks 32

action · admin_init · includes\admin\class-menu.php:33
action · admin_menu · includes\admin\class-menu.php:35
action · admin_enqueue_scripts · includes\admin\class-menu.php:37
action · customize_register · includes\class-opalportfolio-customizer.php:273
action · after_setup_theme · includes\class-opalportfolio-customizer.php:278
action · widgets_init · includes\class-opalportfolio-widgets.php:3
action · wp_enqueue_scripts · includes\class-style-customizer.php:24
action · wp_enqueue_scripts · includes\class-style-customizer.php:25
filter · template_include · includes\class-template-loader.php:27
action · elementor/widgets/widgets_registered · includes\hook-functions.php:19
action · init · includes\hook-functions.php:217
filter · opalportfolio_sidebar_archive_position · includes\hook-functions.php:353
filter · cmb2_meta_boxes · includes\post-type\portfolio.php:23
filter · cmb2_render_agent_info · includes\vendors\cmb2\custom-fields\agent_info.php:10
filter · cmb2_render_opal_button_set · includes\vendors\cmb2\custom-fields\button_set.php:15
filter · cmb2_render_opal_footer_layout · includes\vendors\cmb2\custom-fields\footer-layout.php:18
filter · cmb2_render_opal_header_layout · includes\vendors\cmb2\custom-fields\header-layout.php:18
filter · cmb2_render_opal_map · includes\vendors\cmb2\custom-fields\map\map.php:30
filter · cmb2_sanitize_opal_map · includes\vendors\cmb2\custom-fields\map\map.php:31
filter · cmb2_render_opal_slider · includes\vendors\cmb2\custom-fields\slider\slider.php:13
filter · cmb2_render_opal_switch · includes\vendors\cmb2\custom-fields\switch\switch.php:18
filter · cmb2_render_opal_switch_layout · includes\vendors\cmb2\custom-fields\switch-layout.php:18
filter · cmb2_render_text_password · includes\vendors\cmb2\custom-fields\text_password.php:10
filter · cmb2_render_opal_text_price · includes\vendors\cmb2\custom-fields\text_price.php:10
filter · cmb2_render_opal_upload · includes\vendors\cmb2\custom-fields\upload\upload.php:30
filter · cmb2_sanitize_opal_upload · includes\vendors\cmb2\custom-fields\upload\upload.php:31
filter · cmb2_render_adduser · includes\vendors\cmb2\custom-fields\user\user.php:30
filter · cmb2_sanitize_adduser · includes\vendors\cmb2\custom-fields\user\user.php:31
filter · cmb2_render_user_upload · includes\vendors\cmb2\custom-fields\user_upload\user_upload.php:30
filter · cmb2_sanitize_user_upload · includes\vendors\cmb2\custom-fields\user_upload\user_upload.php:31
action · init · opalportfolio.php:49
action · plugins_loaded · opalportfolio.php:50

Maintenance & Trust

Opal Portfolio Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.0.25
Last updated: Mar 1, 2019
PHP min version
Downloads: 3K

Community Trust

Rating: 20/100
Number of ratings: 1
Active installs: 100

Developer Profile

Opal Portfolio Developer Profile

wpopal

19 plugins · 3K total installs

Trust score: 81
Avg Security Score: 90/100
Avg Patch Time: 50 days
Detection Fingerprints

How We Detect Opal Portfolio

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/opal-portfolios/assets/css/admin-styles.css
/wp-content/plugins/opal-portfolios/assets/js/portfolio-scripts.js
/wp-content/plugins/opal-portfolios/assets/css/carousel.css
/wp-content/plugins/opal-portfolios/assets/css/filter.css
/wp-content/plugins/opal-portfolios/assets/css/grid.css

Script Paths
/wp-content/plugins/opal-portfolios/assets/js/portfolio-scripts.js

Version Parameters
opal-portfolios/assets/css/admin-styles.css?ver=
opal-portfolios/assets/js/portfolio-scripts.js?ver=
opal-portfolios/assets/css/carousel.css?ver=
opal-portfolios/assets/css/filter.css?ver=
opal-portfolios/assets/css/grid.css?ver=

HTML / DOM Fingerprints

CSS Classes
portfolio_settings_page
opal-portfolio-filter
opal-portfolio-grid
opal-portfolio-carousel

Data Attributes
data-show-filter
data-filter-position
data-filter-style
data-filter-category
data-filter-layout
data-grid-columns
+14 more

JS Globals
opal_portfolio_filter_params
opal_portfolio_grid_params
opal_portfolio_carousel_params

Shortcode Output
[opal_portfolio_filter
[opal_portfolio_grid
[opal_portfolio_carousel