Portfolio X Security & Risk Analysis

wordpress.org/plugins/portfolio-x

Portfolio X is a responsive portfolio gallery plugin for project portfolio with unique photo gallery styles, portfolio widgets and project showcase.

200 active installs · v3.7.7 · PHP 5.6+ · WP 4.6+ · Updated Dec 17, 2025
Tags: client-showcase, portfolio, portfolio-gallery, portfolio-grid, portfolio-widget
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Portfolio X Safe to Use in 2026?

Generally Safe

Score 100/100

Portfolio X has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3mo ago
Risk Assessment

The portfolio-x plugin version 3.7.7 exhibits a mixed security posture. While it boasts a clean vulnerability history with no recorded CVEs, indicating a potentially mature codebase or diligent security practices in the past, the static analysis reveals significant concerns. A substantial portion of its attack surface, specifically 10 out of 17 AJAX handlers, lacks authentication checks. This presents a considerable risk, as unauthorized users could potentially trigger these handlers. Furthermore, the taint analysis identified a high-severity flow with unsanitized paths, which could lead to serious security vulnerabilities if exploited. The presence of dangerous functions like `create_function` and `unserialize` also raises red flags, as these are often associated with code injection or deserialization vulnerabilities. While the plugin demonstrates some good practices like a decent number of nonce and capability checks, and a moderate use of prepared statements for SQL queries, the identified unprotected entry points and the high-severity taint flow are critical weaknesses that require immediate attention.

Key Concerns

  • High number of AJAX handlers without auth checks
  • High severity unsanitized taint flow
  • Use of dangerous functions (create_function, unserialize)
  • SQL queries with only 38% prepared statements
  • Only 59% of outputs properly escaped
Vulnerabilities
None known

Portfolio X Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Portfolio X Code Analysis

Dangerous Functions: 17
Raw SQL Queries: 10 (6 prepared)
Unescaped Output: 630 (917 escaped)
Nonce Checks: 19
Capability Checks: 19
File Operations: 0
External Requests: 4
Bundled Libraries: 2

Dangerous Functions Found

  • create_function · `add_filter( 'option_page_capability_' . ot_options_id(), create_function( '$caps', "return '$caps';"` · inc\option-tree\includes\ot-functions-admin.php:69
  • unserialize · `$textarea = isset( $_POST['import_settings'] ) ? unserialize( ot_decode( $_POST['import_settings'] )` · inc\option-tree\includes\ot-functions-admin.php:1289
  • unserialize · `$options = isset( $_POST['import_data'] ) ? unserialize( ot_decode( $_POST['import_data'] ) ) : '';` · inc\option-tree\includes\ot-functions-admin.php:1313
  • unserialize · `$layouts = isset( $_POST['import_layouts'] ) ? unserialize( ot_decode( $_POST['import_layouts'] ) )` · inc\option-tree\includes\ot-functions-admin.php:1361
  • unserialize · `$options = unserialize( ot_decode( $value ) );` · inc\option-tree\includes\ot-functions-admin.php:1377
  • unserialize · `$new_options = unserialize( ot_decode( $layouts[$layouts['active_layout']] ) );` · inc\option-tree\includes\ot-functions-admin.php:1400
  • unserialize · `$rebuild_option_tree = unserialize( ot_decode( $rebuild[$rebuild['active_layout']] ) );` · inc\option-tree\includes\ot-functions-admin.php:2244
  • unserialize · `$options = unserialize( ot_decode( $rawdata ) );` · inc\option-tree\includes\ot-functions-compat.php:99
  • unserialize · `$layouts = unserialize( ot_decode( $rawdata ) );` · inc\option-tree\includes\ot-functions-compat.php:140
  • unserialize · `$options = unserialize( ot_decode( $value ) );` · inc\option-tree\includes\ot-functions-compat.php:156
  • unserialize · `update_option( ot_options_id(), unserialize( ot_decode( $layouts[$layouts['active_layout']] ) ) );` · inc\option-tree\includes\ot-functions-compat.php:179
  • unserialize · `$settings = isset( $_POST[$field['id'] . '_settings_array'] ) ? unserialize( ot_decode( $_POST[$fiel` · inc\option-tree\includes\ot-meta-box-api.php:243
  • unserialize · `$settings = isset( $_POST[$field['id'] . '_settings_array'] ) ? unserialize( ot_decode( $_POST[$fiel` · inc\option-tree\includes\ot-meta-box-api.php:276
  • unserialize · `$settings = isset( $_POST[$setting['id'] . '_settings_array'] ) ? unserialize( ot_decode( $_POST[$se` · inc\option-tree\includes\ot-settings-api.php:622
  • unserialize · `$settings = isset( $_POST[$setting['id'] . '_settings_array'] ) ? unserialize( ot_decode( $_POST[$se` · inc\option-tree\includes\ot-settings-api.php:662
  • unserialize · `ot_list_item_view( $_REQUEST['name'], $_REQUEST['count'], array(), $_REQUEST['post_id'], $_REQUEST['` · inc\option-tree\ot-loader.php:662
  • unserialize · `ot_social_links_view( $_REQUEST['name'], $_REQUEST['count'], array(), $_REQUEST['post_id'], $_REQUES` · inc\option-tree\ot-loader.php:671

