WP Flow Plus Security & Risk Analysis

wordpress.org/plugins/wp-imageflow2

Flow style gallery with Lightbox popups. Uses images from the WordPress Media Library or an uploaded directory of images.

900 active installs · v5.2.7 · PHP + WP 3.0.1+ · Updated Nov 28, 2025
Tags: carousel, gallery, image, imageflow, lightbox

Security score: 97/100 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Sep 3, 2025
Safety Verdict

Is WP Flow Plus Safe to Use in 2026?

Generally Safe

Score 97/100

WP Flow Plus has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Sep 3, 2025 · Updated 4mo ago
Risk Assessment

The wp-imageflow2 plugin, version 5.2.7, presents a mixed security posture. On the positive side, static analysis finds no unprotected entry points, no dangerous functions, no file operations, no external requests and no bundled libraries, and the settings handler carries a nonce check and a capability check. Several metrics raise concerns, however. None of the four detected SQL queries uses a prepared statement ($wpdb->prepare()). This is a risk indicator rather than a confirmed injection, since a raw query is only exploitable when attacker-controlled data reaches it without escaping, but it means every one of those queries has to be reviewed by hand. Output escaping is weak: only 28 of 90 outputs (31%) pass through an escaping function before being echoed, which is precisely the condition under which stored Cross-Site Scripting (XSS) arises. Taint analysis shows that all five analyzed flows contain at least one unsanitized path, although none is currently rated critical or high severity.

The vulnerability history consists of three medium-severity CVEs (CVSS 6.4), all authenticated stored XSS reachable by Contributor- or Author-level users, and each was patched within 9 to 16 days. Nothing is currently unpatched, but the recurring XSS pattern, combined with the low escaping ratio and the unsanitized input flows, suggests that further XSS issues are likely to exist or could easily be reintroduced. The plugin's strengths are its small attack surface (two shortcodes and 28 hooks, none of them AJAX or REST handlers) and the presence of authentication checks on its settings handler. The reliance on raw SQL and the inadequate output escaping outweigh these strengths, making the plugin a moderate security risk despite its high overall score.

Key Concerns

  • Raw SQL queries without prepared statements
  • Low percentage of properly escaped output
  • All analyzed flows have unsanitized paths
  • History of XSS vulnerabilities
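The two weaknesses counted above, raw SQL and unescaped output, are shown below beside the hardened WordPress idiom. This is an added example written for this report, not code from WP Flow Plus or its author; the shortcode attributes, meta key and query are hypothetical and are not the actual vectors of the three CVEs, whose details the page does not give. The esc_* fallbacks exist only so the file runs from the CLI; inside WordPress the real functions are used.

```php
<?php
// Added example for this report, not code from WP Flow Plus or its author.
// Raw SQL without $wpdb->prepare() and output echoed without escaping, each
// beside the hardened WordPress idiom. Attribute names, meta key and query are
// hypothetical; the page does not show the plugin's own code.

// Fallbacks so the file also runs from the CLI. Under WordPress these
// functions already exist and the real implementations are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_url')) {
    // Narrower than WordPress's esc_url(): accepts only absolute http(s) URLs.
    function esc_url(string $s): string {
        return preg_match('#^https?://#i', $s) ? htmlspecialchars($s, ENT_QUOTES, 'UTF-8') : '';
    }
}

// Stored XSS sink. A Contributor saves a post containing a shortcode such as
// [wp-flowplus caption="..." link="..."]; WordPress passes the attributes to
// the callback and the vulnerable form echoes them into the page unchanged.
function wpif2_demo_render_unsafe(array $atts): string
{
    return '<div class="wpif2-item" data-wpif2-image-link="' . $atts['link'] . '">'
         . '<span class="caption">' . $atts['caption'] . '</span></div>';
}

// Hardened form: escape at the point of output with the function that
// matches the context (URL attribute vs. HTML text node).
function wpif2_demo_render_safe(array $atts): string
{
    return '<div class="wpif2-item" data-wpif2-image-link="' . esc_url($atts['link']) . '">'
         . '<span class="caption">' . esc_html($atts['caption']) . '</span></div>';
}

// Raw SQL pattern: a gallery directory name taken from a shortcode attribute
// is interpolated straight into the query string.
function wpif2_demo_lookup_unsafe($wpdb, string $dir): array
{
    $sql = "SELECT post_id FROM {$wpdb->postmeta}"
         . " WHERE meta_key = 'wpif2_gallery_dir' AND meta_value = '$dir'";
    return (array) $wpdb->get_results($sql);
}

// Hardened form: $wpdb->prepare() with %s placeholders. The table name stays
// interpolated because it is a trusted wpdb property, never user data.
function wpif2_demo_lookup_safe($wpdb, string $dir): array
{
    $sql = $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s",
        'wpif2_gallery_dir',
        $dir
    );
    return (array) $wpdb->get_results($sql);
}

// CLI demonstration with constructed attacker-style attribute values.
if (PHP_SAPI === 'cli') {
    $atts = [
        'caption' => '<img src=x onerror=alert(document.cookie)>',
        'link'    => 'javascript:alert(1)',
    ];
    echo 'unsafe: ' . wpif2_demo_render_unsafe($atts) . PHP_EOL;
    echo 'safe:   ' . wpif2_demo_render_safe($atts) . PHP_EOL;
    // The SQL helpers need a live $wpdb; under WordPress call, for example:
    //   wpif2_demo_lookup_safe($GLOBALS['wpdb'], 'my-gallery');
}
```

The unsafe renderer emits the onerror handler and the javascript: URL verbatim, which is the stored XSS shape of all three CVEs on this page; the safe renderer neutralises the caption and drops the non-http(s) link. For the SQL side, the point is that a query built by string concatenation cannot be proven safe by reading the query alone, which is why the analysis counts all four raw queries as a concern even though the taint flows are not rated critical.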
Vulnerabilities
3

WP Flow Plus Security Vulnerabilities

CVEs by Year

2024: 2 CVEs
2025: 1 CVE

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2025-58625 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Flow Plus <= 5.2.5 - Authenticated (Author+) Stored Cross-Site Scripting

Sep 3, 2025 · Patched in 5.2.6 (9d)

CVE-2024-49695 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Flow Plus <= 5.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 21, 2024 · Patched in 5.2.4 (10d)

CVE-2024-35651 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Flow Plus <= 5.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 27, 2024 · Patched in 5.2.3 (16d)
Code Analysis (analyzed Mar 16, 2026)

WP Flow Plus Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (0 prepared)
Unescaped Output: 62 (28 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

0% prepared (0 of 4 queries)

Output Escaping

31% escaped (28 of 90 outputs)

Data Flows: 5 unsanitized

Data Flow Analysis

5 flows, 5 with unsanitized paths

settings_update_bonus (includes\bonus.php:342)
Attack Surface

WP Flow Plus Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes: 2

[wp-imageflow2] includes\class_render.php:29
[wp-flowplus] includes\class_render.php:30
WordPress Hooks: 28

action · admin_menu · includes\admin\class_admin.php:16
filter · wpflowplus_settings_tabs_array · includes\admin\class_admin.php:18
action · wpfp_settings_tab_general · includes\admin\class_admin.php:19
action · wpfp_settings_update_general · includes\admin\class_admin.php:20
action · wpfp_settings_tab_format · includes\admin\class_admin.php:21
action · wpfp_settings_update_format · includes\admin\class_admin.php:22
action · wpfp_settings_tab_help · includes\admin\class_admin.php:23
action · wpfp_settings_update_help · includes\admin\class_admin.php:24
filter · attachment_fields_to_edit · includes\admin\class_admin.php:27
filter · attachment_fields_to_save · includes\admin\class_admin.php:28
action · admin_enqueue_scripts · includes\admin\class_admin.php:31
filter · wpflowplus_settings_tabs_array · includes\bonus.php:18
action · wpfp_settings_tab_bonus · includes\bonus.php:19
action · wpfp_settings_update_bonus · includes\bonus.php:20
action · wp_enqueue_scripts · includes\bonus.php:22
action · wp_enqueue_scripts · includes\bonus.php:23
filter · wpif2_js_options · includes\bonus.php:25
filter · wpif2_after_image · includes\bonus.php:26
filter · wpif2_image_list · includes\class_render.php:33
filter · wpif2_image_list · includes\class_render.php:34
action · media_buttons · includes\shortcode-buttons.php:19
action · admin_head · includes\shortcode-buttons.php:22
action · admin_footer · includes\shortcode-buttons.php:27
action · admin_notices · wp-imageflow2.php:45
action · init · wp-imageflow2.php:64
action · wp_enqueue_scripts · wp-imageflow2.php:67
action · plugins_loaded · wp-imageflow2.php:68
action · admin_notices · wp-imageflow2.php:109
Maintenance & Trust

WP Flow Plus Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 28, 2025
PHP min version: (none listed)
Downloads: 134K

Community Trust

Rating: 100/100
Number of ratings: 6
Active installs: 900
Developer Profile

WP Flow Plus Developer Profile

Spiffy Plugins

2 plugins · 4K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 280 days
Detection Fingerprints

How We Detect WP Flow Plus

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-imageflow2/css/screen.css
/wp-content/plugins/wp-imageflow2/js/imageflowplus.js
/wp-content/plugins/wp-imageflow2/js/wpif2_utility.js
Script Paths
/wp-content/plugins/wp-imageflow2/js/imageflowplus.js
/wp-content/plugins/wp-imageflow2/js/wpif2_utility.js
Version Parameters
wp-imageflow2/style.css?ver=
wp-imageflow2/ie8.css?ver=
wp-imageflow2/js/imageflowplus.js?ver=
wp-imageflow2/js/wpif2_utility.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- WP Flow Plus requires at least WordPress 2.8.4 -->
** Nothing needs to be done for now **
** Merge default options with the saved values **
** Determine the path to a gallery specified by url **
+9 more
Data Attributes
data-wpif2-image-link
JS Globals
wpif2_flowplus
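The fingerprints above applied to a page's HTML, as an added example that is not part of the scanner or the plugin: it tests the asset paths, data attribute, JS global and HTML comment listed in this section, reads the version from the ?ver= parameter on a plugin asset, and compares it with 5.2.6, the fixed version of the newest CVE on this page. The sample HTML is constructed for the demonstration; the site name is fictitious.

```php
<?php
// Added example, not part of the scanner or the plugin. Applies the listed
// fingerprints to HTML, extracts the version from ?ver= on a plugin asset,
// and flags versions below 5.2.6 (fix version of CVE-2025-58625 above).
// The sample HTML at the bottom is constructed.

function wpif2_detect(string $html): array
{
    $patterns = [
        'asset:css/screen.css'       => '#/wp-content/plugins/wp-imageflow2/css/screen\.css#',
        'script:js/imageflowplus.js' => '#/wp-content/plugins/wp-imageflow2/js/imageflowplus\.js#',
        'script:js/wpif2_utility.js' => '#/wp-content/plugins/wp-imageflow2/js/wpif2_utility\.js#',
        'dom:data-wpif2-image-link'  => '#\bdata-wpif2-image-link\b#',
        'js:wpif2_flowplus'          => '#\bwpif2_flowplus\b#',
        'comment:requires'           => '#<!--\s*WP Flow Plus requires at least WordPress#',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $html)) {
            $hits[] = $name;
        }
    }

    // Version: first ?ver= on any asset under the plugin directory. Caveat:
    // WordPress substitutes its own core version when a plugin enqueues an
    // asset without one, so a ?ver= value is not always the plugin's version.
    $version = null;
    if (preg_match('#wp-imageflow2/(?:css/|js/)?[\w.-]+\?ver=(\d+(?:\.\d+)*)#', $html, $m)) {
        $version = $m[1];
    }

    return [
        'detected'    => $hits !== [],
        'indicators'  => $hits,
        'version'     => $version,
        'below_5_2_6' => $version !== null && version_compare($version, '5.2.6', '<'),
    ];
}

// Constructed sample: the markup a site still running 5.2.5 could emit.
$sample_html = <<<'HTML'
<link rel="stylesheet" href="https://site.example/wp-content/plugins/wp-imageflow2/css/screen.css?ver=5.2.5">
<script src="https://site.example/wp-content/plugins/wp-imageflow2/js/imageflowplus.js?ver=5.2.5"></script>
<div class="wpif2-item" data-wpif2-image-link="https://site.example/img/1.jpg"></div>
<script>var wpif2_flowplus = {"speed": 1};</script>
HTML;

$result = wpif2_detect($sample_html);
printf("detected=%s version=%s below_5.2.6=%s\n",
    $result['detected'] ? 'yes' : 'no',
    $result['version'] ?? 'unknown',
    $result['below_5_2_6'] ? 'yes' : 'no');
echo 'indicators: ' . implode(', ', $result['indicators']) . PHP_EOL;
```

On the constructed sample the script reports the plugin as detected on four indicators, version 5.2.5, and below the 5.2.6 fix. Treat a missing ?ver= as "version unknown" rather than "patched": a site may strip version parameters, and the value can also be the WordPress core version rather than the plugin's, so version-based triage should be confirmed against the plugin's readme.txt or the wp-admin plugin list where access permits.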
FAQ

Frequently Asked Questions about WP Flow Plus