Visual Portfolio, Photo Gallery & Post Grid Security & Risk Analysis

wordpress.org/plugins/visual-portfolio

Powerful WordPress gallery plugin for stunning photo, video & album galleries with advanced layouts and flexible block editing.

60K active installs · v3.6.0 · PHP 7.2+ · WP 6.2+ · Updated Mar 25, 2026
Tags: gallery, gallery-block, image-gallery, portfolio, wordpress-gallery-plugin
93 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Mar 20, 2026
Safety Verdict

Is Visual Portfolio, Photo Gallery & Post Grid Safe to Use in 2026?

Generally Safe

Score 93/100

Visual Portfolio, Photo Gallery & Post Grid has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Mar 20, 2026 · Updated 1mo ago
Risk Assessment

The Visual Portfolio plugin exhibits a mixed security posture. Static analysis shows a significant number of entry points, all of which appear to have authorization checks, and a good percentage of output is properly escaped, but there are still areas of concern. The presence of `create_function` is a direct red flag for potential security risks because of its eval-like behavior. Furthermore, 100% of SQL queries are not using prepared statements, which is a substantial risk that opens the door to SQL injection vulnerabilities. The plugin's history of 3 medium-severity CVEs, although currently unpatched, indicates a pattern of past vulnerabilities. The common types, Cross-Site Scripting and Injection, suggest that improper handling of user-supplied data is a recurring issue. The absence of critical taint flows and unsanitized paths is positive, and the recent vulnerability being patched is a good sign, but the issues above warrant careful consideration. The use of `create_function` and the lack of prepared statements are the most pressing concerns.

Key Concerns

  • Dangerous function create_function found
  • 100% of SQL queries not using prepared statements
  • 3 medium severity CVEs in history
Vulnerabilities
4 published

Visual Portfolio, Photo Gallery & Post Grid Security Vulnerabilities

CVEs by Year

2022: 2 CVEs
2024: 1 CVE
2026: 1 CVE

Severity Breakdown

High: 1
Medium: 3

4 total CVEs

CVE-2026-32537 · high · 7.5 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Visual Portfolio, Photo Gallery & Post Grid <= 3.5.1 - Authenticated (Subscriber+) Local File Inclusion

Mar 20, 2026 Patched in 3.5.2 (7d)
CVE-2024-4363 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Visual Portfolio, Photo Gallery & Post Grid <= 3.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via title_tag Parameter

May 14, 2024 Patched in 3.3.3 (1d)
CVE-2022-2597 · medium · 4.3 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Visual Portfolio, Photo Gallery & Post Grid <= 2.18.0 - Contributor+ CSS Injection

Aug 15, 2022 Patched in 2.19.0 (526d)
CVE-2022-2543 · medium · 5.3 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Visual Portfolio, Photo Gallery & Post Grid <= 2.17.1 - Unauthenticated CSS Injection

Aug 15, 2022 Patched in 2.18.0 (526d)
Version History

Visual Portfolio, Photo Gallery & Post Grid Release Timeline

v3.6.0 · Current
v3.5.2
v3.5.1 · 1 CVE
v3.5.0 · 1 CVE
v3.4.1 · 1 CVE
v3.4.0 · 1 CVE
v3.3.16 · 1 CVE
v3.3.15 · 1 CVE
v3.3.14 · 1 CVE
v3.3.13 · 1 CVE
v3.3.12 · 1 CVE
v3.3.11 · 1 CVE
v3.3.10 · 1 CVE
v3.3.9 · 1 CVE
v3.3.8 · 1 CVE
v3.3.7 · 1 CVE
v3.3.6 · 1 CVE
v3.3.5 · 1 CVE
v3.3.4 · 1 CVE
v3.3.3 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Visual Portfolio, Photo Gallery & Post Grid Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 96 (499 escaped)
Nonce Checks: 16
Capability Checks: 11
File Operations: 4
External Requests: 0
Bundled Libraries: 2

Dangerous Functions Found

create_function · vendors\class-settings-api.php:121
`$callback = create_function( '', 'echo "' . str_replace( '"', '\"', $section['desc'] ) . '";' );`

