picu – Online Photo Proofing Gallery Security & Risk Analysis

wordpress.org/plugins/picu

Photo proofing for professional photographers: Send a collection of photographs to your clients for approval.

2K active installs · v3.5.0 · PHP 7.4+ · WP 6.0+ · Updated Apr 1, 2026
Tags: client, gallery, photographer, photography, proofing
Security score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Dec 22, 2024
Safety Verdict

Is picu – Online Photo Proofing Gallery Safe to Use in 2026?

Generally Safe

Score 99/100

picu – Online Photo Proofing Gallery has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Dec 22, 2024 · Updated 1mo ago
Risk Assessment

The picu plugin version 3.4.0 exhibits a mixed security posture. While it demonstrates good practices in several areas, such as the absence of dangerous functions and a relatively low number of critical taint flows, significant concerns remain. The presence of two AJAX handlers without authentication checks presents a direct attack vector, potentially allowing unauthorized users to trigger plugin functionality. Furthermore, the plugin's single SQL query does not use a prepared statement, which is a major red flag for SQL injection vulnerabilities, especially given the potential for unsanitized data to reach this query.

The vulnerability history, though currently clear of unpatched issues, shows a past medium-severity vulnerability attributed to missing authorization. This pattern, combined with the current lack of authorization checks on AJAX handlers, suggests a recurring issue with properly securing entry points. While the plugin has a substantial number of outputs and file operations, a majority of outputs are properly escaped, which is a positive sign. However, the identified risks related to unprotected entry points and raw SQL queries are substantial and require immediate attention.

Key Concerns

  • AJAX handlers without auth checks
  • SQL queries not using prepared statements
  • Past medium vulnerability (missing authorization)
Vulnerabilities
1 published

picu – Online Photo Proofing Gallery Security Vulnerabilities

CVEs by Year

1 CVE in 2024

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-24590 · medium (5.3) · Missing Authorization

picu – Online Photo Proofing Gallery <= 2.4.0 - Missing Authorization

Dec 22, 2024 · Patched in 2.4.1 (60d)
Version History

picu – Online Photo Proofing Gallery Release Timeline

v3.5.0 (current)
v3.4.0
v3.3.1
v3.3.0
v3.2.0
v3.1.0
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.5.5
v2.5.4
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.1
v2.4.0 (1 CVE)
v2.3.8 (1 CVE)
Code Analysis
Analyzed Mar 16, 2026

picu – Online Photo Proofing Gallery Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 251 (179 escaped)
Nonce Checks: 14
Capability Checks: 11
File Operations: 7
External Requests: 2
Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

0% prepared (1 total query)

Output Escaping

42% escaped (430 total outputs)
Data Flows · Security
3 unsanitized

Data Flow Analysis

8 flows · 3 with unsanitized paths

picu_trigger_proof_file_download (picu.php:485)
Attack Surface
2 unprotected

picu – Online Photo Proofing Gallery Attack Surface

Entry Points: 8
Unprotected: 2

AJAX Handlers 5

auth · wp_ajax_picu_save_pro_box_state · backend\includes\picu-ajax.php:33
auth · wp_ajax_picu_save_telemetry_nag_state · backend\includes\picu-ajax.php:56
auth · wp_ajax_picu_save_bf_banner_state · backend\includes\picu-pro.php:264
auth · wp_ajax_picu_send_selection · frontend\includes\save-collection.php:135
nopriv · wp_ajax_picu_send_selection · frontend\includes\save-collection.php:136

REST API Routes 2

GET /wp-json/picu/v1/emails · blocks\picu-blocks.php:60
GET /wp-json/picu/v1/collections · blocks\picu-blocks.php:149

Shortcodes 1

[picu_list_collections] · frontend\includes\picu-template-functions.php:864
WordPress Hooks 140

