Ultimate Post Thumbnails Security & Risk Analysis

wordpress.org/plugins/ultimate-post-thumbnails

The easiest way to add multiple featured images (and lightbox) to WordPress.

10 active installs · v2.1 · PHP + WP 4.6+ · Updated Jan 15, 2017
Tags: featured-image, multiple-post-thumbnails, responsive

Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Ultimate Post Thumbnails Safe to Use in 2026?

Generally Safe

Score 85/100

Ultimate Post Thumbnails has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 9yr ago
Risk Assessment

The plugin "ultimate-post-thumbnails" v2.1 exhibits a mixed security posture. On the positive side, it has no known historical vulnerabilities and uses prepared statements for all of its SQL queries, which indicates sound database-handling practice. Nonce and capability checks on most entry points also suggest awareness of common WordPress security measures.

However, the static analysis reveals significant concerns. The plugin has an unprotected AJAX handler, a direct attack surface that could be exploited if it is not properly secured. The taint analysis identifies three high-severity flows with unsanitized paths; these are particularly concerning because they indicate that attacker-controlled data could reach dangerous operations, leading to vulnerabilities such as arbitrary file read/write or cross-site scripting (XSS) if combined with other weaknesses. The use of the `unserialize` function is also a known risk, especially when the serialized data originates from an untrusted source or can be manipulated.

Given the lack of historical vulnerabilities, it is difficult to assess the plugin's long-term security track record definitively. The current analysis, however, highlights immediate risks that need addressing: the high-severity taint flows and the unprotected AJAX endpoint are critical issues that outweigh the good practices observed. So while the plugin demonstrates some secure coding habits, the identified risks warrant caution and remediation.

Key Concerns

  • Unprotected AJAX handler
  • 3 High severity unsanitized taint flows
  • Dangerous unserialize function used
  • 44% of outputs improperly escaped
  • Bundled outdated jQuery v1.10.2
Vulnerabilities
None known

Ultimate Post Thumbnails Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Ultimate Post Thumbnails Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 50 (39 escaped)
Nonce Checks: 5
Capability Checks: 5
File Operations: 5
External Requests: 0
Bundled Libraries: 2

Dangerous Functions Found

unserialize: `$child_array = unserialize($child_array);` (common\helper.php:281)

Bundled Libraries

Select2; jQuery 1.10.2

Output Escaping

44% escaped (89 total outputs)
Data Flows
3 unsanitized

Data Flow Analysis

4 flows, 3 with unsanitized paths
<class.meta_box> (common\classes\class.meta_box.php:0)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
1 unprotected

Ultimate Post Thumbnails Attack Surface

Entry Points: 3
Unprotected: 1

AJAX Handlers 2

auth · wp_ajax_dismiss_admin_notice (inc\notice-dismissal\persist-admin-notices-dismissal.php:47)
auth · wp_ajax_upt_shortcode_panel (shortcode\shortcode.thumbslider.php:19)

