PowerFolio – Portfolio & Image Gallery for Elementor Security & Risk Analysis

wordpress.org/plugins/portfolio-elementor

A powerful portfolio and gallery plugin for WP, Elementor and Gutenberg. Create portfolio and image galleries in seconds using any page builder!

10K active installs · v3.2.5 · PHP 7.4+ · WP 4.0+ · Updated Dec 3, 2025
Tags: elementor, gallery, image-gallery, portfolio, responsive-portfolio
Security score: 96 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Sep 22, 2025
Safety Verdict

Is PowerFolio – Portfolio & Image Gallery for Elementor Safe to Use in 2026?

Generally Safe

Score 96/100

PowerFolio – Portfolio & Image Gallery for Elementor has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Sep 22, 2025 · Updated 4mo ago
Risk Assessment

Version 3.2.5 of the 'portfolio-elementor' plugin shows a mixed security posture. On the positive side, it uses prepared statements for all SQL queries, escapes a high percentage of its output, and has no unpatched critical or high severity vulnerabilities. The absence of dangerous functions, file operations, and external HTTP requests is also reassuring. However, its attack surface and input validation raise significant concerns. Two entry points, an AJAX handler and a REST API route registered without a permission callback, are unprotected and create potential avenues for exploitation. Furthermore, none of the identified entry points perform nonce checks, which leaves the unprotected routes exposed to Cross-Site Request Forgery (CSRF). The plugin also bundles the Freemius v1.0 library, which could be outdated and introduce further risk if it is not maintained.

The vulnerability history shows a pattern of medium severity Cross-site Scripting (XSS), with four known CVEs in total. None is currently unpatched, but the recurrence of XSS points to a need for more robust input sanitization and output encoding, especially for user-supplied data that passes through the unprotected entry points. No taint analysis results are available, but the static analysis findings alone are sufficient to warrant caution. In conclusion, while the plugin handles data reasonably well, the unprotected entry points and missing nonce checks are critical security flaws that need immediate attention.

Key Concerns

  • Unprotected AJAX handler
  • Unprotected REST API route
  • No nonce checks on AJAX/REST
  • Bundled Freemius v1.0 library
  • Past medium severity XSS (4 CVEs)
Vulnerabilities (4)

PowerFolio – Portfolio & Image Gallery for Elementor Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE
  • 2025: 2 CVEs

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2025-57932 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PowerFolio <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 22, 2025 · Patched in 3.2.2 (23d)
CVE-2025-7046 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Portfolio for Elementor & Image Gallery | PowerFolio <= 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS

Jul 3, 2025 · Patched in 3.2.1 (1d)
CVE-2024-22150 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Grid, Image Gallery & Portfolio for Elementor | PowerFolio <= 3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode

Jan 16, 2024 · Patched in 3.1.1 (7d)
CVE-2022-4765 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Portfolio for Elementor <= 2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 3, 2023 · Patched in 2.3.1 (385d)
Code Analysis
Analyzed Mar 16, 2026

PowerFolio – Portfolio & Image Gallery for Elementor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 7 (79 escaped)
Nonce Checks: 0
Capability Checks: 5
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

Output Escaping

92% escaped · 86 total outputs
Attack Surface
2 unprotected

PowerFolio – Portfolio & Image Gallery for Elementor Attack Surface

Entry Points: 6
Unprotected: 2

AJAX Handlers 1

auth · wp_ajax_elpt_dismiss_notice · classes\Powerfolio_Feedback_Notice.php:14

REST API Routes 2

GET /wp-json/powerfolio/v1/get-post-types · classes\Powerfolio_Gutenberg.php:205
GET /wp-json/powerfolio/v1/get-portfolio-taxonomy-terms · classes\Powerfolio_Gutenberg.php:211

