Portfolio Manager Lite Security & Risk Analysis

wordpress.org/plugins/portfolio-manager-lite

A Portfolio plugin to help you show your work in beautiful portfolio lists.

100 active installs · v1.20 · PHP + · WP 3.8+ · Updated May 6, 2022
drag-and-drop · gallery · portfolio · portfolio-list · responsive
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Portfolio Manager Lite Safe to Use in 2026?

Generally Safe

Score 85/100

Portfolio Manager Lite has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3yr ago
Risk Assessment

The portfolio-manager-lite plugin v1.20 presents a mixed security posture. On the positive side, it utilizes prepared statements for all SQL queries, which is a strong defense against SQL injection. Furthermore, the absence of known CVEs and recorded vulnerabilities suggests a history of relatively secure development or prompt patching by the developers. The plugin also incorporates some nonces and performs a decent percentage of output escaping, indicating an awareness of common web security practices.

However, significant concerns arise from the substantial attack surface exposed without authentication. A high number of AJAX handlers (13 out of 13) lack any form of authentication check. This means any user, including unauthenticated visitors, can potentially trigger these actions, leading to unintended consequences or information disclosure if these handlers are not robustly protected internally. In the handler list, three actions (`get_pm_posts`, `pm_social_share` and `otw_pm_get_video`) are also registered as `nopriv`, the registration WordPress uses for requests from visitors who are not logged in. Additionally, the presence of the `unserialize` function, while not necessarily a vulnerability on its own, is a known risky function that can lead to remote code execution if used with untrusted input. The bundled jQuery version is also outdated, posing a potential risk if vulnerabilities are discovered in that specific version.

In conclusion, while the plugin has strengths in its SQL handling and vulnerability history, the large number of unprotected AJAX endpoints and the use of `unserialize` are significant security weaknesses that warrant attention. The outdated bundled jQuery adds another layer of potential concern. Addressing the unprotected AJAX handlers should be a priority to improve the plugin's overall security.

Key Concerns

  • 13 unprotected AJAX handlers
  • Dangerous function: unserialize
  • Bundled outdated jQuery v1.8.3
  • Low percentage of output escaping (53%)
  • 0 capability checks on entry points
Vulnerabilities
None known

Portfolio Manager Lite Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Portfolio Manager Lite Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 295 (336 escaped)
Nonce Checks: 2
Capability Checks: 0
File Operations: 9
External Requests: 4
Bundled Libraries: 3

Dangerous Functions Found

unserialize · `$value = unserialize( urldecode( $value ) );` · include\otw_components\otw_functions\otw_functions.php:600
unserialize · otw_portfolio_manager_lite.php:922

Bundled Libraries

Select2 · jQuery 1.8.3 · TinyMCE

Output Escaping

53% escaped · 631 total outputs
Attack Surface
13 unprotected

Portfolio Manager Lite Attack Surface

Entry Points: 15
Unprotected: 13

AJAX Handlers 13

auth · wp_ajax_otw_shortcode_editor_dialog · include\otw_components\otw_shortcode\otw_shortcode.class.php:166
auth · wp_ajax_otw_shortcode_get_code · include\otw_components\otw_shortcode\otw_shortcode.class.php:167
auth · wp_ajax_otw_shortcode_live_preview · include\otw_components\otw_shortcode\otw_shortcode.class.php:168
auth · wp_ajax_otw_shortcode_live_reload · include\otw_components\otw_shortcode\otw_shortcode.class.php:169
auth · wp_ajax_otw_shortcode_preview_shortcodes · include\otw_components\otw_shortcode\otw_shortcode.class.php:170
auth · wp_ajax_otw_shortcode_preview_front_shortcodes · include\otw_components\otw_shortcode\otw_shortcode.class.php:171
auth · wp_ajax_otw_pml_select2_options · otw_portfolio_manager_lite.php:164
auth · wp_ajax_get_pm_posts · otw_portfolio_manager_lite.php:184
nopriv · wp_ajax_get_pm_posts · otw_portfolio_manager_lite.php:185
auth · wp_ajax_pm_social_share · otw_portfolio_manager_lite.php:188
nopriv · wp_ajax_pm_social_share · otw_portfolio_manager_lite.php:189
auth · wp_ajax_otw_pm_get_video · otw_portfolio_manager_lite.php:192
nopriv · wp_ajax_otw_pm_get_video · otw_portfolio_manager_lite.php:193