filter · autoptimize_filter_noptimize · backend\includes\compatibility\plugin-autoptimize.php:24
filter · jetpack_photon_skip_image · backend\includes\compatibility\plugin-jetpack.php:17
action · wp · backend\includes\compatibility\plugin-jetpack.php:20
filter · jetpack_photon_skip_for_url · backend\includes\compatibility\plugin-jetpack.php:39
filter · mla_gallery_the_attachments · backend\includes\compatibility\plugin-media-library-assistant.php:28
filter · run_ngg_resource_manager · backend\includes\compatibility\plugin-nextgen-gallery.php:21
filter · rank_math/excluded_post_types · backend\includes\compatibility\plugin-rankmath-seo.php:23
action · admin_head · backend\includes\compatibility\plugin-rankmath-seo.php:38
filter · RML/Active · backend\includes\compatibility\plugin-real-media-library.php:26
filter · the_seo_framework_sitemap_exclude_cpt · backend\includes\compatibility\plugin-seo-framework.php:18
filter · the_seo_framework_seobox_output · backend\includes\compatibility\plugin-seo-framework.php:30
action · current_screen · backend\includes\compatibility\plugin-seo-framework.php:33
filter · sgo_javascript_combine_exclude_ids · backend\includes\compatibility\plugin-sg-cachepress.php:28
filter · wpseo_sitemap_exclude_post_type · backend\includes\compatibility\plugin-wordpress-seo.php:23
filter · wpseo_sitemap_url · backend\includes\compatibility\plugin-wordpress-seo.php:40
filter · wpseo_accessible_post_types · backend\includes\compatibility\plugin-wordpress-seo.php:50
filter · wpseo_indexable_excluded_post_types · backend\includes\compatibility\plugin-wordpress-seo.php:68
filter · picu_mail_subject · backend\includes\deprecated.php:19
filter · picu_email_from · backend\includes\deprecated.php:39
action · admin_notices · backend\includes\deprecated.php:60
action · init · backend\includes\deprecated.php:69
filter · wp_mail · backend\includes\emails\class-picu-emails.php:547
action · wp_mail_failed · backend\includes\emails\class-picu-emails.php:609
action · save_post_picu_collection · backend\includes\emails\picu-emails.php:93
action · picu_collection_has_expired · backend\includes\emails\picu-emails.php:492
action · picu_send_selection_reminder · backend\includes\emails\picu-emails.php:549
filter · option_page_capability_picu_addon_licenses · backend\includes\picu-addons-page.php:182
filter · redirect_post_location · backend\includes\picu-admin-notices.php:51
action · save_post_picu_collection · backend\includes\picu-admin-notices.php:139
filter · redirect_post_location · backend\includes\picu-admin-notices.php:150
action · save_post_picu_collection · backend\includes\picu-admin-notices.php:155
action · admin_notices · backend\includes\picu-admin-notices.php:201
filter · bulk_post_updated_messages · backend\includes\picu-admin-notices.php:221
filter · post_updated_messages · backend\includes\picu-admin-notices.php:256
action · init · backend\includes\picu-cpt-collection.php:86
action · admin_init · backend\includes\picu-cpt-collection.php:104
action · init · backend\includes\picu-cpt-collection.php:175
filter · wp_untrash_post_status · backend\includes\picu-cpt-collection.php:195
filter · wp_insert_post_data · backend\includes\picu-cpt-collection.php:223
filter · manage_picu_collection_posts_columns · backend\includes\picu-cpt-collection.php:280
action · manage_picu_collection_posts_custom_column · backend\includes\picu-cpt-collection.php:431
filter · protected_title_format · backend\includes\picu-cpt-collection.php:452
filter · wp_sitemaps_post_types · backend\includes\picu-cpt-collection.php:462
filter · manage_edit-picu_collection_sortable_columns · backend\includes\picu-cpt-collection.php:481
filter · manage_edit-picu_collection_sortable_columns · backend\includes\picu-cpt-collection.php:497
filter · pre_get_posts · backend\includes\picu-cpt-collection.php:527
filter · post_row_actions · backend\includes\picu-cpt-collection.php:555
filter · views_edit-picu_collection · backend\includes\picu-cpt-collection.php:589
action · parse_query · backend\includes\picu-cpt-collection.php:616
filter · display_post_states · backend\includes\picu-cpt-collection.php:638
action · add_meta_boxes · backend\includes\picu-edit-collection.php:37
action · edit_form_after_title · backend\includes\picu-edit-collection.php:483
action · picu_recipient_actions · backend\includes\picu-edit-collection.php:1257
action · picu_recipient_actions · backend\includes\picu-edit-collection.php:1277
action · save_post_picu_collection · backend\includes\picu-edit-collection.php:1424
action · save_post_picu_collection · backend\includes\picu-edit-collection.php:1490
action · admin_notices · backend\includes\picu-edit-collection.php:1506
action · init · backend\includes\picu-edit-collection.php:1517
action · wp_loaded · backend\includes\picu-edit-collection.php:1615
action · wp_loaded · backend\includes\picu-edit-collection.php:1667
action · init · backend\includes\picu-edit-collection.php:1731
action · init · backend\includes\picu-edit-collection.php:1778
action · admin_menu · backend\includes\picu-edit-collection.php:1792
action · admin_head · backend\includes\picu-edit-collection.php:1816
filter · intermediate_image_sizes_advanced · backend\includes\picu-edit-collection.php:1928
filter · big_image_size_threshold · backend\includes\picu-edit-collection.php:1931
action · admin_notices · backend\includes\picu-edit-collection.php:2004
filter · post_row_actions · backend\includes\picu-edit-collection.php:2032
action · wp_loaded · backend\includes\picu-edit-collection.php:2073
filter · gutenberg_can_edit_post_type · backend\includes\picu-edit-collection.php:2091
filter · use_block_editor_for_post_type · backend\includes\picu-edit-collection.php:2092
action · save_post_picu_collection · backend\includes\picu-edit-collection.php:2202
filter · default_hidden_meta_boxes · backend\includes\picu-edit-collection.php:2256
filter · admin_body_class · backend\includes\picu-helper.php:31
filter · option_picu_theme · backend\includes\picu-helper.php:61
action · save_post_picu_collection · backend\includes\picu-helper.php:90
action · save_post_picu_collection · backend\includes\picu-helper.php:91
action · save_post_picu_collection · backend\includes\picu-helper.php:181
action · picu_after_email_sent · backend\includes\picu-helper.php:1190
action · picu_collection_checker · backend\includes\picu-helper.php:1292
filter · cron_schedules · backend\includes\picu-helper.php:1311
action · picu_collection_has_expired · backend\includes\picu-helper.php:1381
action · picu_collection_has_closed · backend\includes\picu-helper.php:1382
action · picu_collection_checker · backend\includes\picu-helper.php:1389
action · pre_get_posts · backend\includes\picu-media.php:33
action · before_delete_post · backend\includes\picu-media.php:42
action · deleted_post · backend\includes\picu-media.php:81
action · pre_get_posts · backend\includes\picu-media.php:130
action · pre_get_posts · backend\includes\picu-media.php:173
filter · wp_count_attachments · backend\includes\picu-media.php:182
filter · months_dropdown_results · backend\includes\picu-media.php:239
filter · media_view_settings · backend\includes\picu-media.php:285
action · template_redirect · backend\includes\picu-media.php:302
filter · upload_dir · backend\includes\picu-media.php:361
filter · wp_handle_upload_prefilter · backend\includes\picu-media.php:365
filter · wp_handle_upload · backend\includes\picu-media.php:393
action · init · backend\includes\picu-media.php:419
filter · intermediate_image_sizes_advanced · backend\includes\picu-media.php:492
filter · wp_generate_attachment_metadata · backend\includes\picu-media.php:518
filter · big_image_size_threshold · backend\includes\picu-media.php:537
action · add_attachment · backend\includes\picu-media.php:561
filter · wp_prepare_attachment_for_js · backend\includes\picu-media.php:587
action · update_post_meta · backend\includes\picu-media.php:612
action · updated_post_meta · backend\includes\picu-media.php:663
filter · wp_image_editors · backend\includes\picu-media.php:703
action · picu_pre_settings · backend\includes\picu-pro.php:212
action · admin_notices · backend\includes\picu-pro.php:227
action · admin_head · backend\includes\picu-settings.php:65
action · admin_menu · backend\includes\picu-settings.php:92
action · admin_init · backend\includes\picu-settings.php:110
action · init · backend\includes\picu-settings.php:359
filter · debug_information · backend\includes\picu-site-health.php:61
action · picu_run_telemetry_transmit · backend\includes\picu-telemetry.php:101
action · picu_run_compile_telemetry_data · backend\includes\picu-telemetry.php:141
action · admin_notices · backend\includes\picu-telemetry.php:193
action · transition_post_status · backend\includes\picu-telemetry.php:598
action · admin_init · backend\includes\picu-welcome-screen.php:35
action · admin_menu · backend\includes\picu-welcome-screen.php:54
action · admin_head · backend\includes\picu-welcome-screen.php:116
action · init · blocks\picu-blocks.php:24
action · enqueue_block_editor_assets · blocks\picu-blocks.php:48
action · rest_api_init · blocks\picu-blocks.php:69
action · rest_api_init · blocks\picu-blocks.php:176
filter · template_include · frontend\includes\picu-template-functions.php:36
filter · template_include · frontend\includes\picu-template-functions.php:84
filter · picu_load_styles · frontend\includes\picu-template-functions.php:354
filter · the_password_form · frontend\includes\picu-template-functions.php:896
action · after_setup_theme · picu.php:115
action · init · picu.php:132
action · admin_enqueue_scripts · picu.php:241
action · init · picu.php:288
action · admin_notices · picu.php:303
action · init · picu.php:313
action · add_meta_boxes · picu.php:335
filter · picu_show_admin_bar · picu.php:376
action · wp · picu.php:421
filter · wp · picu.php:477
action · init · picu.php:492
action · wp_insert_post_data · picu.php:614
action · picu_collection_folders · picu.php:679

