Picture Gallery – Frontend Image Uploads, AJAX Photo List Security & Risk Analysis

wordpress.org/plugins/picture-gallery

Streamline photo sharing with AJAX-powered galleries, frontend uploads, and integrated monetization.

400 active installs · v1.6.4 · PHP 7.4+ · WP 5.1+ · Updated Sep 9, 2025
Tags: gallery, image, photo, picture, upload

Score: 97
Grade: A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Mar 12, 2025
Safety Verdict

Is Picture Gallery – Frontend Image Uploads, AJAX Photo List Safe to Use in 2026?

Generally Safe

Score 97/100

Picture Gallery – Frontend Image Uploads, AJAX Photo List has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Mar 12, 2025 · Updated 6mo ago
Risk Assessment

The 'picture-gallery' plugin v1.6.4 presents a mixed security posture. On the positive side, it demonstrates good practices: 100% of SQL queries use prepared statements and a high share (90%) of output is escaped. The absence of bundled libraries and the fact that none of its CVEs are currently unpatched are also strengths. However, there are notable areas for concern. The presence of 2 AJAX handlers without authentication checks creates a direct attack vector. Furthermore, taint analysis revealed 2 flows with unsanitized paths, including one of high severity, indicating potential for data manipulation or code execution if these paths are exploited. The plugin's history of 5 medium-severity CVEs, primarily Cross-site Scripting, suggests recurring input-sanitization problems in the past, even though none remain unpatched. This pattern, combined with the identified unsanitized paths, warrants caution. While the plugin has made strides in secure coding practices, the unprotected entry points and taint analysis findings are significant risks that need immediate attention to improve its overall security.

Key Concerns

  • Unprotected AJAX handlers
  • High severity unsanitized path flow
  • Unsanitized path flow (low severity)
  • Medium severity CVE history (5 total)
Vulnerabilities (5)

Picture Gallery – Frontend Image Uploads, AJAX Photo List Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2024: 1 CVE
2025: 3 CVEs

Severity Breakdown

Medium: 5 (5 total CVEs)

CVE-2025-26581 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Picture Gallery <= 1.6.3 - Unauthenticated Stored Cross-Site Scripting
Mar 12, 2025 · Patched in 1.6.4 (352d)

CVE-2024-13584 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Picture Gallery – Frontend Image Uploads, AJAX Photo List <= 1.5.19 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jan 21, 2025 · Patched in 1.5.20 (1d)

CVE-2024-12696 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Picture Gallery – Frontend Image Uploads, AJAX Photo List <= 1.5.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via videowhisper_picture_upload_guest Shortcode
Jan 17, 2025 · Patched in 1.5.23 (1d)

CVE-2024-34759 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Picture Gallery <= 1.5.11 - Authenticated (Author+) Stored Cross-Site Scripting
May 14, 2024 · Patched in 1.5.12 (7d)

WF-ea01e11e-31b5-4cd9-8fab-3693e47f705a-picture-gallery · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Picture Gallery – Frontend Image Uploads, AJAX Photo List < 1.4.3 - Cross-Site Scripting
Aug 10, 2021 · Patched in 1.4.3 (896d)
Code Analysis
Analyzed Mar 16, 2026

Picture Gallery – Frontend Image Uploads, AJAX Photo List Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (7 prepared)
Unescaped Output: 38 (346 escaped)
Nonce Checks: 6
Capability Checks: 8
File Operations: 21
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared (7 total queries)

Output Escaping

90% escaped (384 total outputs)

Data Flows: 2 unsanitized

Data Flow Analysis

10 flows, 2 with unsanitized paths
adminManage (inc\admin.php:1157)
Attack Surface: 2 unprotected

Picture Gallery – Frontend Image Uploads, AJAX Photo List Attack Surface

Entry Points: 12
Unprotected: 2

AJAX Handlers 4

auth · wp_ajax_vwpg_pictures · picture-gallery.php:246
nopriv · wp_ajax_vwpg_pictures · picture-gallery.php:247
auth · wp_ajax_vwpg_upload · picture-gallery.php:250
auth · wp_ajax_vwpg_upload · picture-gallery.php:1802

Shortcodes 8

[videowhisper_picture_upload_guest] picture-gallery.php:227
[videowhisper_pictures] picture-gallery.php:229
[videowhisper_picture] picture-gallery.php:230
[videowhisper_picture_preview] picture-gallery.php:231
[videowhisper_picture_upload] picture-gallery.php:233
[videowhisper_picture_import] picture-gallery.php:234
[videowhisper_postpictures] picture-gallery.php:236
[videowhisper_postpictures_process] picture-gallery.php:237
WordPress Hooks 15

action · admin_notices · inc\admin.php:244
action · admin_notices · inc\admin.php:248
action · admin_notices · inc\admin.php:688
action · admin_notices · inc\admin.php:692
action · wp_enqueue_scripts · picture-gallery.php:200
filter · the_content · picture-gallery.php:213
filter · the_content · picture-gallery.php:215
action · before_delete_post · picture-gallery.php:221
filter · the_content · picture-gallery.php:224
action · init · picture-gallery.php:1789
action · admin_menu · picture-gallery.php:1790
action · admin_bar_menu · picture-gallery.php:1791
action · plugins_loaded · picture-gallery.php:1793
filter · archive_template · picture-gallery.php:1796
filter · single_template · picture-gallery.php:1799
Maintenance & Trust

Picture Gallery – Frontend Image Uploads, AJAX Photo List Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Sep 9, 2025
PHP min version: 7.4
Downloads: 27K

Community Trust

Rating: 74/100
Number of ratings: 3
Active installs: 400
Developer Profile

Picture Gallery – Frontend Image Uploads, AJAX Photo List Developer Profile

videowhisper

12 plugins · 1K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 1072 days
Detection Fingerprints

How We Detect Picture Gallery – Frontend Image Uploads, AJAX Photo List

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/picture-gallery/css/picture-gallery.css
/wp-content/plugins/picture-gallery/js/picture-gallery-frontend.js
Script Paths
/wp-content/plugins/picture-gallery/js/picture-gallery-frontend.js
Version Parameters
picture-gallery/css/picture-gallery.css?ver=
picture-gallery/js/picture-gallery-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
picture-gallery, picture-gallery-thumbnails, picture-gallery-item, picture-gallery-thumb, picture-gallery-details
Data Attributes
data-gallery-id, data-picture-id, data-thumb-url
JS Globals
picture_gallery_vars
Shortcode Output
[picture-gallery], [picture-gallery-uploader]
FAQ

Frequently Asked Questions about Picture Gallery – Frontend Image Uploads, AJAX Photo List