Bundled Libraries

TinyMCE, jQuery

SQL Query Safety

38% prepared · 16 total queries

Output Escaping

59% escaped · 1547 total outputs
Data Flows
10 unsanitized

Data Flow Analysis

20 flows · 10 with unsanitized paths
ot_import (inc\option-tree\includes\ot-functions-admin.php:1243)
Attack Surface
10 unprotected

Portfolio X Attack Surface

Entry Points: 19
Unprotected: 10

AJAX Handlers 17

  • auth · wp_ajax_goodbye_form · class-plugin-deactivate-feedback.php:62
  • auth · wp_ajax_cmb2_oembed_handler · inc\cmb2\includes\CMB2_Ajax.php:48
  • nopriv · wp_ajax_cmb2_oembed_handler · inc\cmb2\includes\CMB2_Ajax.php:49
  • auth · wp_ajax_add_section · inc\option-tree\ot-loader.php:506
  • auth · wp_ajax_add_setting · inc\option-tree\ot-loader.php:509
  • auth · wp_ajax_add_the_contextual_help · inc\option-tree\ot-loader.php:512
  • auth · wp_ajax_add_choice · inc\option-tree\ot-loader.php:515
  • auth · wp_ajax_add_list_item_setting · inc\option-tree\ot-loader.php:518
  • auth · wp_ajax_add_layout · inc\option-tree\ot-loader.php:521
  • auth · wp_ajax_add_list_item · inc\option-tree\ot-loader.php:524
  • auth · wp_ajax_add_social_links · inc\option-tree\ot-loader.php:527
  • auth · wp_ajax_ot_google_font · inc\option-tree\ot-loader.php:530
  • auth · wp_ajax_gallery_update · inc\option-tree\ot-loader.php:536
  • auth · wp_ajax_qcld_portfolio_process_qc_promo_form · qc-support-promo-page\class-qc-support-promo-page.php:116
  • auth · wp_ajax_qcld_recommend_support_function_ajax · qc-support-promo-page\qc-clr-recommendbot-support-plugin.php:8
  • auth · wp_ajax_sort-posts · qcld-functions.php:34
  • auth · wp_ajax_show_qcpx_shortcode_cmn · qcld-shortcode-generator.php:165

Shortcodes 2

[portfolio-x] qcld-register-shortcodes.php:4
[portfolio-x-showcase] qcld-shortcode-2.php:4
WordPress Hooks 135
Maintenance & Trust

Portfolio X Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Dec 17, 2025
PHP min version: 5.6
Downloads: 21K

Community Trust

Rating: 100/100
Number of ratings: 8
Active installs: 200
Developer Profile

Portfolio X Developer Profile

QuantumCloud

29 plugins · 26K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 255 days
Detection Fingerprints

How We Detect Portfolio X

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/portfolio-x/assets/css/frontend.css
  • /wp-content/plugins/portfolio-x/assets/css/magnific-popup.css
  • /wp-content/plugins/portfolio-x/assets/js/isotope.pkgd.min.js
  • /wp-content/plugins/portfolio-x/assets/js/magnific-popup.js
  • /wp-content/plugins/portfolio-x/assets/js/frontend.js
Script Paths
  • /wp-content/plugins/portfolio-x/assets/js/isotope.pkgd.min.js
  • /wp-content/plugins/portfolio-x/assets/js/magnific-popup.js
  • /wp-content/plugins/portfolio-x/assets/js/frontend.js
Version Parameters
  • portfolio-x/assets/css/frontend.css?ver=
  • portfolio-x/assets/css/magnific-popup.css?ver=
  • portfolio-x/assets/js/isotope.pkgd.min.js?ver=
  • portfolio-x/assets/js/magnific-popup.js?ver=
  • portfolio-x/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
portfolio-x-grid, portfolio-x-item
Data Attributes
data-portfolio-x-id
Shortcode Output
[portfolio_x]