PiwigoPress Security & Risk Analysis

wordpress.org/plugins/piwigopress

From any open API Piwigo gallery, swiftly include your photos in Posts/Pages and/or add randomized thumbnails and menus in your sidebar.

200 active installs · v2.33 · PHP + WP 2.8.4+ · Updated Oct 21, 2024
Tags: galleries, gallery, pictures, randomize, shortcode
Score: 71 (B · Generally Safe)
CVEs total: 1 · Unpatched: 1 · Last CVE: Feb 24, 2025
Safety Verdict

Is PiwigoPress Safe to Use in 2026?

Mostly Safe

Score 71/100

PiwigoPress scores as generally safe on this card, with two caveats that matter in practice: it has not been updated since Oct 21, 2024, and its one known CVE (a stored XSS reported Feb 24, 2025, after that last release) is listed as unpatched, so there is currently no newer version to update to that fixes it. Treat the Contributor-level stored XSS as live on any site where untrusted users can author posts.

1 known CVE · 1 unpatched · Last CVE: Feb 24, 2025 · Plugin updated 1yr ago
Risk Assessment

PiwigoPress v2.33 has a small attack surface (three entry points, two of them AJAX handlers) and does carry five capability checks, but the static-analysis findings point the other way: all eight tracked data flows reach their sinks without sanitization, the plugin's single SQL query is built without a prepared statement, and only 10 of 58 outputs are escaped. Missing output escaping is exactly the weakness class behind its one CVE, a stored cross-site scripting bug.

The vulnerability history is short but not reassuring. CVE-2025-26896 (medium, CVSS 6.4) was published on Feb 24, 2025, after the last release on Oct 21, 2024, and is still listed as unpatched. The five `unserialize` calls are the more serious static finding: four of them deserialize `$response['body']`, the body of an HTTP response from the configured Piwigo gallery. PHP's unserialize() instantiates whatever classes the serialized data names, so a malicious or intercepted gallery response can become a PHP object injection, with remote code execution if a suitable gadget class is loaded on the site. The admin-side `extract( unserialize($previous_options) )` additionally lets keys in the deserialized data overwrite local variables. Neither AJAX handler checks a nonce, so any logged-in user can call them directly and a cross-site request can drive them through a logged-in victim's browser.

In sum, the basic guards are present (capability checks, one nonce), but the unprotected AJAX entry points, unsanitized flows, raw SQL, deserialization of remote data and the open CVE leave the plugin at moderate to high risk, and because no release has shipped since the CVE was published, none of this has been addressed in a version users can install.

Key Concerns

  • Unpatched CVE
  • High severity taint flows
  • Unprotected AJAX handlers
  • Raw SQL queries without prepared statements
  • Low output escaping percentage
  • Dangerous function 'unserialize' used
  • Missing nonce checks on AJAX
Vulnerabilities
1

PiwigoPress Security Vulnerabilities

CVEs by Year

2025: 1 CVE (unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2025-26896 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PiwigoPress <= 2.33 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 24, 2025 · Unpatched
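The pattern behind a Contributor-level stored XSS in a shortcode plugin, shown as an added illustration (this is not PiwigoPress code, and the shortcode attributes `id`, `url` and `name` are assumptions chosen to mirror the `data-pwgp-*` attributes the plugin emits). Contributors lack the `unfiltered_html` capability, but KSES only strips `<...>` constructs from saved post content; a payload inside `[PiwigoPress id='...']` contains no tag, so it survives to render time, where the shortcode handler turns it into live markup on every page view.

```php
<?php
// Added illustration of the weakness class behind CVE-2025-26896 (stored XSS via
// shortcode attributes a Contributor can save in a post). Not PiwigoPress code;
// the attribute names id/url/name are assumptions.

// Vulnerable pattern: attribute values are concatenated straight into HTML.
function pwgp_example_shortcode_vulnerable( $atts ) {
    $a = shortcode_atts( array( 'id' => '', 'url' => '', 'name' => '' ), $atts );
    return '<div class="PWGP_shortcode" data-pwgp-id="' . $a['id'] . '">'
         . '<a href="' . $a['url'] . '">'
         . '<div class="PWGP_name">' . $a['name'] . '</div></a></div>';
}
// A Contributor saving  [PiwigoPress id='" onmouseover="alert(1)" x="']  gets
//   <div class="PWGP_shortcode" data-pwgp-id="" onmouseover="alert(1)" x="">
// rendered for every visitor, and KSES never saw a tag to strip.

// Hardened pattern: each value is escaped for the context it lands in, and the
// numeric attribute is coerced so it can never carry markup at all.
function pwgp_example_shortcode_hardened( $atts ) {
    $a = shortcode_atts( array( 'id' => 0, 'url' => '', 'name' => '' ), $atts );
    $id   = absint( $a['id'] );     // integer only
    $url  = esc_url( $a['url'] );   // drops javascript: and other disallowed schemes, escapes quotes
    $name = esc_html( $a['name'] ); // text node: entity-encode < > & " '
    return sprintf(
        '<div class="PWGP_shortcode" data-pwgp-id="%d"><a href="%s"><div class="PWGP_name">%s</div></a></div>',
        $id, $url, $name
    );
}

add_shortcode( 'PiwigoPress', 'pwgp_example_shortcode_hardened' );
```

The rule of thumb when reviewing the 48 unescaped outputs: pick the escaper by destination (`esc_attr` inside an attribute, `esc_url` in `href`/`src`, `esc_html` in a text node, `wp_kses_post` only where HTML is genuinely intended), and apply it at the echo, not at save time, since the data can reach the template by more than one route.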
Code Analysis
Analyzed Mar 16, 2026

PiwigoPress Code Analysis

Dangerous Functions: 5
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 48 (10 escaped)
Nonce Checks: 1
Capability Checks: 5
File Operations: 0
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$thumbc = unserialize($response['body']);` · piwigopress.php:121
  • unserialize · `extract( unserialize($previous_options) );` · piwigopress_admin.php:42
  • unserialize · `$thumbc = unserialize($response['body']);` · piwigopress_thumbnails_reloader.php:38
  • unserialize · `$thumbc = unserialize($response['body']);` · PiwigoPress_widget.php:68
  • unserialize · `$cats = unserialize($response['body']);` · PiwigoPress_widget.php:144
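Why `unserialize($response['body'])` is the finding to fix first, and two ways to close it, as an added example that is not PiwigoPress code. The gadget class is hypothetical (real gadgets are whatever classes with magic methods other loaded plugins happen to provide), the response body is constructed, and the `format=json` request parameter is an assumption about the gallery API.

```php
<?php
// Added example (not PiwigoPress code): PHP object injection through an HTTP
// response body, and two hardenings. Example_Gadget is hypothetical.

class Example_Gadget {
    public $log_file = '';
    public $content  = '';
    public function __destruct() {
        // A gadget like this turns deserialization into an arbitrary file write.
        file_put_contents( $this->log_file, $this->content );
    }
}

// Constructed "response body": what a malicious or MITM-substituted gallery could
// return instead of the expected serialized array of thumbnails.
$malicious_body = 'O:14:"Example_Gadget":2:{s:8:"log_file";s:20:"/tmp/pwgp_poc_output";s:7:"content";s:5:"owned";}';

// Vulnerable (same shape as piwigopress.php:121): classes named in the data are
// instantiated, so Example_Gadget::__destruct runs as soon as the value is freed.
function pwgp_example_parse_vulnerable( $body ) {
    return unserialize( $body );
}

// Hardening 1: refuse object instantiation. Any object in the stream becomes
// __PHP_Incomplete_Class, no magic method fires, and arrays/scalars still work.
function pwgp_example_parse_safer( $body ) {
    $data = unserialize( $body, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : array();
}

// Hardening 2 (preferred): keep PHP serialization off the wire entirely.
// Assumes the gallery API can answer in JSON (format=json); json_decode never
// instantiates classes, and wp_remote_get gives a timeout and error handling.
function pwgp_example_fetch_json( $api_url ) {
    $response = wp_remote_get( add_query_arg( 'format', 'json', $api_url ), array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return array();
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    return is_array( $data ) ? $data : array();
}

var_dump( pwgp_example_parse_safer( $malicious_body ) );   // array(0) {} : the gadget was never constructed
```

The admin-side `extract( unserialize($previous_options) )` deserves the same treatment plus one more: `extract()` imports every key as a local variable, so even with `allowed_classes => false` a crafted options blob can shadow variables in that scope. Read the keys you need out of the array explicitly instead of extracting.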

SQL Query Safety

0% prepared (0 of 1 query)

Output Escaping

17% escaped (10 of 58 outputs)
Data Flows
8 unsanitized

Data Flow Analysis

8 flows, 8 with unsanitized paths
PiwigoPress_ajax_categories (piwigopress.php:291): user input reaches a dangerous sink with no sanitizer or transform on the path
Attack Surface
2 unprotected

PiwigoPress Attack Surface

Entry Points: 3 · Unprotected: 2

AJAX Handlers (2)

  • wp_ajax_pwgp-categories (auth: reachable by any logged-in user) · piwigopress.php:314
  • wp_ajax_pwgp-thumbnails (auth: reachable by any logged-in user) · piwigopress.php:321
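What an AJAX handler registered on `wp_ajax_pwgp-categories` should look like once the missing nonce check, capability check and prepared statement are in place, as an added example rather than the plugin's code. The `wp_ajax_` prefix only guarantees the caller is logged in; the script handle `pwgp-admin`, the request parameters `gallery` and `q`, and the table `{prefix}pwgp_categories` are assumptions.

```php
<?php
// Added example (not PiwigoPress code) of a hardened wp_ajax_ handler covering
// the three findings on this page: no nonce, no capability gate, raw SQL.
// Script handle, request parameters and table name are hypothetical.

// Enqueue-time: hand the nonce to the admin script so it can send it back.
function pwgp_example_localize() {
    wp_localize_script( 'pwgp-admin', 'pwgpAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'pwgp_admin_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'pwgp_example_localize' );

function pwgp_example_ajax_categories() {
    // 1. CSRF: dies with -1 unless the request carries a valid nonce for this action.
    check_ajax_referer( 'pwgp_admin_action', 'nonce' );

    // 2. Authorization: "logged in" is not a role. Demand a real capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input: coerce to the type you expect before it reaches any sink.
    $gallery_id = isset( $_POST['gallery'] ) ? absint( $_POST['gallery'] ) : 0;
    $search     = isset( $_POST['q'] ) ? sanitize_text_field( wp_unslash( $_POST['q'] ) ) : '';

    // 4. SQL: placeholders, never concatenation. esc_like() keeps a user-supplied
    //    '%' or '_' from widening the LIKE; prepare() then quotes the whole value.
    global $wpdb;
    $table = $wpdb->prefix . 'pwgp_categories';   // hypothetical table
    $rows  = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE gallery_id = %d AND name LIKE %s LIMIT 50",
        $gallery_id,
        '%' . $wpdb->esc_like( $search ) . '%'
    ), ARRAY_A );

    // 5. Output: return JSON and let the client build DOM; never echo HTML
    //    assembled from the rows (that would recreate the escaping problem).
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_pwgp-categories', 'pwgp_example_ajax_categories' );
```

To confirm the fix from the outside, replay one of the handler's requests from a second browser session as a Subscriber, once with the nonce stripped and once with a Subscriber's own nonce: the first must return -1, the second a 403.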

Shortcodes (1)

  • [PiwigoPress] · piwigopress.php:35

WordPress Hooks (10)

  • action widgets_init · piwigopress.php:254
  • action wp_head · piwigopress.php:269
  • action wp_footer · piwigopress.php:288
  • action admin_head · piwigopress.php:326
  • action init · piwigopress.php:328
  • filter plugin_row_meta · piwigopress.php:346
  • filter media_buttons_context · piwigopress_admin.php:10
  • action in_admin_header · piwigopress_admin.php:11
  • action in_admin_footer · piwigopress_admin.php:12
  • action save_post · piwigopress_admin.php:14
Maintenance & Trust

PiwigoPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Oct 21, 2024
PHP min version: (none listed)
Downloads: 18K

Community Trust

Rating: 66/100
Number of ratings: 7
Active installs: 200
Developer Profile

PiwigoPress Developer Profile

vpiwigo

1 plugin · 200 total installs

Trust score: 74
Avg Security Score: 71/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect PiwigoPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/piwigopress/css/piwigopress-style.css
  • /wp-content/plugins/piwigopress/css/piwigopress-widget.css

HTML / DOM Fingerprints

CSS Classes
  PWGP_shortcode, PWGP_photo, PWGP_caption, PWGP_name, PWGP_desc, PiwigoPress_photoblog, PiwigoPress
HTML Comments
  <!-- PiwigoPress 'id' attribute in error -->, <!-- DEBUG-->, <!-- PiwigoPress Started -->, +1 more
Data Attributes
  data-pwgp-id, data-pwgp-size, data-pwgp-url, data-pwgp-lnktype, data-pwgp-opntype, data-pwgp-name, +3 more
JS Globals
  PiwigoPress
Shortcode Output
  <div class="PWGP_shortcode  ·  <img class="PWGP_photo"  ·  <blockquote class="PWGP_caption">  ·  <div class="PWGP_name">
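A minimal detector that applies the fingerprints above to a page's HTML, added here as an example of how such patterns are used; it is not the audit tool's own code, the sample page is constructed, and the generic `<!-- DEBUG-->` comment is deliberately left out because it is not specific to this plugin.

```php
<?php
// Added example (not the audit tool's code): match the PiwigoPress fingerprints
// listed on this page against raw HTML and report which families hit.
function pwgp_detect( $html ) {
    $patterns = array(
        'asset_css'    => '#/wp-content/plugins/piwigopress/css/piwigopress-(?:style|widget)\.css#',
        'css_class'    => '#class="[^"]*\b(?:PWGP_shortcode|PWGP_photo|PWGP_caption|PWGP_name|PWGP_desc|PiwigoPress_photoblog)\b#',
        'html_comment' => '#<!-- PiwigoPress (?:Started|\'id\' attribute in error) -->#',
        'data_attr'    => '#\bdata-pwgp-(?:id|size|url|lnktype|opntype|name)=#',
    );
    $hits = array();
    foreach ( $patterns as $label => $re ) {
        if ( preg_match( $re, $html ) ) {
            $hits[] = $label;
        }
    }
    return $hits;   // empty array means "not detected"; two or more families is a confident hit
}

// Constructed sample page carrying four of the fingerprint families.
$sample = <<<'HTML'
<html><head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/piwigopress/css/piwigopress-style.css">
</head><body>
<!-- PiwigoPress Started -->
<div class="PWGP_shortcode"><img class="PWGP_photo" data-pwgp-id="12" data-pwgp-size="medium" src="..."></div>
</body></html>
HTML;

print_r( pwgp_detect( $sample ) );   // asset_css, css_class, html_comment, data_attr
```

The asset path is the most stable signal because it is emitted whether or not a gallery shortcode appears on the page; the DOM fingerprints only show up where the shortcode or widget actually rendered, so a crawler should fetch the front page and at least one post before concluding the plugin is absent.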
FAQ

Frequently Asked Questions about PiwigoPress