Bundled Libraries

Select2, TinyMCE

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

84% escaped · 595 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

4 flows
ajax_find_oembed (classes\class-admin.php:3845)
Attack Surface

Visual Portfolio, Photo Gallery & Post Grid Attack Surface

Entry Points: 7
Unprotected: 0

AJAX Handlers 4

auth · wp_ajax_vp_find_oembed · classes\class-admin.php:39
auth · wp_ajax_vpf_dismiss_ask_review_notice · classes\class-ask-review.php:29
auth · wp_ajax_vp_dynamic_control_callback · classes\class-controls.php:136
auth · wp_ajax_vp_get_pages_list · classes\class-settings.php:101

Shortcodes 3

[visual_portfolio] classes\class-shortcode.php:21
[visual_portfolio_filter] classes\class-shortcode.php:22
[visual_portfolio_sort] classes\class-shortcode.php:23
WordPress Hooks 204
action · init · class-visual-portfolio.php:115
action · init · class-visual-portfolio.php:116
action · init · class-visual-portfolio.php:117
action · plugins_loaded · class-visual-portfolio.php:374
filter · a3_lazy_load_skip_images_classes · classes\3rd\plugins\class-a3-lazy-load.php:21
filter · aioseo_canonical_url · classes\3rd\plugins\class-all-in-one-seo.php:21
filter · aioseo_schema_output · classes\3rd\plugins\class-all-in-one-seo.php:22
action · wp_print_footer_scripts · classes\3rd\plugins\class-all-in-one-seo.php:23
action · wp_print_footer_scripts · classes\3rd\plugins\class-all-in-one-seo.php:24
action · wp · classes\3rd\plugins\class-all-in-one-seo.php:25
action · wp · classes\3rd\plugins\class-all-in-one-seo.php:26
action · wp_head · classes\3rd\plugins\class-divi.php:20
action · elementor/widgets/register · classes\3rd\plugins\class-elementor.php:27
action · wp_body_open · classes\3rd\plugins\class-elementor.php:31
action · wp_footer · classes\3rd\plugins\class-elementor.php:32
action · wp_enqueue_scripts · classes\3rd\plugins\class-elementor.php:35
filter · vpf_images_lazyload · classes\3rd\plugins\class-ewww-image-optimizer.php:25
filter · vpf_enqueue_plugin_lazysizes · classes\3rd\plugins\class-ewww-image-optimizer.php:26
action · wp_enqueue_scripts · classes\3rd\plugins\class-fancybox.php:20
filter · imagify_picture_attributes · classes\3rd\plugins\class-imagify.php:25
filter · imagify_picture_img_attributes · classes\3rd\plugins\class-imagify.php:26
filter · jetpack_lazy_images_skip_image_with_attributes · classes\3rd\plugins\class-jetpack.php:21
action · wp_enqueue_scripts · classes\3rd\plugins\class-jetpack.php:23
filter · vpf_images_lazyload · classes\3rd\plugins\class-lazy-loading-responsive-images.php:25
filter · vpf_enqueue_plugin_lazysizes · classes\3rd\plugins\class-lazy-loading-responsive-images.php:26
action · init · classes\3rd\plugins\class-paid-memberships-pro.php:20
filter · rank_math/frontend/canonical · classes\3rd\plugins\class-rank-math.php:21
filter · rank_math/frontend/title · classes\3rd\plugins\class-rank-math.php:22
filter · rank_math/opengraph/facebook/og_title · classes\3rd\plugins\class-rank-math.php:23
action · rank_math/head · classes\3rd\plugins\class-rank-math.php:24
action · rank_math/head · classes\3rd\plugins\class-rank-math.php:25
filter · vpf_images_lazyload · classes\3rd\plugins\class-sg-cachepress.php:25
action · wp_enqueue_scripts · classes\3rd\plugins\class-sg-cachepress.php:26
action · admin_enqueue_scripts · classes\3rd\plugins\class-tinymce.php:27
action · admin_head · classes\3rd\plugins\class-tinymce.php:28
filter · mce_external_plugins · classes\3rd\plugins\class-tinymce.php:36
filter · mce_buttons · classes\3rd\plugins\class-tinymce.php:37
action · init · classes\3rd\plugins\class-vc.php:27
action · admin_enqueue_scripts · classes\3rd\plugins\class-vc.php:28
filter · rocket_delay_js_exclusions · classes\3rd\plugins\class-wp-rocket.php:21
action · init · classes\3rd\plugins\class-wpml.php:32
filter · vpf_registered_controls · classes\3rd\plugins\class-wpml.php:39
filter · vpf_extend_options_before_query_args · classes\3rd\plugins\class-wpml.php:40
action · wp_insert_post · classes\3rd\plugins\class-wpml.php:51
filter · wpseo_canonical · classes\3rd\plugins\class-yoast.php:21
filter · wpseo_opengraph_url · classes\3rd\plugins\class-yoast.php:22
filter · wpseo_schema_webpage · classes\3rd\plugins\class-yoast.php:23
filter · wpseo_schema_breadcrumb · classes\3rd\plugins\class-yoast.php:24
filter · wpseo_opengraph_title · classes\3rd\plugins\class-yoast.php:25
filter · vpf_images_lazyload · classes\3rd\themes\class-avada.php:32
filter · vpf_enqueue_plugin_lazysizes · classes\3rd\themes\class-avada.php:33
filter · blocksy:custom_post_types:supported_list · classes\3rd\themes\class-blocksy.php:32
filter · blocksy:editor:post_types_for_rest_field · classes\3rd\themes\class-blocksy.php:35
