Portfolio and Projects Security & Risk Analysis

wordpress.org/plugins/portfolio-and-projects

Display Portfolio OR Projects in a grid view. Also works with the Gutenberg shortcode block.

1K active installs · v1.5.6 · PHP + · WP 4.0+ · Updated Feb 20, 2026
Tags: portfolio, portfolio-listing, project-grid, project-portfolio, responsive-portfolio
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Dec 5, 2025

Safety Verdict

Is Portfolio and Projects Safe to Use in 2026?

Generally Safe

Score 98/100

Portfolio and Projects has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Dec 5, 2025 · Updated 1mo ago

Risk Assessment

The "portfolio-and-projects" plugin version 1.5.6 exhibits a mixed security posture. On the positive side, it follows secure coding practices: it uses prepared statements for all SQL queries, escapes most output (91%), and performs a good number of nonce and capability checks (8 and 9 respectively). The static analysis also found a minimal attack surface with no apparent unprotected entry points.

However, the presence of the dangerous `unserialize` function is a significant concern, because it can lead to Remote Code Execution (RCE) if it is fed malicious serialized data. Taint analysis reported zero flows, but that does not negate the inherent risk of `unserialize` if user-controlled data is ever passed to it without proper sanitization.

The plugin's vulnerability history includes two past medium-severity CVEs, related to exposure of sensitive information and missing authorization, which may indicate a pattern of oversight in authorization or data handling. There are currently no unpatched vulnerabilities, which is a positive indicator, but the past issues, combined with the `unserialize` call, warrant careful consideration.

Key Concerns

  • Presence of dangerous unserialize function
  • Past medium severity vulnerabilities (x2)

Vulnerabilities: 2

Portfolio and Projects Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-67470 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Portfolio and Projects <= 1.5.5 - Authenticated (Contributor+) Information Exposure

Dec 5, 2025 · Patched in 1.5.6 (7d)

CVE-2023-39995 · medium · 4.3 · Missing Authorization

Portfolio and Projects <= 1.3.7 - Cross-Site Request Forgery via 'wpos_anylc_admin_init_process'

Aug 11, 2023 · Patched in 1.3.8 (165d)

Code Analysis
Analyzed Mar 16, 2026

Portfolio and Projects Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 21 (221 escaped)
Nonce Checks: 8
Capability Checks: 9
File Operations: 3
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize · `$info = @unserialize($data);` · wpos-analytics\includes\class-anylc-admin.php:696

Output Escaping

91% escaped · 242 total outputs

Attack Surface

Portfolio and Projects Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers 2

auth · wp_ajax_wp_pap_get_attachment_edit_form · includes\admin\class-wp-pap-admin.php:41
auth · wp_ajax_wp_pap_save_attachment_data · includes\admin\class-wp-pap-admin.php:44