Shortcodes 2

[otw_pm_vc] classes\otw_portfolio_manager_vc_addon.php:15
[otw-pm-list] otw_portfolio_manager_lite.php:175

WordPress Hooks 31

filter · posts_where · classes\otw_pm_query.php:276
filter · posts_where · classes\otw_pm_query.php:287
filter · posts_where · classes\otw_pm_query.php:298
filter · post_limits · classes\otw_pm_query.php:308
filter · post_limits · classes\otw_pm_query.php:337
action · init · classes\otw_portfolio_manager_vc_addon.php:13
action · admin_menu · include\otw_components\otw_factory\otw_factory.class.php:34
action · admin_print_styles · include\otw_components\otw_factory\otw_factory.class.php:36
action · admin_notices · include\otw_components\otw_factory\otw_factory.class.php:38
filter · pre_set_site_transient_update_plugins · include\otw_components\otw_factory\otw_factory.class.php:40
filter · plugins_api · include\otw_components\otw_factory\otw_factory.class.php:42
action · wp_enqueue_scripts · include\otw_components\otw_functions\otw_component.class.php:90
action · admin_enqueue_scripts · include\otw_components\otw_functions\otw_component.class.php:94
action · admin_notices · include\otw_components\otw_image\otw_image.class.php:21
action · admin_footer · include\otw_components\otw_shortcode\otw_shortcode.class.php:164
filter · mce_external_plugins · include\otw_components\otw_shortcode\otw_shortcode.class.php:175
filter · mce_buttons · include\otw_components\otw_shortcode\otw_shortcode.class.php:176
action · wp_footer · include\otw_components\otw_shortcode\otw_shortcode.class.php:185
action · admin_init · otw_portfolio_manager_lite.php:152
action · admin_menu · otw_portfolio_manager_lite.php:155
action · add_meta_boxes · otw_portfolio_manager_lite.php:158
action · save_post · otw_portfolio_manager_lite.php:161
filter · otwfcr_notice · otw_portfolio_manager_lite.php:167
action · init · otw_portfolio_manager_lite.php:170
action · widgets_init · otw_portfolio_manager_lite.php:178
action · wp_enqueue_scripts · otw_portfolio_manager_lite.php:181
action · template_redirect · otw_portfolio_manager_lite.php:195
filter · get_post_metadata · otw_portfolio_manager_lite.php:197
filter · post_thumbnail_html · otw_portfolio_manager_lite.php:198
action · admin_print_styles · otw_portfolio_manager_lite.php:1046
action · admin_enqueue_scripts · otw_portfolio_manager_lite.php:1047
Maintenance & Trust

Portfolio Manager Lite Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: May 6, 2022
PHP min version
Downloads: 17K

Community Trust

Rating: 74/100
Number of ratings: 9
Active installs: 100
Developer Profile

Portfolio Manager Lite Developer Profile

OTWthemes

12 plugins · 6K total installs

Trust score: 70
Avg Security Score: 66/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Portfolio Manager Lite

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/portfolio-manager-lite/assets/css/otw-portfolio-manager-lite.css
/wp-content/plugins/portfolio-manager-lite/assets/css/otw-portfolio-manager-lite-admin.css
/wp-content/plugins/portfolio-manager-lite/assets/js/otw-portfolio-manager-lite.js
/wp-content/plugins/portfolio-manager-lite/assets/js/otw-portfolio-manager-lite-admin.js
Script Paths
/wp-content/plugins/portfolio-manager-lite/assets/js/otw-portfolio-manager-lite.js
/wp-content/plugins/portfolio-manager-lite/assets/js/otw-portfolio-manager-lite-admin.js
Version Parameters
portfolio-manager-lite/assets/css/otw-portfolio-manager-lite.css?ver=
portfolio-manager-lite/assets/js/otw-portfolio-manager-lite.js?ver=
portfolio-manager-lite/assets/css/otw-portfolio-manager-lite-admin.css?ver=
portfolio-manager-lite/assets/js/otw-portfolio-manager-lite-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
otw-pm-portfolio · otw-portfolio-item · otw-portfolio-list
HTML Comments
<!-- OTW Portfolio Manager Lite -->
<!-- OTW Portfolio Manager Lite Admin -->
Data Attributes
data-otw-pm-id · data-otw-portfolio-id
JS Globals
otw_pml_options · otw_pml_ajax_url
Shortcode Output
[otw-pm-list]