filter · vpf_extend_portfolio_class · classes\3rd\themes\class-enfold.php:36
filter · vpf_images_lazyload · classes\3rd\themes\class-enfold.php:39
action · init · classes\3rd\themes\class-thrive-architect.php:21
filter · vpf_enqueue_dynamic_styles_inline_style · classes\3rd\themes\class-thrive-architect.php:32
action · admin_enqueue_scripts · classes\class-admin.php:20
action · enqueue_block_assets · classes\class-admin.php:21
action · in_admin_header · classes\class-admin.php:22
filter · admin_footer_text · classes\class-admin.php:23
action · admin_menu · classes\class-admin.php:27
action · admin_menu · classes\class-admin.php:28
action · admin_menu · classes\class-admin.php:31
action · init · classes\class-admin.php:34
filter · vpf_extend_layouts · classes\class-admin.php:35
filter · vpf_extend_items_styles · classes\class-admin.php:36
action · init · classes\class-archive-mapping.php:57
action · pre_get_posts · classes\class-archive-mapping.php:78
action · pre_post_update · classes\class-archive-mapping.php:79
action · deleted_post · classes\class-archive-mapping.php:80
action · trashed_post · classes\class-archive-mapping.php:81
action · update_option_vp_general · classes\class-archive-mapping.php:82
action · update_option_page_on_front · classes\class-archive-mapping.php:83
action · vpf_extend_query_args · classes\class-archive-mapping.php:84
filter · vpf_layout_element_options · classes\class-archive-mapping.php:85
filter · display_post_states · classes\class-archive-mapping.php:88
action · admin_init · classes\class-archive-mapping.php:91
action · admin_init · classes\class-archive-mapping.php:92
filter · post_type_link · classes\class-archive-mapping.php:93
filter · vpf_extend_filter_items · classes\class-archive-mapping.php:94
filter · the_title · classes\class-archive-mapping.php:95
filter · body_class · classes\class-archive-mapping.php:96
filter · redirect_canonical · classes\class-archive-mapping.php:97
filter · pre_get_shortlink · classes\class-archive-mapping.php:98
filter · vpf_extend_portfolio_data_attributes · classes\class-archive-mapping.php:99
filter · vpf_pagination_item_data · classes\class-archive-mapping.php:100
filter · vpf_pagination_args · classes\class-archive-mapping.php:101
filter · vpf_extend_sort_item_url · classes\class-archive-mapping.php:102
filter · vpf_each_item_args · classes\class-archive-mapping.php:103
filter · wxr_importer.pre_process.post · classes\class-archive-mapping.php:104
filter · wp_nav_menu_objects · classes\class-archive-mapping.php:105
action · admin_notices · classes\class-ask-review.php:27
action · admin_enqueue_scripts · classes\class-ask-review.php:28
action · template_redirect · classes\class-assets.php:39
action · wp_enqueue_scripts · classes\class-assets.php:40
action · template_redirect · classes\class-assets.php:42
action · template_redirect · classes\class-assets.php:43
action · wp_footer · classes\class-assets.php:45
action · wp_head · classes\class-assets.php:47
action · wp_head · classes\class-assets.php:50
filter · wp · classes\class-assets.php:53
action · vpf_parse_blocks · classes\class-assets.php:54
action · enqueue_block_editor_assets · classes\class-assets.php:57
action · wp_enqueue_scripts · classes\class-assets.php:58
action · wp_head · classes\class-assets.php:517
filter · vpf_control_value · classes\class-controls.php:139
action · after_setup_theme · classes\class-custom-post-meta.php:21
action · init · classes\class-custom-post-meta.php:22
action · add_meta_boxes · classes\class-custom-post-meta.php:23
action · save_post · classes\class-custom-post-meta.php:24
action · save_post · classes\class-custom-post-meta.php:25
action · wp_head · classes\class-custom-post-meta.php:26
action · init · classes\class-custom-post-type.php:39
action · restrict_manage_posts · classes\class-custom-post-type.php:40
action · init · classes\class-custom-post-type.php:43
action · screen_options_show_screen · classes\class-custom-post-type.php:46
filter · manage_portfolio_posts_columns · classes\class-custom-post-type.php:49
filter · manage_portfolio_posts_custom_column · classes\class-custom-post-type.php:50
filter · admin_notices · classes\class-custom-post-type.php:53
filter · manage_vp_lists_posts_columns · classes\class-custom-post-type.php:56
action · manage_vp_lists_posts_custom_column · classes\class-custom-post-type.php:57
action · restrict_manage_posts · classes\class-custom-post-type.php:58
action · parse_query · classes\class-custom-post-type.php:59
filter · allowed_block_types_all · classes\class-custom-post-type.php:62
action · classic_editor_enabled_editors_for_post_type · classes\class-custom-post-type.php:65
action · use_block_editor_for_post_type · classes\class-custom-post-type.php:66