Shortcodes 3

[portfolio-carousel] classes\Powerfolio_Carousel.php:16
[powerfolio] classes\Powerfolio_Portfolio.php:1109
[elemenfolio] classes\Powerfolio_Portfolio.php:1110
WordPress Hooks 29

action · init · classes\Powerfolio_Carousel.php:162
action · admin_notices · classes\Powerfolio_Feedback_Notice.php:12
action · admin_print_scripts · classes\Powerfolio_Feedback_Notice.php:13
action · admin_print_footer_scripts · classes\Powerfolio_Feedback_Notice.php:62
action · init · classes\Powerfolio_Gutenberg.php:6
filter · register_block_type_args · classes\Powerfolio_Gutenberg.php:7
action · enqueue_block_editor_assets · classes\Powerfolio_Gutenberg.php:8
action · rest_api_init · classes\Powerfolio_Gutenberg.php:10
action · init · classes\Powerfolio_Portfolio.php:11
action · init · classes\Powerfolio_Portfolio.php:12
action · init · classes\Powerfolio_Portfolio.php:13
action · enqueue_block_editor_assets · classes\Powerfolio_Portfolio.php:14
action · init · classes\Powerfolio_Portfolio.php:17
action · init · classes\Powerfolio_Portfolio.php:1115
action · admin_enqueue_scripts · classes\Powerfolio_Shortcode_Generator.php:19
action · admin_head · classes\Powerfolio_Shortcode_Generator.php:20
filter · mce_external_plugins · classes\Powerfolio_Shortcode_Generator.php:94
filter · mce_buttons · classes\Powerfolio_Shortcode_Generator.php:95
action · admin_notices · elementor\load_elementor.php:21
action · plugins_loaded · elementor\load_elementor.php:28
action · elementor/widgets/widgets_registered · elementor\Register_Powerfolio_Elementor_Widgets.php:39
action · elementor/frontend/before_register_scripts · elementor\Register_Powerfolio_Elementor_Widgets.php:41
action · elementor/frontend/element_ready/widget · elementor\Register_Powerfolio_Elementor_Widgets.php:77
action · elementor/editor/before_enqueue_scripts · elementor\Register_Powerfolio_Elementor_Widgets.php:81
action · admin_menu · includes\panel.php:13
action · elementor/init · portfolio-elementor.php:123
action · init · portfolio-elementor.php:150
action · wp_enqueue_scripts · portfolio-elementor.php:153
action · plugins_loaded · portfolio-elementor.php:163
Maintenance & Trust

PowerFolio – Portfolio & Image Gallery for Elementor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 3, 2025
PHP min version: 7.4
Downloads: 366K

Community Trust

Rating: 90/100
Number of ratings: 11
Active installs: 10K
Developer Profile

PowerFolio – Portfolio & Image Gallery for Elementor Developer Profile

Diego Pereira

3 plugins · 10K total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 104 days
Detection Fingerprints

How We Detect PowerFolio – Portfolio & Image Gallery for Elementor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/portfolio-elementor/vendor/isotope/js/packery-mode.pkgd.min.js
/wp-content/plugins/portfolio-elementor/assets/js/custom-carousel-portfolio.js

Script Paths
/wp-content/plugins/portfolio-elementor/vendor/owl.carousel/owl.carousel.min.js
/wp-content/plugins/portfolio-elementor/assets/js/custom-carousel-portfolio.js
/wp-content/plugins/portfolio-elementor/vendor/isotope/js/packery-mode.pkgd.min.js

Version Parameters
portfolio-elementor/style.css?ver=
portfolio-elementor/script.js?ver=
portfolio-elementor/vendor/owl.carousel/assets/owl.carousel.css?ver=
portfolio-elementor/vendor/owl.carousel/assets/owl.theme.default.min.css?ver=
portfolio-elementor/vendor/owl.carousel/owl.carousel.min.js?ver=
portfolio-elementor/assets/js/custom-carousel-portfolio.js?ver=

HTML / DOM Fingerprints

CSS Classes
elpt-portfolio
JS Globals
elpug_powerups_catpe_fs
Shortcode Output
[portfolio-carousel
FAQ

Frequently Asked Questions about PowerFolio – Portfolio & Image Gallery for Elementor