Shortcodes 1

[pap_portfolio] includes\shortcode\wp-pap-gallery-slider.php:152

WordPress Hooks 29

action · admin_init · includes\admin\class-wp-pap-admin.php:20
action · admin_menu · includes\admin\class-wp-pap-admin.php:23
action · add_meta_boxes · includes\admin\class-wp-pap-admin.php:26
action · admin_footer · includes\admin\class-wp-pap-admin.php:38
action · wp_enqueue_scripts · includes\class-wp-pap-script.php:20
action · admin_enqueue_scripts · includes\class-wp-pap-script.php:23
action · init · includes\wp-pap-post-types.php:59
action · init · includes\wp-pap-post-types.php:101
filter · post_updated_messages · includes\wp-pap-post-types.php:131
action · plugins_loaded · portfolio-and-projects.php:86
action · update_option_active_plugins · portfolio-and-projects.php:123
action · admin_notices · portfolio-and-projects.php:183
action · admin_menu · wpos-analytics\includes\class-anylc-admin.php:45
action · admin_menu · wpos-analytics\includes\class-anylc-admin.php:48
action · admin_init · wpos-analytics\includes\class-anylc-admin.php:51
action · admin_notices · wpos-analytics\includes\class-anylc-admin.php:54
action · admin_footer · wpos-analytics\includes\class-anylc-admin.php:57
action · wp_loaded · wpos-analytics\includes\class-anylc-admin.php:60
action · init · wpos-analytics\includes\class-anylc-admin.php:63
filter · cron_schedules · wpos-analytics\includes\class-anylc-admin.php:66
action · wpos_monthly_cron_hook · wpos-analytics\includes\class-anylc-admin.php:69
action · rest_api_init · wpos-analytics\includes\class-anylc-admin.php:72
filter · rest_pre_serve_request · wpos-analytics\includes\class-anylc-admin.php:585
action · admin_enqueue_scripts · wpos-analytics\includes\class-anylc-script.php:20
action · activated_plugin · wpos-analytics\wpos-analytics.php:244
action · plugins_loaded · wpos-analytics\wpos-analytics.php:258
action · admin_menu · wpos-plugins\includes\admin\class-espbw-admin.php:19
action · admin_enqueue_scripts · wpos-plugins\includes\class-espbw-script.php:19
action · plugins_loaded · wpos-plugins\wpos-recommendation.php:185

Scheduled Events 1

wpos_monthly_cron_hook
Maintenance & Trust

Portfolio and Projects Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 20, 2026
PHP min version
Downloads: 78K

Community Trust

Rating: 94/100
Number of ratings: 11
Active installs: 1K

Developer Profile

Portfolio and Projects Developer Profile

Essential Plugin

33 plugins · 205K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 219 days
Detection Fingerprints

How We Detect Portfolio and Projects

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/portfolio-and-projects/assets/css/wp-pap-public.css
  • /wp-content/plugins/portfolio-and-projects/assets/css/slick.css
  • /wp-content/plugins/portfolio-and-projects/assets/js/slick.min.js
  • /wp-content/plugins/portfolio-and-projects/assets/js/wp-pap-public.js
  • /wp-content/plugins/portfolio-and-projects/assets/css/owl.carousel.min.css
  • /wp-content/plugins/portfolio-and-projects/assets/js/owl.carousel.min.js
  • /wp-content/plugins/portfolio-and-projects/assets/css/magnific-popup.css
  • /wp-content/plugins/portfolio-and-projects/assets/js/magnific-popup.min.js
  • +1 more

Script Paths

  • /wp-content/plugins/portfolio-and-projects/assets/js/slick.min.js
  • /wp-content/plugins/portfolio-and-projects/assets/js/owl.carousel.min.js
  • /wp-content/plugins/portfolio-and-projects/assets/js/magnific-popup.min.js
  • /wp-content/plugins/portfolio-and-projects/assets/js/wp-pap-public.js
  • /wp-content/plugins/portfolio-and-projects/assets/js/wp-pap-public-script.js

Version Parameters

  • portfolio-and-projects/assets/css/slick.css?ver=
  • portfolio-and-projects/assets/css/wp-pap-public.css?ver=
  • portfolio-and-projects/assets/js/slick.min.js?ver=
  • portfolio-and-projects/assets/js/owl.carousel.min.js?ver=
  • portfolio-and-projects/assets/css/owl.carousel.min.css?ver=
  • portfolio-and-projects/assets/css/magnific-popup.css?ver=
  • portfolio-and-projects/assets/js/magnific-popup.min.js?ver=
  • portfolio-and-projects/assets/js/wp-pap-public.js?ver=
  • portfolio-and-projects/assets/js/wp-pap-public-script.js?ver=

HTML / DOM Fingerprints

CSS Classes: wp-pap-portfolio, wp-pap-gallery, wp-pap-slider-wrap, wp-pap-content
Data Attributes: data-popup-title-link
JS Globals: wp_pap_data
Shortcode Output: [portfolio_slider], [portfolio_grid], [projects_slider], [projects_grid]

FAQ

Frequently Asked Questions about Portfolio and Projects