Widgets for Social Photo Feed Security & Risk Analysis

wordpress.org/plugins/social-photo-feed-widget

Instagram Feed Widgets. Display your Instagram feed on your website to increase engagement, sales and SEO.

10K active installs · v1.8 · PHP 7.0+ · WP 6.2+ · Updated Mar 19, 2026
Tags: instagram, instagram-feed, instagram-gallery, instagram-photos, instagram-widget
Score: 71/100 · B · Generally Safe
CVEs total: 3
Unpatched: 1
Last CVE: May 1, 2026
Safety Verdict

Is Widgets for Social Photo Feed Safe to Use in 2026?

Mostly Safe

Score 71/100

Widgets for Social Photo Feed is generally safe to use, with one caveat: of its 3 known CVEs, 2 have been patched and 1 (CVE-2025-68595, Missing Authorization) remains unpatched.

3 known CVEs · 1 unpatched · Last CVE: May 1, 2026 · Updated 2mo ago
Risk Assessment

The 'social-photo-feed-widget' plugin v1.7.9 exhibits a mixed security posture. On the positive side, the static analysis found no raw SQL queries at all, no dangerous functions and no file operations, and 475 of 477 output sites are escaped, which removes most of the surface for SQL injection and cross-site scripting. The 16 nonce checks and 4 capability checks spread through the code also point to security-conscious development.

The central concern is one AJAX handler, wp_ajax_download_check (social-photo-feed-widget.php:143), that the static analysis flags as unprotected: no authorization check was found on it. Because it is registered on the logged-in wp_ajax_ hook rather than wp_ajax_nopriv_, WordPress requires a session, but a session alone is not authorization: without a capability test any authenticated role can reach the handler, and without a nonce a cross-site request can trigger it through a logged-in administrator's browser. The taint analysis also reports two flows with unsanitized paths in include\admin.php. Neither is rated critical or high, but both warrant attention because they can lead to unexpected behaviour or data exposure.

The vulnerability history shows a previously disclosed medium-severity CVE for missing authorization (CVE-2025-68595, affecting <= 1.7.7) that remains unpatched. The two CVEs disclosed after this analysis, an unauthenticated stored XSS via feed_data (CVE-2026-5425, fixed in 1.8.0) and missing authentication on the plugin's REST settings endpoints (CVE-2025-14726, fixed in 1.8.1), are both reachable without credentials and fit the same pattern. Together with the unprotected AJAX handler, this strongly suggests a recurring weakness in the plugin's authorization mechanisms. The plugin's sanitization and escaping are solid, but persistent authorization flaws and an unprotected entry point significantly elevate the risk. The two patched CVEs require at least 1.8.1; the unpatched one has no fix recorded and should be treated as open.
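To make the authorization finding concrete, here is an added example (not code from the plugin or from this report) of the WordPress pattern behind an "unprotected AJAX handler" and a "missing authentication via REST API endpoints" finding: a vulnerable handler beside its hardened form, plus the REST-route equivalent. Every hook, option and function name below (example_*, example-feed/v1) is hypothetical; none of them is the plugin's.

```php
<?php
// Added example, not code from the plugin or the report. Names are hypothetical.

// ---- Vulnerable: logged-in is not the same as authorized ----------------
// wp_ajax_{action} (without nopriv) means WordPress demands a session, but
// nothing here checks the user's role or that the request was intentional.
// Any authenticated role can call it, and a cross-site page can make an
// administrator's browser call it (CSRF).
add_action('wp_ajax_example_check_unsafe', 'example_check_unsafe');
function example_check_unsafe() {
    $url = $_POST['url'] ?? '';                    // raw, unsanitized input
    update_option('example_feed_source', $url);    // attacker-chosen setting
    wp_send_json_success(['saved' => $url]);
}

// ---- Hardened: nonce (CSRF) + capability (authz) + sanitize + validate ---
add_action('wp_ajax_example_check_safe', 'example_check_safe');
function example_check_safe() {
    // 1. CSRF: the nonce must have been issued for this action to this user
    //    (created with wp_create_nonce('example_check') and sent as
    //    _ajax_nonce). check_ajax_referer() ends the request with 403 on failure.
    check_ajax_referer('example_check', '_ajax_nonce');

    // 2. Authorization: require the capability that matches the action.
    //    Changing plugin settings is an administrator task: manage_options.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 3. Input: unslash, sanitize, then validate what is left.
    $url    = isset($_POST['url']) ? esc_url_raw(wp_unslash($_POST['url'])) : '';
    $scheme = wp_parse_url($url, PHP_URL_SCHEME);
    if ($url === '' || !in_array($scheme, ['http', 'https'], true)) {
        wp_send_json_error(['message' => 'invalid url'], 400);
    }

    update_option('example_feed_source', $url);

    // 4. Output: wp_send_json_* JSON-encodes, but anything later rendered into
    //    an admin page must still pass through esc_html()/esc_attr()/esc_url().
    wp_send_json_success(['saved' => esc_url($url)]);
}

// ---- REST: the same rule is spelled permission_callback -----------------
// A settings route registered with 'permission_callback' => '__return_true'
// is the "missing authentication via REST API endpoints" class of bug.
add_action('rest_api_init', function () {
    register_rest_route('example-feed/v1', '/settings', [
        'methods'  => WP_REST_Server::EDITABLE,
        'callback' => 'example_rest_update_settings',
        // Never '__return_true' on a write endpoint. With cookie auth, core
        // only populates the current user when a valid X-WP-Nonce header is
        // present, so this check also fails closed against CSRF.
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args' => [
            'source_url' => [
                'required'          => true,
                'sanitize_callback' => 'esc_url_raw',
                // wp_http_validate_url() also rejects loopback/private hosts,
                // which matters for a plugin that makes outbound HTTP requests.
                'validate_callback' => function ($value) {
                    return wp_http_validate_url($value) !== false;
                },
            ],
        ],
    ]);
});

function example_rest_update_settings(WP_REST_Request $request) {
    update_option('example_feed_source', $request->get_param('source_url'));
    return rest_ensure_response(['saved' => true]);
}
```

The order of the checks is deliberate: the nonce test runs first so a forged request is rejected before any capability lookup, and the capability test uses a capability tied to the action rather than a role name, which is what WordPress's own settings screens do.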

Key Concerns

  • Unprotected AJAX handler (wp_ajax_download_check, social-photo-feed-widget.php:143)
  • Unpatched CVE: Missing Authorization (CVE-2025-68595, <= 1.7.7)
  • Two taint flows with unsanitized paths (include\admin.php)
Vulnerabilities
3 published

Widgets for Social Photo Feed Security Vulnerabilities

CVEs by Year

2025: 1 CVE (unpatched)
2026: 2 CVEs (both patched)

Severity Breakdown

High: 1
Medium: 2
3 total CVEs

CVE-2025-14726 · medium (6.5) · Exposure of Sensitive Information to an Unauthorized Actor
Widgets for Social Photo Feed <= 1.8 - Missing Authentication to Unauthenticated Plugin Settings Access/Update via trustindex_feed_hook_instagram REST API endpoints
Disclosed May 1, 2026 · Patched in 1.8.1 (1d)

CVE-2026-5425 · high (7.2) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Widgets for Social Photo Feed <= 1.7.9 - Unauthenticated Stored Cross-Site Scripting via feed_data
Disclosed Apr 3, 2026 · Patched in 1.8.0 (1d)

CVE-2025-68595 · medium (5.3) · Missing Authorization
Widgets for Social Photo Feed <= 1.7.7 - Missing Authorization
Disclosed Dec 23, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Widgets for Social Photo Feed Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 2 (475 escaped)
Nonce Checks: 16
Capability Checks: 4
File Operations: 0
External Requests: 7
Bundled Libraries: 0

Output Escaping

475 of 477 outputs escaped (99.6%); 2 unescaped
Data Flows · Security
2 unsanitized

Data Flow Analysis

5 flows, 2 with unsanitized paths
Reported location: <admin> (include\admin.php:0)
Attack Surface
1 unprotected

Widgets for Social Photo Feed Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers (1)

Scope  Action                  Location                          Status
auth   wp_ajax_download_check  social-photo-feed-widget.php:143  unprotected (no authorization check found)

"auth" means the handler is registered on the wp_ajax_ hook, i.e. it runs for logged-in users only, not on wp_ajax_nopriv_.
WordPress Hooks (27)

Type    Hook                                             Location
filter  rocket_minify_excluded_external_js               include\cache-plugin-filters.php:13
filter  rocket_exclude_js                                include\cache-plugin-filters.php:14
filter  rocket_delay_js_exclusions                       include\cache-plugin-filters.php:15
filter  litespeed_optimize_js_excludes                   include\cache-plugin-filters.php:16
filter  sgo_javascript_combine_excluded_external_paths   include\cache-plugin-filters.php:17
filter  sgo_css_combine_exclude                          include\cache-plugin-filters.php:18
filter  rocket_rucss_safelist                            include\cache-plugin-filters.php:58
filter  script_loader_tag                                include\cache-plugin-filters.php:63
filter  style_loader_tag                                 include\cache-plugin-filters.php:78
action  plugins_loaded                                   social-photo-feed-widget.php:34
action  admin_menu                                       social-photo-feed-widget.php:35
filter  plugin_action_links                              social-photo-feed-widget.php:36
filter  plugin_row_meta                                  social-photo-feed-widget.php:37
action  init                                             social-photo-feed-widget.php:38
action  admin_enqueue_scripts                            social-photo-feed-widget.php:39
action  init                                             social-photo-feed-widget.php:41
action  init                                             social-photo-feed-widget.php:57
filter  script_loader_tag                                social-photo-feed-widget.php:58
action  rest_api_init                                    social-photo-feed-widget.php:64
action  admin_notices                                    social-photo-feed-widget.php:148
action  elementor/widgets/widgets_registered             social-photo-feed-widget.php:190
action  elementor/elements/categories_registered         social-photo-feed-widget.php:194
action  wp_enqueue_scripts                               social-photo-feed-widget.php:203
action  wp_footer                                        trustindex-feed-plugin.class.php:4857
action  admin_footer                                     trustindex-feed-plugin.class.php:4858
filter  filesystem_method                                trustindex-feed-plugin.class.php:4942
action  admin_notices                                    trustindex-feed-plugin.class.php:4967
Maintenance & Trust

Widgets for Social Photo Feed Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 19, 2026
PHP min version: 7.0
Downloads: 106K

Community Trust

Rating: 92/100
Number of ratings: 21
Active installs: 10K
Developer Profile

Widgets for Social Photo Feed Developer Profile

Trustindex

34 plugins · 975K total installs

Trust score: 87
Avg Security Score: 98/100
Avg Patch Time: 71 days
Detection Fingerprints

How We Detect Widgets for Social Photo Feed

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/social-photo-feed-widget/css/widget.css
/wp-content/plugins/social-photo-feed-widget/css/feed.css
/wp-content/plugins/social-photo-feed-widget/css/ti-animation.css
/wp-content/plugins/social-photo-feed-widget/css/loader.css
/wp-content/plugins/social-photo-feed-widget/js/feed-loader.js
Script Paths
/wp-content/plugins/social-photo-feed-widget/js/feed-loader.js
Version Parameters
social-photo-feed-widget/css/widget.css?ver=
social-photo-feed-widget/css/feed.css?ver=
social-photo-feed-widget/css/ti-animation.css?ver=
social-photo-feed-widget/css/loader.css?ver=
social-photo-feed-widget/js/feed-loader.js?ver=

HTML / DOM Fingerprints

CSS Classes
trustindex-feed-container, ti-feed-item, ti-icon-instagram, ti-animation, trustindex-notification-row
HTML Comments
"Copyright 2019 Trustindex Kft (email: support@trustindex.io)"
"This function ensures that each element of the JSON object is sanitized individually using standard WordPress sanitization functions"
Data Attributes
data-ti-source-id, data-ti-feed-id, data-ti-feed-type, data-ti-feed-style, data-ti-account-id, data-ti-profile-id, +1 more
JS Globals
TRUSTINDEX_Feed_Instagram
REST Endpoints
/wp-json/trustindex-feed-instagram/v1/get-token
/wp-json/trustindex-feed-instagram/v1/troubleshooting
/wp-json/trustindex-feed-instagram/v1/submit-data
/wp-json/trustindex-feed-instagram/v1/refresh-data
Shortcode Output
[social_photo_feed]
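As an added example of how the fingerprints above are used in practice (this is not the report's or the plugin's code), the matcher below applies the asset-path, CSS-class, data-attribute, JS-global and HTML-comment patterns to a page's HTML, pulls the version out of the ?ver= parameter on one of the plugin's own assets, and triages that version against the CVE table on this page. The function names (spfw_*) and the sample HTML are constructed for the example; the HTML is not captured from a real site.

```php
<?php
// Added example, not part of the report or the plugin. spfw_* names are hypothetical.

const SPFW_SLUG = 'social-photo-feed-widget';

// Fingerprints as listed on this page.
const SPFW_FINGERPRINTS = [
    'asset_paths' => [
        '/wp-content/plugins/social-photo-feed-widget/css/widget.css',
        '/wp-content/plugins/social-photo-feed-widget/css/feed.css',
        '/wp-content/plugins/social-photo-feed-widget/css/ti-animation.css',
        '/wp-content/plugins/social-photo-feed-widget/css/loader.css',
        '/wp-content/plugins/social-photo-feed-widget/js/feed-loader.js',
    ],
    'js_globals'      => ['TRUSTINDEX_Feed_Instagram'],
    'css_classes'     => ['trustindex-feed-container', 'ti-feed-item', 'ti-icon-instagram',
                          'ti-animation', 'trustindex-notification-row'],
    'data_attributes' => ['data-ti-source-id', 'data-ti-feed-id', 'data-ti-feed-type',
                          'data-ti-feed-style', 'data-ti-account-id', 'data-ti-profile-id'],
    'html_comments'   => ['Copyright 2019 Trustindex Kft'],
];

// CVE table from this page. 'fixed' => null means no fix is recorded, so that
// entry is reported for every version, not only for <= affected_max.
const SPFW_CVES = [
    ['id' => 'CVE-2025-68595', 'severity' => 'medium', 'affected_max' => '1.7.7', 'fixed' => null],
    ['id' => 'CVE-2026-5425',  'severity' => 'high',   'affected_max' => '1.7.9', 'fixed' => '1.8.0'],
    ['id' => 'CVE-2025-14726', 'severity' => 'medium', 'affected_max' => '1.8',   'fixed' => '1.8.1'],
];

function spfw_applicable_cves(string $version): array {
    $out = [];
    foreach (SPFW_CVES as $cve) {
        if ($cve['fixed'] === null) {
            $out[] = sprintf('%s (%s, disclosed for <= %s, no fix recorded)',
                             $cve['id'], $cve['severity'], $cve['affected_max']);
        } elseif (version_compare($version, $cve['fixed'], '<')) {
            $out[] = sprintf('%s (%s, fixed in %s)', $cve['id'], $cve['severity'], $cve['fixed']);
        }
    }
    return $out;
}

function spfw_detect(string $html): array {
    $hits = [];
    foreach (SPFW_FINGERPRINTS as $kind => $needles) {
        foreach ($needles as $needle) {
            if (strpos($html, $needle) !== false) {
                $hits[$kind][] = $needle;
            }
        }
    }

    // ?ver= on one of the plugin's own enqueued assets. Caveat: WordPress falls
    // back to the core version when a plugin enqueues without one, and cache
    // plugins may rewrite it, so treat this as a hint and confirm against
    // readme.txt or the changelog before acting on it.
    $version = null;
    $pattern = '~/wp-content/plugins/' . preg_quote(SPFW_SLUG, '~')
             . '/(?:css|js)/[\w.-]+\?ver=([0-9][\w.-]*)~';
    if (preg_match($pattern, $html, $m)) {
        $version = $m[1];
    }

    // A plugin-specific path or JS global is a strong signal; class names,
    // data attributes and comments can be copied by a theme, so they are weak.
    $strong = !empty($hits['asset_paths']) || !empty($hits['js_globals']);
    $weak   = !empty($hits['css_classes']) || !empty($hits['data_attributes'])
           || !empty($hits['html_comments']);

    return [
        'detected'   => $strong || $weak,
        'confidence' => $strong ? 'high' : ($weak ? 'low' : 'none'),
        'version'    => $version,
        'hits'       => $hits,
        'cves'       => $version !== null ? spfw_applicable_cves($version) : [],
    ];
}

// Constructed sample page (not a real capture).
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/social-photo-feed-widget/css/feed.css?ver=1.7.9">
<script src="https://example.test/wp-content/plugins/social-photo-feed-widget/js/feed-loader.js?ver=1.7.9"></script>
<div class="trustindex-feed-container" data-ti-feed-id="abc123" data-ti-feed-type="instagram"></div>
HTML;

print_r(spfw_detect($sample));
```

Run it with `php` on the command line. For the constructed sample it reports a high-confidence detection at version 1.7.9 and lists all three CVEs, since 1.7.9 is below both fix versions and the third CVE has no fix recorded. The REST endpoints listed above are deliberately not probed here: checking them requires a live request to /wp-json/, and the matcher is meant to work offline on saved HTML.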
FAQ

Frequently Asked Questions about Widgets for Social Photo Feed