Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Security & Risk Analysis

wordpress.org/plugins/wp-carousel-free

Carousel, Slider, and Photo Gallery with Lightbox plugin. Create Image Carousel, Video Slider, Post Carousel, Post Grid, Product Carousel, and more.

70K active installs · v2.7.10 · PHP 7.0.0+ · WP 5.0+ · Updated Jan 6, 2026
Tags: carousel, gallery, slider, slideshow, video-slider
Score: 96 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Jan 31, 2025
Safety Verdict

Is Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Safe to Use in 2026?

Generally Safe

Score 96/100

Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Jan 31, 2025 · Updated 2mo ago
Risk Assessment

The wp-carousel-free plugin v2.7.10 presents a mixed security posture. While it demonstrates good practices such as a high percentage of properly escaped outputs and a decent number of nonce and capability checks, significant concerns remain. The presence of 4 AJAX handlers without authentication checks creates a substantial attack surface, potentially allowing unauthorized actions. Furthermore, the use of the `unserialize` function without further context is a critical warning sign, as it can lead to deserialization vulnerabilities if untrusted data is processed. The plugin's vulnerability history is also concerning, with a total of 5 known CVEs, including one high severity and four medium severity vulnerabilities. The common vulnerability types of Cross-site Scripting and Deserialization of Untrusted Data directly correlate with the code signals identified. While there are no currently unpatched vulnerabilities, this history indicates a recurring pattern of exploitable flaws, demanding vigilance from users and developers. The plugin's strengths in output escaping and checks are overshadowed by its unprotected entry points and historical susceptibility to dangerous code patterns.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function `unserialize` used
  • History of one high-severity CVE
  • History of four medium-severity CVEs
Vulnerabilities
5

Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2024: 3 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 4

5 total CVEs

CVE-2024-13314 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Carousel, Slider, Gallery by WP Carousel <= 2.7.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Jan 31, 2025 Patched in 2.7.4 (27d)

CVE-2024-4002 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Carousel, Slider, Gallery by WP Carousel <= 2.6.8 - Authenticated (Editor+) Stored Cross-Site Scripting

Oct 30, 2024 Patched in 2.6.9 (115d)

CVE-2024-3020 · high · 7.2 · Deserialization of Untrusted Data

Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce <= 2.6.3 - Authenticated (Admin+) PHP Object Injection

Apr 9, 2024 Patched in 2.6.4 (1d)

CVE-2024-2949 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Carousel, Slider, Gallery by WP Carousel – Image Carousel & Photo Gallery, Post Carousel & Post Grid, Product Carousel & Product Grid for WooCommerce <= 2.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'sp_wp_carousel_shortcode'

Apr 5, 2024 Patched in 2.6.4 (7d)

CVE-2022-4482 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Carousel, Slider, Gallery by WP Carousel <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 22, 2022 Patched in 2.5.3 (397d)
Code Analysis
Analyzed Mar 16, 2026

Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 2 (2 prepared)
  • Unescaped Output: 98 (847 escaped)
  • Nonce Checks: 14
  • Capability Checks: 11
  • File Operations: 0
  • External Requests: 1
  • Bundled Libraries: 0

Dangerous Functions Found

`unserialize` · `$plugins = unserialize( $response['body'] );` · admin\help-page\help.php:168

SQL Query Safety

50% prepared · 4 total queries

Output Escaping

90% escaped · 945 total outputs
Data Flows
All sanitized

Data Flow Analysis

5 flows
<class-wp-carousel-free-admin> (admin\class-wp-carousel-free-admin.php:0)
Attack Surface
4 unprotected

Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Attack Surface

Entry Points: 12
Unprotected: 4

AJAX Handlers 10

  • auth · wp_ajax_wpcf_image_save_meta · admin\class-wp-carousel-free-admin.php:60
  • auth · wp_ajax_wpcf_image_get_attachment_links · admin\class-wp-carousel-free-admin.php:61
  • auth · wp_ajax_sp_wpcf_preview_meta_box · admin\preview\class-wp-carousel-free-preview.php:36
  • auth · wp_ajax_shapedplugin_dismiss_offer_banner · admin\views\notices\offer-banner.php:36
  • auth · wp_ajax_wpcf-reset · admin\views\sp-framework\functions\actions.php:34
  • auth · wp_ajax_wpcf-chosen · admin\views\sp-framework\functions\actions.php:71
  • auth · wp_ajax_sp-wpcfree-never-show-review-notice · wp-carousel-free.php:223
  • auth · wp_ajax_wp_ajax_install_plugin · wp-carousel-free.php:224
  • auth · wp_ajax_wpcp_export_shortcodes · wp-carousel-free.php:249
  • auth · wp_ajax_wpcp_import_shortcodes · wp-carousel-free.php:250

Shortcodes 2

[wcfgallery] public\shortcode-deprecated.php:211
[sp_wpcarousel] wp-carousel-free.php:306
WordPress Hooks 45
  • action · elementor/preview/enqueue_styles · admin\class-wp-carousel-free-elementor-block.php:68
  • action · elementor/preview/enqueue_scripts · admin\class-wp-carousel-free-elementor-block.php:69
  • action · elementor/editor/before_enqueue_scripts · admin\class-wp-carousel-free-elementor-block.php:70
  • action · elementor/init · admin\class-wp-carousel-free-elementor-block.php:137
  • action · elementor/widgets/register · admin\class-wp-carousel-free-elementor-block.php:154
  • action · init · admin\GutenbergBlock\class-wp-carousel-free-gutenberg-block-init.php:36
  • action · enqueue_block_editor_assets · admin\GutenbergBlock\class-wp-carousel-free-gutenberg-block-init.php:37
  • action · admin_menu · admin\help-page\help.php:63
  • action · admin_print_scripts · admin\help-page\help.php:68
  • action · wpcf_enqueue · admin\help-page\help.php:69
  • action · print_media_templates · admin\Media_View\class-wp-carousel-free-media-view.php:52
  • action · admin_notices · admin\views\notices\offer-banner.php:35
  • action · wp_enqueue_scripts · admin\views\sp-framework\classes\abstract.class.php:47
  • action · admin_menu · admin\views\sp-framework\classes\admin-options.class.php:185
  • action · admin_bar_menu · admin\views\sp-framework\classes\admin-options.class.php:186
  • action · network_admin_menu · admin\views\sp-framework\classes\admin-options.class.php:190
  • action · add_meta_boxes · admin\views\sp-framework\classes\metabox-options.class.php:112
  • action · save_post · admin\views\sp-framework\classes\metabox-options.class.php:113
  • action · edit_attachment · admin\views\sp-framework\classes\metabox-options.class.php:114
  • action · after_setup_theme · admin\views\sp-framework\classes\setup.class.php:133
  • action · init · admin\views\sp-framework\classes\setup.class.php:134
  • action · switch_theme · admin\views\sp-framework\classes\setup.class.php:135
  • action · admin_enqueue_scripts · admin\views\sp-framework\classes\setup.class.php:136
  • action · print_default_editor_scripts · admin\views\sp-framework\fields\wp_editor\wp_editor.php:95
  • action · plugins_loaded · includes\class-wp-carousel-free-updates.php:47
  • filter · wp_revisions_to_keep · includes\updates\update-2.4.7.php:35
  • action · after_setup_theme · wp-carousel-free.php:169
  • action · init · wp-carousel-free.php:221
  • action · admin_notices · wp-carousel-free.php:222
  • action · admin_enqueue_scripts · wp-carousel-free.php:236
  • filter · post_updated_messages · wp-carousel-free.php:237
  • filter · manage_sp_wp_carousel_posts_columns · wp-carousel-free.php:238
  • action · manage_sp_wp_carousel_posts_custom_column · wp-carousel-free.php:239
  • filter · plugin_action_links · wp-carousel-free.php:240
  • filter · plugin_row_meta · wp-carousel-free.php:241
  • filter · admin_footer_text · wp-carousel-free.php:242
  • filter · update_footer · wp-carousel-free.php:243
  • action · before_woocommerce_init · wp-carousel-free.php:244
  • filter · pll_get_post_types · wp-carousel-free.php:273
  • action · wp_loaded · wp-carousel-free.php:300
  • action · wp_enqueue_scripts · wp-carousel-free.php:301
  • action · save_post · wp-carousel-free.php:302
  • action · admin_enqueue_scripts · wp-carousel-free.php:303
  • action · plugins_loaded · wp-carousel-free.php:397
  • action · activated_plugin · wp-carousel-free.php:398
Maintenance & Trust

Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 6, 2026
  • PHP min version: 7.0.0
  • Downloads: 2.0M

Community Trust

  • Rating: 94/100
  • Number of ratings: 425
  • Active installs: 70K
Developer Profile

Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel Developer Profile

ShapedPlugin LLC

18 plugins · 315K total installs

  • Trust score: 77
  • Avg Security Score: 97/100
  • Avg Patch Time: 385 days
Detection Fingerprints

How We Detect Carousel, Slider, Photo Gallery with Lightbox, Video Slider, by WP Carousel

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-carousel-free/admin/css/admin-style.css
  • /wp-content/plugins/wp-carousel-free/admin/css/sp-framework-style.css
  • /wp-content/plugins/wp-carousel-free/admin/js/admin-script.js
  • /wp-content/plugins/wp-carousel-free/admin/js/sp-framework-script.js
  • /wp-content/plugins/wp-carousel-free/public/assets/css/slick.css
  • /wp-content/plugins/wp-carousel-free/public/assets/css/style.css
  • /wp-content/plugins/wp-carousel-free/public/assets/css/magnific-popup.css
  • /wp-content/plugins/wp-carousel-free/public/assets/js/slick.min.js
  • +7 more
Script Paths
  • /wp-content/plugins/wp-carousel-free/admin/js/admin-script.js
  • /wp-content/plugins/wp-carousel-free/public/assets/js/slick.min.js
  • /wp-content/plugins/wp-carousel-free/public/assets/js/magnific-popup.min.js
  • /wp-content/plugins/wp-carousel-free/public/assets/js/script.js
  • /wp-content/plugins/wp-carousel-free/admin/help-page/js/help-page.js
  • /wp-content/plugins/wp-carousel-free/admin/Media_View/js/media-script.js
  • +1 more
Version Parameters
  • wp-carousel-free/admin/css/admin-style.css?ver=
  • wp-carousel-free/admin/css/sp-framework-style.css?ver=
  • wp-carousel-free/admin/js/admin-script.js?ver=
  • wp-carousel-free/admin/js/sp-framework-script.js?ver=
  • wp-carousel-free/public/assets/css/slick.css?ver=
  • wp-carousel-free/public/assets/css/style.css?ver=
  • wp-carousel-free/public/assets/css/magnific-popup.css?ver=
  • wp-carousel-free/public/assets/js/slick.min.js?ver=
  • wp-carousel-free/public/assets/js/magnific-popup.min.js?ver=
  • wp-carousel-free/public/assets/js/script.js?ver=
  • wp-carousel-free/admin/help-page/css/help-page.css?ver=
  • wp-carousel-free/admin/help-page/js/help-page.js?ver=
  • wp-carousel-free/admin/Media_View/css/media-style.css?ver=
  • wp-carousel-free/admin/Media_View/js/media-script.js?ver=
  • wp-carousel-free/admin/class-wp-carousel-free-elementor-block.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • sp-wp-carousel-wrapper
  • sp-wpc-frontend
  • sp-carousel-wrap
  • sp-carousel-content
HTML Comments
  • <!-- Created by WP Carousel Free plugin -->
  • <!-- WP Carousel Free Plugin -->
  • <!-- WP Carousel Pro Plugin -->
Data Attributes
  • data-sp-carousel-id
  • data-wpc-carousel-settings
JS Globals
  • wp_carousel_free_ajax_object
  • sp_wp_carousel_free_public
REST Endpoints
  • /wp-json/wp-carousel-free/v1/get_carousel_posts
  • /wp-json/wp-carousel-free/v1/get_carousel_posts_by_id
Shortcode Output
  • [sp_carousel]
  • [wp_carousel]