action · use_block_editor_for_post · classes\class-custom-post-type.php:67
filter · user_can_richedit · classes\class-custom-post-type.php:70
action · admin_menu · classes\class-custom-post-type.php:73
action · admin_menu · classes\class-custom-post-type.php:74
action · wp_before_admin_bar_render · classes\class-custom-post-type.php:77
action · init · classes\class-custom-post-type.php:80
action · activated_plugin · classes\class-deactivate-duplicate-plugin.php:20
action · pre_current_active_plugins · classes\class-deactivate-duplicate-plugin.php:21
filter · vpf_items_style_builtin_controls_options · classes\class-deprecated.php:36
filter · vpf_items_style_builtin_controls · classes\class-deprecated.php:37
filter · vpf_get_options · classes\class-deprecated.php:38
filter · vpf_image_item_args · classes\class-deprecated.php:42
filter · vpf_post_item_args · classes\class-deprecated.php:43
filter · vpf_each_item_args · classes\class-deprecated.php:46
action · enqueue_block_assets · classes\class-gutenberg.php:27
action · admin_init · classes\class-image-placeholder.php:21
action · wp · classes\class-image-placeholder.php:23
action · wp_loaded · classes\class-images.php:50
action · after_setup_theme · classes\class-images.php:52
filter · image_size_names_choose · classes\class-images.php:53
filter · kses_allowed_protocols · classes\class-images.php:61
filter · vpf_lazyload_skip_image_with_attributes · classes\class-images.php:168
filter · the_content · classes\class-images.php:172
filter · post_thumbnail_html · classes\class-images.php:173
filter · get_avatar · classes\class-images.php:174
filter · widget_text · classes\class-images.php:175
filter · get_image_tag · classes\class-images.php:176
filter · woocommerce_placeholder_img · classes\class-images.php:179
filter · woocommerce_product_get_image · classes\class-images.php:180
filter · woocommerce_single_product_image_thumbnail_html · classes\class-images.php:181
action · wp_kses_allowed_html · classes\class-images.php:184
action · wp_head · classes\class-images.php:185
action · admin_init · classes\class-migration.php:35
action · wp · classes\class-migration.php:37
action · wp · classes\class-parse-blocks.php:30
action · render_block · classes\class-parse-blocks.php:36
filter · the_content · classes\class-parse-blocks.php:44
filter · widget_block_content · classes\class-parse-blocks.php:45
action · init · classes\class-preview.php:35
filter · pre_handle_404 · classes\class-preview.php:36
filter · vpf_get_options · classes\class-preview.php:37
action · template_redirect · classes\class-preview.php:38
action · wp_enqueue_scripts · classes\class-preview.php:39
action · enqueue_block_assets · classes\class-preview.php:42
action · wp_print_scripts · classes\class-preview.php:43
filter · pre_option_permalink_structure · classes\class-preview.php:52
filter · show_admin_bar · classes\class-preview.php:250
filter · script_loader_tag · classes\class-preview.php:255
action · rest_api_init · classes\class-rest.php:34
filter · wp_kses_allowed_html · classes\class-security.php:20
filter · wp_kses_allowed_html · classes\class-security.php:21
filter · wp_kses_allowed_html · classes\class-security.php:22
action · init · classes\class-seo-optimization.php:31
action · wp_head · classes\class-seo-optimization.php:42
action · admin_init · classes\class-settings.php:97
action · admin_menu · classes\class-settings.php:98
action · admin_enqueue_scripts · classes\class-settings.php:100
filter · aioseo_sitemap_posts · classes\class-sitemap.php:16
filter · rank_math/sitemap/urlimages · classes\class-sitemap.php:17
filter · wpseo_sitemap_urlimages · classes\class-sitemap.php:18
action · wp_enqueue_scripts · classes\class-supported-themes.php:20
action · admin_init · classes\class-welcome-screen.php:20
action · admin_menu · classes\class-welcome-screen.php:21
action · admin_head · classes\class-welcome-screen.php:22
action · init · gutenberg\block\index.php:20
action · init · gutenberg\block-saved\index.php:27
action · admin_init · gutenberg\block-saved\index.php:28
action · init · gutenberg\blocks\filter-by-category\index.php:20
action · init · gutenberg\blocks\filter-by-category-item\index.php:20
action · init · gutenberg\blocks\loop\index.php:20
action · init · gutenberg\blocks\pagination\index.php:20
action · init · gutenberg\blocks\pagination-infinite\index.php:20
action · init · gutenberg\blocks\pagination-load-more\index.php:20
action · init · gutenberg\blocks\pagination-next\index.php:20
action · init · gutenberg\blocks\pagination-numbers\index.php:20
action · init · gutenberg\blocks\pagination-previous\index.php:20
action · init · gutenberg\blocks\sort\index.php:20
Maintenance & Trust

