Photo Engine (Media Organizer & Lightroom) Security & Risk Analysis

wordpress.org/plugins/wplr-sync

Organize your photos in folders and collections. Synchronize with Lightroom. Make your life easier! :)

2K active installs · v6.5.0 · PHP 7.4+ · WP 6.0+ · Updated Feb 25, 2026
export · image · lightroom · manager · sync
Score: 96 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Jul 30, 2025
Safety Verdict

Is Photo Engine (Media Organizer & Lightroom) Safe to Use in 2026?

Generally Safe

Score 96/100

Photo Engine (Media Organizer & Lightroom) has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jul 30, 2025 · Updated 1mo ago
Risk Assessment

The plugin "wplr-sync" v6.5.0 presents a mixed security posture. While it demonstrates good practices by using prepared statements for a majority of its SQL queries and performing a significant number of capability checks, several concerning areas warrant attention. The plugin has a substantial attack surface with 10 entry points, 9 of which lack proper authentication or permission checks. This is exacerbated by the taint analysis revealing 6 high-severity flows with unsanitized paths, indicating potential for severe vulnerabilities like cross-site scripting or path traversal if these flows are exploited. The vulnerability history further highlights past issues with Cross-Site Request Forgery, Missing Authorization, and Cross-site Scripting, suggesting a recurring pattern of authorization and input sanitization weaknesses.

Despite the absence of currently unpatched CVEs and the presence of nonce checks, the high number of unprotected entry points and the critical taint analysis findings are significant risks. The prevalence of past vulnerabilities in similar categories points to systemic issues that may not have been fully addressed. While prepared statements and capability checks are positive indicators, they do not fully mitigate the risks posed by the exposed attack surface and unsanitized data flows. A comprehensive review and hardening of the input validation and authorization mechanisms for all entry points is strongly recommended.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API routes
  • High severity unsanitized taint flows
  • Significant number of unprotected entry points
  • Low output escaping rate
  • History of authorization bypass issues
  • History of XSS vulnerabilities
Vulnerabilities (4)

Photo Engine (Media Organizer & Lightroom) Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • Medium: 4

4 total CVEs

CVE-2025-54672 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Photo Engine <= 6.4.3 - Cross-Site Request Forgery

Jul 30, 2025 · Patched in 6.4.4 (6d)

CVE-2024-43332 · medium · 4.3 · Missing Authorization

Photo Engine <= 6.4.0 - Missing Authorization

Aug 16, 2024 · Patched in 6.4.1 (11d)

CVE-2024-39660 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Photo Engine <= 6.3.1 - Authenticated (Author+) Stored Cross-Site Scripting

Aug 1, 2024 · Patched in 6.3.2 (7d)

CVE-2023-38513 · medium · 5.4 · Authorization Bypass Through User-Controlled Key

Photo Engine <= 6.2.5 - Authenticated (Author+) Insecure Direct Object Reference in ajax_generate_auth_token

Jul 20, 2023 · Patched in 6.2.6 (187d)

Code Analysis
Analyzed Mar 16, 2026

Photo Engine (Media Organizer & Lightroom) Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 34 (152 prepared)
  • Unescaped Output: 49 (43 escaped)
  • Nonce Checks: 3
  • Capability Checks: 17
  • File Operations: 14
  • External Requests: 1
  • Bundled Libraries: 0

SQL Query Safety

82% prepared · 186 total queries

Output Escaping

47% escaped · 92 total outputs

Data Flows (9 unsanitized)

Data Flow Analysis

9 flows · 9 with unsanitized paths

  • display_hierarchy (classes\admin.php:501)

Attack Surface (9 unprotected)

Photo Engine (Media Organizer & Lightroom) Attack Surface

Entry Points: 10
Unprotected: 9

AJAX Handlers 7

auth · wp_ajax_wplrsync_generate_auth_token · classes\admin.php:21
auth · wp_ajax_wplrsync_link · classes\admin.php:22
auth · wp_ajax_wplrsync_unlink · classes\admin.php:23
auth · wp_ajax_wplrsync_clean · classes\admin.php:24
auth · wp_ajax_wplrsync_extensions_reset · classes\admin.php:25
auth · wp_ajax_wplrsync_extensions_init · classes\admin.php:26
auth · wp_ajax_wplrsync_extensions_query · classes\admin.php:27

