HM Books Gallery – Build a Book Showcase, Store or a Library in minutes Security & Risk Analysis

wordpress.org/plugins/wp-books-gallery

Book Gallery builds a mobile-friendly Book Store, Showcase or Library in a few minutes. It can also display PDFs and documents in a grid or list view.

2K active installs · v4.7.8 · PHP 7.2+ · WP 5.4+ · Updated Jan 31, 2026
Tags: affiliate-marketing, book, books, documents, pdf

Security score: 100/100 (grade A, Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Feb 20, 2023
Safety Verdict

Is HM Books Gallery – Build a Book Showcase, Store or a Library in minutes Safe to Use in 2026?

Generally Safe

Score 100/100

HM Books Gallery – Build a Book Showcase, Store or a Library in minutes has one known CVE, a medium-severity CSRF affecting versions <= 4.4.8 and fixed in 4.4.9. No CVE is currently unpatched.

1 known CVE · Last CVE: Feb 20, 2023 · Updated 2 months ago
Risk Assessment

The wp-books-gallery plugin v4.7.8 exhibits a mixed security posture. The attack surface is small (one shortcode, 23 registered hooks, no file operations, one external request) and the code carries 9 nonce checks and 5 capability checks, but several code signals and the vulnerability history warrant attention. The two `unserialize` calls (core/gallery-content.php:27 and core/single-content.php:28) deserialize values read with `get_option()`, so the input is the options table rather than a request parameter. That limits the exposure: PHP object injection through this sink requires an attacker who can already write the plugin's option rows, plus a usable gadget chain somewhere in the loaded code base. It is still a needless risk, because `unserialize()` called without `allowed_classes => false` will instantiate any class named in the stored string, and the safer form has been available since PHP 7.0, within the plugin's PHP 7.2 minimum. The taint analysis separately reports two flows with unsanitized paths, one of high severity; this page does not identify their sources and sinks, so they have to be confirmed by reading the code before being treated as vulnerabilities.

The vulnerability history consists of a single medium-severity CVE: a CSRF in versions <= 4.4.8 that allowed plugin settings to be changed, fixed in 4.4.9. The page records a 337-day interval before that patch, which is slow rather than prompt. Nothing is currently unpatched. A CSRF on a settings handler means a state-changing admin action ran without a request-forgery check, so every such handler should pair `check_admin_referer()` with a `current_user_can()` test; the 9 nonce and 5 capability checks now present suggest this has largely been done, but full coverage cannot be confirmed from counts alone. On the database side, 3 of the 7 queries (43%) use prepared statements (`$wpdb->prepare()` in WordPress). The other 4 are not automatically injectable, since a raw query with no variable input is harmless, but they are the first place to look for SQL injection and should be reviewed.

In conclusion, the limited attack surface and the existing nonce and capability checks are real strengths, while the `unserialize` sink, the two unsanitized taint flows, the 4 unprepared queries and the 161 unescaped outputs (47%) call for caution. The single CVE was only medium severity, but its root cause, a missing request-forgery check, belongs to the same class of defect that the remaining findings point at. Users should run the latest version (v4.7.8 at the time of analysis, with no known unpatched CVE), restrict which accounts can reach the plugin's admin pages, and watch for new advisories. The plugin is not acutely dangerous, but it should not be deployed without that review and ongoing monitoring.

Key Concerns

  • Dangerous function: unserialize() called on get_option() values in core/gallery-content.php:27 and core/single-content.php:28
  • Taint analysis: 2 flows with unsanitized paths, one of high severity
  • SQL queries: 4 of 7 (57%) not using prepared statements
  • Output escaping: 161 of 346 outputs (47%) not escaped
  • Bundled library: Freemius 1.0 (potentially outdated)
Vulnerabilities: 1

HM Books Gallery – Build a Book Showcase, Store or a Library in minutes Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 CVE total)

CVE-2023-23705 · medium (4.3) · Cross-Site Request Forgery (CSRF)

WordPress Books Gallery <= 4.4.8 - Cross-Site Request Forgery leading to Plugin Settings Changes

Published Feb 20, 2023 · Patched in 4.4.9 (337 days)
Code Analysis
Analyzed Mar 16, 2026

HM Books Gallery – Build a Book Showcase, Store or a Library in minutes Code Analysis

  • Dangerous functions: 2
  • SQL queries: 7 (3 prepared, 4 raw)
  • Output statements: 346 (185 escaped, 161 unescaped)
  • Nonce checks: 9
  • Capability checks: 5
  • File operations: 0
  • External requests: 1
  • Bundled libraries: 1

Dangerous Functions Found

unserialize in core/gallery-content.php:27:
    $this->settings = stripslashes_deep( unserialize( get_option('wbg_general_settings') ) );

unserialize in core/single-content.php:28:
    $this->settings = stripslashes_deep( unserialize( get_option('wbg_detail_settings') ) );
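
Both findings deserialize a value that was read with get_option(), so the data comes from the options table rather than straight from a request; the sink becomes exploitable once an attacker has some other way to write that option. The following is an added illustration of the risk assessment above and of these two findings, not code from wp-books-gallery: a constructed in-memory stand-in for the options table (get_option_stub and update_option_stub are stubs, not the WordPress functions), a constructed class with a __wakeup side effect standing in for a real gadget, a loader with the plugin's unserialize() shape, and a hardened loader that passes allowed_classes => false (PHP 7.0+, within the plugin's PHP 7.2 minimum) and validates the result. The setting key names are assumed.

```php
<?php
// Added illustration, not code from wp-books-gallery. Shows why unserialize()
// on a stored option is a PHP object injection sink and how
// allowed_classes => false neutralises it.
declare(strict_types=1);

// Constructed stand-in for a class with a deserialization side effect. Real
// gadget chains live in whatever other plugins or libraries are loaded.
final class GadgetLikeClass
{
    public string $cmd = '';

    public function __wakeup(): void
    {
        // A real gadget might write a file or run a command here.
        echo "[!] __wakeup executed, cmd={$this->cmd}\n";
    }
}

// Constructed in-memory stand-in for the wp_options table. These two stubs
// are NOT the WordPress get_option()/update_option().
$GLOBALS['wbg_option_store'] = [];

function update_option_stub(string $name, string $serialized): void
{
    $GLOBALS['wbg_option_store'][$name] = $serialized;
}

function get_option_stub(string $name): string
{
    return $GLOBALS['wbg_option_store'][$name] ?? '';
}

// Vulnerable loader, same shape as core/gallery-content.php:27: any class
// defined in the process can be instantiated by the stored string.
function load_settings_vulnerable(): array
{
    $settings = @unserialize(get_option_stub('wbg_general_settings'));
    return is_array($settings) ? $settings : [];
}

// Hardened loader.
function load_settings_hardened(): array
{
    $raw = get_option_stub('wbg_general_settings');
    if ($raw === '') {
        return [];
    }
    // allowed_classes => false: any object in the payload becomes
    // __PHP_Incomplete_Class and no __wakeup/__destruct/__toString runs.
    $settings = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($settings)) {
        return [];
    }
    // Keep only the keys the code expects (assumed names) so stray data
    // never reaches rendering code.
    $expected = ['columns' => 0, 'show_price' => 0, 'show_author' => 0];
    return array_intersect_key($settings, $expected);
}

// 1) A legitimate settings array: both loaders return the same data.
update_option_stub('wbg_general_settings', serialize(['columns' => 3, 'show_price' => 1]));
var_dump(load_settings_vulnerable() === load_settings_hardened()); // bool(true)

// 2) An attacker who has obtained an option-write primitive stores a
//    serialized object instead (constructed payload, our own class name).
$gadget = new GadgetLikeClass();
$gadget->cmd = 'id';
update_option_stub('wbg_general_settings', serialize($gadget));

load_settings_vulnerable();          // prints "[!] __wakeup executed, cmd=id"
var_dump(load_settings_hardened());  // array(0) {} and nothing else printed
```

Storing the array itself with update_option() and letting WordPress serialize it would remove the explicit unserialize() call altogether; the allowed_classes option is the smallest change when the stored format has to stay as it is. Neither replaces protecting the option-write paths themselves with nonce and capability checks, since that is where the attacker-controlled string would have to enter.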

Bundled Libraries

Freemius 1.0

SQL Query Safety

7 total queries, 43% prepared

Output Escaping

346 total outputs, 53% escaped

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows traced, 2 with unsanitized paths. The scanner's flow graph (source, sink, sanitizer and transform nodes, with unsanitized and sanitized edges) is not reproduced on this page; the only surviving node is the plugin entry file wp-books-gallery.php, so the sources and sinks of the two flows must be confirmed from the code.
Attack Surface

HM Books Gallery – Build a Book Showcase, Store or a Library in minutes Attack Surface

Entry points: 1 (unprotected: 0)

Shortcodes (1)

  • [wp_books_gallery] (front/cls-books-gallery-front.php:78)
WordPress Hooks (23)

  • action init (inc/cls-books-gallery-master.php:27)
  • action admin_enqueue_scripts (inc/cls-books-gallery-master.php:46)
  • action init (inc/cls-books-gallery-master.php:47)
  • action init (inc/cls-books-gallery-master.php:54)
  • action admin_menu (inc/cls-books-gallery-master.php:61)
  • action widgets_init (inc/cls-books-gallery-master.php:68)
  • filter admin_post_thumbnail_html (inc/cls-books-gallery-master.php:70)
  • action add_meta_boxes (inc/cls-books-gallery-master.php:71)
  • action save_post (inc/cls-books-gallery-master.php:78)
  • action wp_enqueue_scripts (inc/cls-books-gallery-master.php:89)
  • filter single_template (inc/cls-books-gallery-master.php:90)
  • filter archive_template (inc/cls-books-gallery-master.php:96)
  • filter tag_template (inc/cls-books-gallery-master.php:102)
  • action load-widgets.php (widget/cls-books-gallery-widget.php:14)
  • filter plugin_row_meta (wp-books-gallery.php:37)
  • action init (wp-books-gallery.php:61)
  • action pre_get_posts (wp-books-gallery.php:97)
  • filter manage_books_posts_columns (wp-books-gallery.php:123)
  • action manage_books_posts_custom_column (wp-books-gallery.php:162)
  • filter woocommerce_add_to_cart_redirect (wp-books-gallery.php:169)
  • filter woocommerce_return_to_shop_redirect (wp-books-gallery.php:177)
  • action admin_init (wp-books-gallery.php:183)
  • action admin_init (wp-books-gallery.php:204)
Maintenance & Trust

HM Books Gallery – Build a Book Showcase, Store or a Library in minutes Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 31, 2026
PHP min version: 7.2
Downloads: 123K

Community Trust

Rating: 94/100
Number of ratings: 89
Active installs: 2K
Developer Profile

HM Books Gallery – Build a Book Showcase, Store or a Library in minutes Developer Profile

Hossni Mubarak

13 plugins · 8K total installs

Trust score: 76
Avg security score: 96/100
Avg patch time: 146 days
Detection Fingerprints

How We Detect HM Books Gallery – Build a Book Showcase, Store or a Library in minutes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-books-gallery/assets/css/frontend.css
  • /wp-content/plugins/wp-books-gallery/assets/css/magnific-popup.css
  • /wp-content/plugins/wp-books-gallery/assets/js/frontend.js
  • /wp-content/plugins/wp-books-gallery/assets/js/jquery.magnific-popup.min.js
  • /wp-content/plugins/wp-books-gallery/assets/js/wow.min.js
  • /wp-content/plugins/wp-books-gallery/assets/js/jquery.ddslick.min.js

Script Paths
  • assets/js/frontend.js
  • assets/js/jquery.magnific-popup.min.js
  • assets/js/wow.min.js
  • assets/js/jquery.ddslick.min.js

Version Parameters
  • wp-books-gallery/assets/css/frontend.css?ver=
  • wp-books-gallery/assets/js/frontend.js?ver=
  • wp-books-gallery/assets/js/jquery.magnific-popup.min.js?ver=
  • wp-books-gallery/assets/js/wow.min.js?ver=
  • wp-books-gallery/assets/js/jquery.ddslick.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wbg-gallery-item
  • wbg-gallery-item-image
  • wbg-gallery-item-title
  • wbg-gallery-item-author
  • wbg-gallery-item-price
  • wbg-gallery-item-button
  • wbg-no-image
  • wbg-admin-book-cover-list

HTML Comments
  • <!-- Donate us link to plugin description -->
  • <!-- rewrite_rules upon plugin activation -->
  • <!-- include your custom post type on category and tags pages -->
  • <!-- Add Columns to logo list table -->
  • (2 more not listed)

Data Attributes
  • data-wbg-img
  • data-wbg-title
  • data-wbg-author
  • data-wbg-price
  • data-wbg-button
  • data-wbg-id

JS Globals
  • WBG_ASSETS
  • WBG_CLS_PRFX
  • WBG_VERSION

Shortcode Output
  • [wp_books_gallery]
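
The following is an added example of applying the fingerprints listed above; it is not the scanner's or the plugin's code. It scans a page's raw HTML for the asset paths, CSS classes, data attributes and JS globals from the lists above, extracts any version exposed through the ?ver= parameter on plugin assets, and applies a simple decision rule (an asset URL under the plugin directory is decisive on its own; DOM-only evidence needs two independent indicator kinds). The HTML passed in at the bottom is constructed sample input, not a real site, and the decision rule is this example's own choice.

```php
<?php
// Added example, not the scanner's or the plugin's code: apply the
// wp-books-gallery fingerprints to a page's HTML and report what matched
// plus any version leaked through ?ver= on the plugin's own assets.
declare(strict_types=1);

const WBG_PLUGIN_DIR = '/wp-content/plugins/wp-books-gallery/';

// Indicator sets copied from the fingerprint lists above.
const WBG_ASSET_PATHS = [
    'assets/css/frontend.css',
    'assets/css/magnific-popup.css',
    'assets/js/frontend.js',
    'assets/js/jquery.magnific-popup.min.js',
    'assets/js/wow.min.js',
    'assets/js/jquery.ddslick.min.js',
];
const WBG_CSS_CLASSES = [
    'wbg-gallery-item', 'wbg-gallery-item-image', 'wbg-gallery-item-title',
    'wbg-gallery-item-author', 'wbg-gallery-item-price', 'wbg-gallery-item-button',
    'wbg-no-image',
];
const WBG_DATA_ATTRS = ['data-wbg-img', 'data-wbg-title', 'data-wbg-author',
                        'data-wbg-price', 'data-wbg-button', 'data-wbg-id'];
const WBG_JS_GLOBALS = ['WBG_ASSETS', 'WBG_CLS_PRFX', 'WBG_VERSION'];

/**
 * Scan raw HTML for wp-books-gallery indicators. Returns an array with keys
 * detected (bool), assets, classes, data_attrs, globals and versions (lists).
 */
function wbg_fingerprint(string $html): array
{
    $r = ['detected' => false, 'assets' => [], 'classes' => [],
          'data_attrs' => [], 'globals' => [], 'versions' => []];

    foreach (WBG_ASSET_PATHS as $path) {
        // Match the plugin-relative asset URL and, if present, its ?ver= value.
        $re = '#' . preg_quote(WBG_PLUGIN_DIR . $path, '#')
            . '(?:\?[^"\'\s>]*?\bver=([0-9][0-9A-Za-z.\-]*))?#';
        if (preg_match_all($re, $html, $m) > 0) {
            $r['assets'][] = $path;
            foreach ($m[1] as $ver) {
                if ($ver !== '') {
                    $r['versions'][$ver] = true;
                }
            }
        }
    }
    $r['versions'] = array_keys($r['versions']);

    // Tokens are bounded by non-word, non-hyphen characters so that
    // wbg-gallery-item is not also counted inside wbg-gallery-item-title.
    foreach (WBG_CSS_CLASSES as $cls) {
        if (preg_match('/(?<![\w-])' . preg_quote($cls, '/') . '(?![\w-])/', $html)) {
            $r['classes'][] = $cls;
        }
    }
    foreach (WBG_DATA_ATTRS as $attr) {
        if (preg_match('/(?<![\w-])' . preg_quote($attr, '/') . '(?![\w-])/', $html)) {
            $r['data_attrs'][] = $attr;
        }
    }
    foreach (WBG_JS_GLOBALS as $g) {
        if (preg_match('/\b' . preg_quote($g, '/') . '\b/', $html)) {
            $r['globals'][] = $g;
        }
    }

    // Decision rule (this example's own): a plugin asset URL is decisive;
    // DOM-only evidence needs two independent indicator kinds.
    $kinds = count(array_filter([$r['classes'], $r['data_attrs'], $r['globals']]));
    $r['detected'] = $r['assets'] !== [] || $kinds >= 2;
    return $r;
}

// Constructed sample page, not a real site.
$sample = <<<'HTML'
<html><head>
<link rel="stylesheet" href="https://example.test/wp-content/plugins/wp-books-gallery/assets/css/frontend.css?ver=4.7.8">
<script src="https://example.test/wp-content/plugins/wp-books-gallery/assets/js/frontend.js?ver=4.7.8"></script>
<script>var WBG_VERSION = "4.7.8";</script>
</head><body>
<div class="wbg-gallery-item" data-wbg-id="12">
  <span class="wbg-gallery-item-title">Sample</span>
</div>
</body></html>
HTML;

// Expected: detected true; assets frontend.css and frontend.js; versions
// ["4.7.8"]; classes wbg-gallery-item and wbg-gallery-item-title;
// data_attrs data-wbg-id; globals WBG_VERSION.
print_r(wbg_fingerprint($sample));
var_dump(wbg_fingerprint('<html><body><p>no gallery here</p></body></html>')['detected']); // bool(false)
```

One caveat when reading the versions list: if the ?ver= value equals the site's WordPress core version rather than a plugin version, the asset was enqueued without an explicit version string and the parameter says nothing about which plugin build is installed.
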
FAQ

Frequently Asked Questions about HM Books Gallery – Build a Book Showcase, Store or a Library in minutes