Visual Portfolio, Photo Gallery & Post Grid Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 25, 2026
PHP min version: 7.2
Downloads: 2.3M

Community Trust

Rating: 96/100
Number of ratings: 330
Active installs: 60K
Developer Profile

Visual Portfolio, Photo Gallery & Post Grid Developer Profile

Danny van Kooten

94 plugins · 2.1M total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 514 days
Detection Fingerprints

How We Detect Visual Portfolio, Photo Gallery & Post Grid

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/visual-portfolio/assets/css/visual-portfolio-frontend.css
/wp-content/plugins/visual-portfolio/assets/js/visual-portfolio-frontend.js
/wp-content/plugins/visual-portfolio/gutenberg/blocks/pagination/view.asset.php
Script Paths
/wp-content/plugins/visual-portfolio/assets/js/visual-portfolio-frontend.js
/wp-content/plugins/visual-portfolio/gutenberg/blocks/pagination/view.asset.php
Version Parameters
/wp-content/plugins/visual-portfolio/assets/css/visual-portfolio-frontend.css?ver=
/wp-content/plugins/visual-portfolio/assets/js/visual-portfolio-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
vp-portfolio
HTML Comments
Visual Portfolio
Plugin Name: Visual Portfolio, Posts & Image Gallery
Author: Visual Portfolio Team
Data Attributes
data-vp-id
JS Globals
visualPortfolioFrontend
REST Endpoints
/wp-json/visual-portfolio/v1/get-portfolio
Shortcode Output
[visual-portfolio]
FAQ

Frequently Asked Questions about Visual Portfolio, Photo Gallery & Post Grid