Scheduled Events 4

picu_collection_checker
picu_run_telemetry_transmit
picu_run_compile_telemetry_data
picu_collection_folders
Maintenance & Trust

picu – Online Photo Proofing Gallery Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 1, 2026
PHP min version: 7.4
Downloads: 118K

Community Trust

Rating: 94/100
Number of ratings: 55
Active installs: 2K
Developer Profile

picu – Online Photo Proofing Gallery Developer Profile

picu

2 plugins · 2K total installs

Trust score: 88
Avg Security Score: 100/100
Avg Patch Time: 60 days
Detection Fingerprints

How We Detect picu – Online Photo Proofing Gallery

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/picu/backend/css/picu-admin.css
/wp-content/plugins/picu/backend/js/picu-admin.min.js
Script Paths
/wp-content/plugins/picu/backend/js/picu-admin.min.js
Version Parameters
picu-admin.min.js?ver=
picu-admin.css?ver=

HTML / DOM Fingerprints

CSS Classes
picu-collection-wrap, picu-admin, picu_page_picu-
HTML Comments
<!-- Picu Pro -->
Data Attributes
data-picu
JS Globals
picu_admin
REST Endpoints
/wp-json/picu-telemetry/v1/
FAQ

Frequently Asked Questions about picu – Online Photo Proofing Gallery