Photo Express for Google Security & Risk Analysis

wordpress.org/plugins/photo-express-for-google

Browse and select photos from any public or private Google+ album and add them to your posts/pages. This is an unofficial fork of "Picasa and Goo …

70 active installs v0.3.2 PHP + WP 3.7+ Updated Aug 30, 2015
googlegoogleplusoauthpicasaweb
64
C · Use Caution
CVEs total1
Unpatched1
Last CVEJun 23, 2025
Safety Verdict

Is Photo Express for Google Safe to Use in 2026?

Use With Caution

Score 64/100

Photo Express for Google has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE 1 unpatched Last CVE: Jun 23, 2025Updated 10yr ago
Risk Assessment

The photo-express-for-google plugin version 0.3.2 exhibits a concerning security posture, primarily due to a significant number of unprotected entry points and a history of vulnerabilities. The static analysis reveals 4 out of 9 total entry points lack authentication checks, which is a major concern for potential unauthorized access and manipulation. While there are no critical or high severity taint analysis findings, the presence of 2 flows with unsanitized paths warrants attention as they could lead to unexpected behavior or security issues if exploited. The vulnerability history is particularly troubling, with one known unpatched medium severity CVE. This indicates a pattern of security weaknesses that have not been fully addressed, and the fact that it's a Cross-site Scripting (XSS) vulnerability suggests potential issues with how user input is handled. While the plugin does perform capability checks and has some output escaping, the high percentage of unescaped outputs and the lack of prepared statements for SQL queries are notable weaknesses. The combination of unprotected entry points and past vulnerabilities paints a picture of a plugin that requires immediate attention to mitigate risks.

Key Concerns

  • Unprotected AJAX handlers
  • SQL queries without prepared statements
  • Low percentage of properly escaped output
  • Unpatched medium severity CVE
  • Flows with unsanitized paths
Vulnerabilities
1 published

Photo Express for Google Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-27361medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Photo Express for Google <= 0.3.2 - Reflected Cross-Site Scripting

Jun 23, 2025Unpatched
Version History

Photo Express for Google Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

Photo Express for Google Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
0 prepared
Unescaped Output
31
20 escaped
Nonce Checks
1
Capability Checks
8
File Operations
1
External Requests
4
Bundled Libraries
0

SQL Query Safety

0% prepared1 total queries

Output Escaping

39% escaped51 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

6 flows2 with unsanitized paths
check_for_authorization_code (class-google-photo-access.php:98)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
4 unprotected

Photo Express for Google Attack Surface

Entry Points9
Unprotected4

AJAX Handlers 4

authwp_ajax_peg_get_galleryphoto-express.php:135
authwp_ajax_peg_get_imagesphoto-express.php:136
authwp_ajax_peg_save_statephoto-express.php:137
authwp_ajax_peg_process_shortcodephoto-express.php:138

Shortcodes 5

[pe2-gallery] photo-express.php:174
[pe2-image] photo-express.php:175
[peg-gallery] photo-express.php:177
[peg-image] photo-express.php:178
[clear] photo-express.php:180
WordPress Hooks 24
actionadmin_print_stylesclass-photo-browser.php:289
actionadmin_enqueue_scriptsclass-photo-browser.php:290
actionwp_footerclass-photo-renderer.php:1242
actionwp_footerclass-photo-renderer.php:1278
actionadmin_initclass-settings.php:62
actionadmin_print_styles-settings_page_photo-expressclass-settings.php:63
actionupdate_option_peg_general_settingsclass-simple-cache.php:25
actionsave_postclass-simple-cache.php:27
actionplugins_loadedphoto-express.php:115
actionmedia_buttonsphoto-express.php:129
actionmedia_upload_picasaphoto-express.php:132
actionadmin_initphoto-express.php:145
actionadmin_initphoto-express.php:146
actioninitphoto-express.php:149
actionadmin_menuphoto-express.php:157
filtercontextual_helpphoto-express.php:158
actionwpmu_new_blogphoto-express.php:164
actionwp_footerphoto-express.php:186
actioninitphoto-express.php:190
actioninitphoto-express.php:196
actioninitphoto-express.php:202
actioninitphoto-express.php:213
actionwp_footerphoto-express.php:222
filterthe_contentphoto-express.php:236
Maintenance & Trust

Photo Express for Google Maintenance & Trust

Maintenance Signals

WordPress version tested4.2.39
Last updatedAug 30, 2015
PHP min version
Downloads22K

Community Trust

Rating88/100
Number of ratings20
Active installs70
Developer Profile

Photo Express for Google Developer Profile

thhake

1 plugin · 70 total installs

69
trust score
Avg Security Score
64/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Photo Express for Google

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/photo-express-for-google/photo-express.css/wp-content/plugins/photo-express-for-google/peg-admin.css/wp-content/plugins/photo-express-for-google/peg-gallery.css/wp-content/plugins/photo-express-for-google/peg-scripts.js/wp-content/plugins/photo-express-for-google/peg-styles.js
Script Paths
/wp-content/plugins/photo-express-for-google/peg-scripts.js
Version Parameters
photo-express-for-google/photo-express.css?ver=photo-express-for-google/peg-admin.css?ver=photo-express-for-google/peg-gallery.css?ver=photo-express-for-google/peg-scripts.js?ver=photo-express-for-google/peg-styles.js?ver=

HTML / DOM Fingerprints

CSS Classes
peg-browser-containerpeg-gallery-mainpeg-login-button
HTML Comments
<!-- Picasa Express 2.0 --><!-- PEG Gallery --><!-- PEG Image -->
Data Attributes
data-peg-gallery-iddata-peg-image-id
JS Globals
photoExpress
REST Endpoints
/wp-json/photo-express-for-google/v1/get-galleries/wp-json/photo-express-for-google/v1/get-images
Shortcode Output
[peg-gallery][peg-image][pe2-gallery][pe2-image]
FAQ

Frequently Asked Questions about Photo Express for Google