ThickBox Security & Risk Analysis

wordpress.org/plugins/thickbox

Embed ThickBox into your posts and pages.

200 active installs · v1.6.1 · PHP + WP 2.5+ · Updated Jun 21, 2014
Tags: gallery, images, pictures, smoothbox, thickbox

Score: 85 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is ThickBox Safe to Use in 2026?

Generally Safe

Score 85/100

ThickBox has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 11yr ago
Risk Assessment

The ThickBox plugin version 1.6.1 exhibits a mixed security posture. On one hand, the static analysis shows no known critical vulnerabilities in its history and a complete absence of AJAX handlers, REST API routes, shortcodes, and cron events that could serve as direct entry points. Furthermore, all detected SQL queries are properly prepared, and there are no external HTTP requests, both positive security indicators. However, significant concerns arise from output escaping: with 100% of its outputs not properly escaped, the plugin presents a high risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis also reveals flows with unsanitized paths, although they are not classified as critical or high severity. The presence of a file operation without explicit authentication or capability checks is a further area of concern, especially when combined with unescaped output. While the plugin has no recorded CVEs, the lack of output escaping is a fundamental security flaw that could lead to exploitable issues.

Key Concerns

  • Unescaped output across all outputs
  • Flows with unsanitized paths
  • File operation without explicit auth check
Vulnerabilities
None known

ThickBox Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

ThickBox Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 11 (0 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Output Escaping

0% escaped · 11 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
thickbox_show_options_page (thickbox.php:289)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

ThickBox Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 8
  • action · init · thickbox.php:138
  • action · wp_head · thickbox.php:195
  • action · wp_footer · thickbox.php:229
  • action · wp_print_scripts · thickbox.php:241
  • action · wp_print_styles · thickbox.php:252
  • filter · wp_get_attachment_link · thickbox.php:272
  • action · admin_menu · thickbox.php:283
  • action · admin_head · thickbox.php:464
Maintenance & Trust

ThickBox Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.9.40
Last updated: Jun 21, 2014
PHP min version:
Downloads: 98K

Community Trust

Rating: 52/100
Number of ratings: 5
Active installs: 200
Developer Profile

ThickBox Developer Profile

Christian Schenk

3 plugins · 280 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect ThickBox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/thickbox/thickbox/thickbox.css
  • /wp-content/plugins/thickbox/thickbox/thickbox.js
  • /wp-content/plugins/thickbox/smoothbox/smoothbox.css
  • /wp-content/plugins/thickbox/smoothbox/smoothbox.js
Script Paths
  • /wp-content/plugins/thickbox/thickbox/thickbox.php?action=tcss
  • /wp-content/plugins/thickbox/thickbox/thickbox.php?action=tjs
  • /wp-content/plugins/thickbox/thickbox/thickbox.php?action=scss
  • /wp-content/plugins/thickbox/thickbox/thickbox.php?action=sjs
Version Parameters
  • ver=
  • ver=1.6.1

HTML / DOM Fingerprints

CSS Classes
  • TB_overlay
  • TB_window
  • TB_ajaxContent
  • TB_closeWindow
HTML Comments
  • <!-- ThickBox -->
  • <!-- /ThickBox -->
  • <!-- WordPress ThickBox plugin -->
  • <!-- Copyright (C) 2008-2012 Christian Schenk -->
  • +48 more
Data Attributes
  • data-thickbox-title
  • data-thickbox-caption
JS Globals
  • thickbox
  • tb_pathToImage
  • tb_make_thickbox
  • tb_remove
  • tb_show
FAQ

Frequently Asked Questions about ThickBox