Plugin inspection:

Gallery – Photo Albums – Portfolio

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Warnings

This recommendation applies to version 1.3.81 of this plugin, but the most recent version is 1.3.170. These findings may no longer be correct.

Findings

  • Allows users to add arbitrary HTML to the settings page yet the code contains no checks for the unfiltered_html permission (the settings are protected by nonces)
  • Uses error_reporting() and ini_set() to override configuration and hide errors

  • emg_get_attachment_id_from_src() inserts its argument into SQL without escaping

  • Unserialises values from http://api.wordpress.org/plugins/info/1.0/

Reason for the 'Use with caution' result

The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

  • May be vulnerable to SQLi
  • Allows authenticated users with certain permissions to XSS other authenticated users whether or not they have the unfiltered_html permission