Shortcodes 1

[upt_slider] (shortcode\shortcode.thumbslider.php:20)
WordPress Hooks 46
filter upt_metabox_options (addons.php:33)
filter upt_metabox_options (addons.php:78)
action admin_menu (baseadmin\class.baseadmin.php:47)
filter media_view_strings (baseadmin\class.baseadmin.php:100)
action admin_enqueue_scripts (baseadmin\class.baseadmin.php:101)
action admin_enqueue_scripts (baseadmin\class.baseadmin.php:105)
action admin_head (baseadmin\class.baseadmin.php:108)
action save_post (common\classes\class.cache.php:11)
action deleted_post (common\classes\class.cache.php:12)
action switch_theme (common\classes\class.cache.php:13)
action save_post (common\classes\class.meta_box.php:49)
action admin_enqueue_scripts (common\classes\class.meta_box.php:50)
action add_meta_boxes (common\classes\class.meta_box.php:59)
filter style_loader_tag (common\helper.php:426)
action wp_enqueue_scripts (common\init.php:20)
action admin_enqueue_scripts (common\init.php:46)
action admin_enqueue_scripts (common\init.php:66)
filter editor_max_image_size (functions.php:651)
action init (inc\fly-dynamic-image-resizer.php:37)
filter media_row_actions (inc\fly-dynamic-image-resizer.php:45)
action delete_attachment (inc\fly-dynamic-image-resizer.php:46)
action admin_enqueue_scripts (inc\notice-dismissal\persist-admin-notices-dismissal.php:46)
filter upt_settings_general (inc\prettyphoto\prettyphoto.php:12)
filter upt_metabox_options (inc\prettyphoto\prettyphoto.php:40)
action wp_enqueue_scripts (inc\prettyphoto\prettyphoto.php:87)
filter upt_slider_atts (inc\prettyphoto\prettyphoto.php:120)
filter upt_post_thumbnail_link_atts (inc\prettyphoto\prettyphoto.php:127)
action admin_enqueue_scripts (inc\welcome.php:6)
action admin_init (inc\welcome.php:34)
action admin_menu (inc\welcome.php:59)
action admin_head (inc\welcome.php:75)
filter admin_post_thumbnail_html (metabox-post-thumbnails.php:148)
action after_setup_theme (register.php:23)
action after_setup_theme (shortcode\shortcode.thumbslider.php:18)
filter mce_external_plugins (shortcode\shortcode.thumbslider.php:26)
filter mce_buttons_2 (shortcode\shortcode.thumbslider.php:27)
action init (ultimate-post-thumbnails.php:30)
action admin_init (ultimate-post-thumbnails.php:54)
action admin_notices (ultimate-post-thumbnails.php:55)
action admin_enqueue_scripts (ultimate-post-thumbnails.php:57)
action wp_enqueue_scripts (ultimate-post-thumbnails.php:66)
action admin_enqueue_scripts (ultimate-post-thumbnails.php:80)
action wp_head (ultimate-post-thumbnails.php:88)
filter wp_get_attachment_image_attributes (ultimate-post-thumbnails.php:108)
filter post_thumbnail_html (ultimate-post-thumbnails.php:135)
filter upt_post_thumbnail_link_atts (ultimate-post-thumbnails.php:151)
Maintenance & Trust

Ultimate Post Thumbnails Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.32
Last updated: Jan 15, 2017
PHP min version
Downloads: 3K

Community Trust

Rating: 60/100
Number of ratings: 1
Active installs: 10
Developer Profile

Ultimate Post Thumbnails Developer Profile

Edward

1 plugin · 10 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Ultimate Post Thumbnails

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ultimate-post-thumbnails/css/admin.css
/wp-content/plugins/ultimate-post-thumbnails/css/front.css
/wp-content/plugins/ultimate-post-thumbnails/js/admin.js
/wp-content/plugins/ultimate-post-thumbnails/js/admin.add-featured-image.js
/wp-content/plugins/ultimate-post-thumbnails/js/front.js
/wp-content/plugins/ultimate-post-thumbnails/js/imagesloaded.pkgd.min.js
/wp-content/plugins/ultimate-post-thumbnails/js/jquery.flexslider.manualDirectionControls.js
Script Paths
/wp-content/plugins/ultimate-post-thumbnails/js/admin.js
/wp-content/plugins/ultimate-post-thumbnails/js/admin.add-featured-image.js
/wp-content/plugins/ultimate-post-thumbnails/js/front.js
/wp-content/plugins/ultimate-post-thumbnails/js/imagesloaded.pkgd.min.js
/wp-content/plugins/ultimate-post-thumbnails/js/jquery.flexslider.manualDirectionControls.js
Version Parameters
ultimate-post-thumbnails/css/admin.css?ver=
ultimate-post-thumbnails/css/front.css?ver=
ultimate-post-thumbnails/js/admin.js?ver=
ultimate-post-thumbnails/js/admin.add-featured-image.js?ver=
ultimate-post-thumbnails/js/front.js?ver=
ultimate-post-thumbnails/js/imagesloaded.pkgd.min.js?ver=
ultimate-post-thumbnails/js/jquery.flexslider.manualDirectionControls.js?ver=

HTML / DOM Fingerprints

CSS Classes
upt-image, upt-link-single
Data Attributes
data-dismissible="upt-notice-clear-cache"
JS Globals
window.UPT_VERSION
FAQ

Frequently Asked Questions about Ultimate Post Thumbnails