Does SmugMug Embed have any unpatched vulnerabilities?

No. All known vulnerabilities in SmugMug Embed have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is SmugMug Embed compatible with WordPress 5.5.18?

According to WordPress.org data, SmugMug Embed 3.13 has been tested up to WordPress 5.5.18. Check the plugin's changelog for the latest compatibility information.

How often is SmugMug Embed updated?

SmugMug Embed was last updated on Nov 16, 2020. Frequent updates are generally a positive security signal.

What is SmugMug Embed's security score?

SmugMug Embed has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

SmugMug Embed Security & Risk Analysis

wordpress.org/plugins/smugmug-embed

Allows users to search and embed images into posts or pages directly from their SmugMug accounts.

100 active installs v3.13 PHP + WP 4.8+ Updated Nov 16, 2020

embedimagesintegrationsmug-mugsmugmug

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is SmugMug Embed Safe to Use in 2026?

Generally Safe

Score 85/100

SmugMug Embed has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago

Risk Assessment

The smugmug-embed plugin v3.13 presents a mixed security posture. On the positive side, it demonstrates good practices regarding SQL queries, exclusively using prepared statements, and has no recorded vulnerability history (CVEs). However, significant concerns arise from its attack surface. A substantial number of AJAX handlers (12 out of 14) lack authentication checks, creating numerous potential entry points for unauthorized actions. The presence of a dangerous `unserialize` function, even with no critical taint flows identified, poses a risk if not handled with extreme caution, as it can lead to object injection vulnerabilities. Furthermore, a very low percentage of output escaping (9%) is a critical weakness, suggesting a high probability of cross-site scripting (XSS) vulnerabilities, especially when combined with the unprotected AJAX endpoints. The single external HTTP request also warrants attention for potential data leakage or manipulation if the target is compromised or malicious.

Key Concerns

High number of unprotected AJAX handlers
Dangerous unserialize function detected
Low percentage of output escaping
Single external HTTP request

Vulnerabilities

None known

SmugMug Embed Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 16, 2026

SmugMug Embed Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

2 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$reqToken = unserialize($_SESSION['SmugGalReqToken']);includes\class_SME_Settings.php:166

Bundled Libraries

Guzzle

Output Escaping

9% escaped23 total outputs

Data Flows

2 unsanitized

Data Flow Analysis

4 flows2 with unsanitized paths

saveSelectedAlbums (includes\class_SME_helper.php:117)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

12 unprotected

SmugMug Embed Attack Surface

Entry Points16

Unprotected12

AJAX Handlers 14

authwp_ajax_build_folder_listincludes\class_SME_helper.php:25

noprivwp_ajax_build_folder_listincludes\class_SME_helper.php:26

authwp_ajax_getBreadcrumbsincludes\class_SME_helper.php:27

noprivwp_ajax_getBreadcrumbsincludes\class_SME_helper.php:28

authwp_ajax_saveSelectedAlbumsincludes\class_SME_helper.php:29

noprivwp_ajax_saveSelectedAlbumsincludes\class_SME_helper.php:30

authwp_ajax_SME_loadSelectedAlbumsincludes\class_SME_helper.php:31

noprivwp_ajax_SME_loadSelectedAlbumsincludes\class_SME_helper.php:32

authwp_ajax_addAlbumToSelectedincludes\class_SME_helper.php:33

noprivwp_ajax_addAlbumToSelectedincludes\class_SME_helper.php:34

authwp_ajax_SME_LoadSelectedImagesFromGalleryincludes\class_SME_helper.php:35

noprivwp_ajax_SME_LoadSelectedImagesFromGalleryincludes\class_SME_helper.php:36

authwp_ajax_SME_getImageInfoincludes\class_SME_helper.php:37

noprivwp_ajax_SME_getImageInfoincludes\class_SME_helper.php:38

REST API Routes 2

POST/wp-json/sme-api/v1/settingsincludes\class_SME_Settings.php:418

GET/wp-json/sme-api/v1/settingsincludes\class_SME_Settings.php:477

WordPress Hooks 16

actioninitblock\SME_image\index.php:35

actionadmin_noticesincludes\class-sme-license-manager-client.php:68

filterpre_set_site_transient_update_pluginsincludes\class-sme-license-manager-client.php:70

actioninitincludes\class_SME_helper.php:23

actionadmin_enqueue_scriptsincludes\class_SME_helper.php:24

filterplugin_row_metaincludes\class_SME_helper.php:41

actionadmin_menuincludes\class_SME_Settings.php:40

actionadmin_enqueue_scriptsincludes\class_SME_Settings.php:41

actioninitSmugMugEmbed.php:21

actionwp_logoutSmugMugEmbed.php:22

actionwp_loginSmugMugEmbed.php:23

actionadmin_enqueue_scriptsSmugMugEmbed.php:45

actionwp_enqueue_scriptsSmugMugEmbed.php:51

actionadmin_initSmugMugEmbed.php:89

actioninitSmugMugEmbed.php:114

actionrest_api_initSmugMugEmbed.php:121

Maintenance & Trust

SmugMug Embed Maintenance & Trust

Maintenance Signals

WordPress version tested5.5.18

Last updatedNov 16, 2020

PHP min version

Downloads8K

Community Trust

Rating70/100

Number of ratings4

Active installs100

Alternatives

SmugMug Embed Alternatives

SmugMug Responsive Slider

smugmug-responsive-slider

A responsive image slider to display your SmugMug photos

60 No CVEs

Publitio

publitio

Publitio plugin integrates Publitio cloud media into WordPress with a simple block for effortless uploading, browsing, and embedding of image, video, …

400 1 unpatched

File Manager for Dropbox

integrate-dropbox

100

Secure Dropbox integration for WordPress. Manage, share, and embed files via blocks, shortcodes, and Elementor widgets.

300 No CVEs

Woo Email Control

woo-email-control

Get better control of your Woocommerce emails. Add product images & embed them in emails. Test emails in your browser and via email.

300 1 CVE

Embed Images in Comments

embed-comment-images

Embed direct image links in your comments with an img tag.

100 1 CVE

Developer Profile

SmugMug Embed Developer Profile

twicklund

1 plugin · 100 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect SmugMug Embed

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/smugmug-embed/includes/css/style.css/wp-content/plugins/smugmug-embed/includes/SME_SmugMugEmbed.js

Script Paths

/wp-content/plugins/smugmug-embed/includes/SME_SmugMugEmbed.js

Version Parameters

smugmug-embed/includes/css/style.css?t=smugmug-embed/includes/SME_SmugMugEmbed.js?t=

HTML / DOM Fingerprints

Data Attributes

data-smugmug-embed-api-token

JS Globals

passedData

REST Endpoints

/wp-json/smugmug-embed/v1/settings

Shortcode Output

[smugmug-embed-image][smugmug-gallery]

FAQ

SmugMug Embed Security & Risk Analysis

Is SmugMug Embed Safe to Use in 2026?

Generally Safe

Key Concerns

SmugMug Embed Security Vulnerabilities

SmugMug Embed Code Analysis

Dangerous Functions Found

Bundled Libraries

Output Escaping

Data Flow Analysis

SmugMug Embed Attack Surface

AJAX Handlers 14

REST API Routes 2

SmugMug Embed Maintenance & Trust

Maintenance Signals

Community Trust

SmugMug Embed Alternatives

SmugMug Responsive Slider

Publitio

File Manager for Dropbox

Woo Email Control

Embed Images in Comments

SmugMug Embed Developer Profile

How We Detect SmugMug Embed

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about SmugMug Embed