REST API Routes 3

GET /wp-json/wplr/v1/auth · classes\public_api.php:11
GET /wp-json/wplr/v1/hierarchy · classes\public_api.php:19
GET /wp-json/wplr/v1/gallery/(?P<id>[0-9]+) · classes\public_api.php:27

WordPress Hooks 46

action · show_user_profile · classes\admin.php:14
action · edit_user_profile · classes\admin.php:15
action · admin_menu · classes\admin.php:16
filter · wplr_meowapps_is_registered · classes\admin.php:19
filter · media_row_actions · classes\admin.php:20
action · add_meta_boxes · classes\admin.php:28
action · admin_enqueue_scripts · classes\admin.php:39
action · init · classes\api.php:20
action · delete_attachment · classes\core.php:16
filter · manage_media_columns · classes\core.php:17
filter · shortcode_atts_gallery · classes\core.php:18
filter · shortcode_atts_collection · classes\core.php:19
action · manage_media_custom_column · classes\core.php:21
action · admin_head · classes\core.php:22
action · plugins_loaded · classes\core.php:23
action · init · classes\core.php:24
action · profile_update · classes\core.php:25
filter · big_image_size_threshold · classes\core.php:177
action · pre_get_posts · classes\explorer.php:13
action · restrict_manage_posts · classes\explorer.php:14
action · admin_head · classes\explorer.php:19
action · admin_footer · classes\explorer.php:20
action · wplr_add_tag · classes\keywords.php:48
action · wplr_update_tag · classes\keywords.php:49
action · wplr_remove_tag · classes\keywords.php:50
action · wplr_add_media_tag · classes\keywords.php:51
action · wplr_remove_media_tag · classes\keywords.php:52
filter · pre_get_posts · classes\keywords.php:57
action · rest_api_init · classes\public_api.php:7
action · rest_api_init · classes\rest.php:15
filter · wplr_issues · classes\troubleshoot.php:10
filter · wplr_issues · classes\troubleshoot.php:13
action · admin_menu · classes\ui.php:8
action · admin_notices · common\admin.php:72
filter · plugin_row_meta · common\admin.php:77
filter · edd_sl_api_request_verify_ssl · common\admin.php:78
action · init · common\admin.php:96
action · admin_menu · common\admin.php:153
filter · admin_footer_text · common\admin.php:158
action · admin_footer · common\admin.php:218
action · admin_head · common\admin.php:456
action · admin_notices · common\news.php:43
filter · safe_style_css · common\news.php:44
action · admin_notices · common\ratings.php:33
filter · safe_style_css · common\ratings.php:34
action · rest_api_init · common\rest.php:14

Maintenance & Trust

Photo Engine (Media Organizer & Lightroom) Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 25, 2026
  • PHP min version: 7.4
  • Downloads: 245K

Community Trust

  • Rating: 98/100
  • Number of ratings: 208
  • Active installs: 2K

Developer Profile

Photo Engine (Media Organizer & Lightroom) Developer Profile

Jordy Meow

27 plugins · 371K total installs

  • Trust score: 73
  • Avg Security Score: 92/100
  • Avg Patch Time: 372 days
Detection Fingerprints

How We Detect Photo Engine (Media Organizer & Lightroom)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wplr-sync/app/vendor.js
/wp-content/plugins/wplr-sync/app/index.js
Script Paths
app/vendor.js
app/index.js
Version Parameters
wplr-sync/app/vendor.js?ver=
wplr-sync/app/index.js?ver=

HTML / DOM Fingerprints

CSS Classes
wplr-sync-wrap
Data Attributes
data-options
data-plugin-url
data-api-url
JS Globals
pEngine
REST Endpoints
/wplr-sync/v1
FAQ

Frequently Asked Questions about Photo Engine (Media Organizer & Lightroom)