PrettyPhoto – Simple Lightbox Plugin Security & Risk Analysis

The 'prettyPhoto' plugin version 1.2.5 exhibits a mixed security posture. The static analysis reveals a commendable lack of immediately exploitable entry points like AJAX handlers, REST API routes, and shortcodes that are exposed without authentication. Furthermore, the absence of dangerous functions and raw SQL queries is a positive sign, indicating some adherence to secure coding practices. However, the 60% output escaping rate suggests a potential for Cross-Site Scripting (XSS) vulnerabilities in the remaining 40% of outputs, though the taint analysis did not reveal any active flows.

The vulnerability history is a significant concern. With three known CVEs, and one still unpatched, the plugin has a documented history of security flaws, primarily related to Cross-Site Scripting. The fact that the last vulnerability was recorded relatively recently (2025-09-05) indicates that the development team has been active in fixing issues, but also that new ones have emerged. The presence of unpatched vulnerabilities, even if medium severity, poses an ongoing risk to users of this version. While the current code analysis shows no glaring immediate threats, the historical pattern of XSS vulnerabilities and the existence of an unpatched CVE necessitate caution.