Does a high score guarantee a plugin is secure?

No. Scores help prioritize review, but manual validation and staged testing are still required before production deployment.

Gallery by FooGallery

Slug: foogallery · FooPlugins · 100,000+

Not updated in last 3 months

Overall Score

Good overall quality

Good

What this score means

Scores are calculated on a 100-point scale by analysing six weighted categories: Security, WP.org Readiness, Performance, Code Quality, Accessibility, and Vulnerabilities. Open vulnerabilities are weighted by severity, CVSS, and patch availability, and incomplete source data can reduce confidence slightly.

Excellent The plugin follows best practices across every measured category. It is well-maintained, low-risk, and recommended for production use.
Good Strong overall quality with minor areas for improvement. Generally safe to use on most sites.
Needs Review Some areas of concern detected. Review the full issues report and weigh the risks before installing on production.
High Risk Significant quality or security problems found. Exercise caution — check the details carefully before using this plugin.

Score computed: May 22, 2026 10:20 pm (1 month ago). Vulnerability data mode: Live.
High confidence (100/100) based on metadata completeness and vulnerability evidence quality.
Open vulnerabilities are weighted by severity, CVSS, and patch availability, then adjusted slightly when the source data is incomplete.

Wordfence: June 28, 2026 6:47 pm (25 minutes ago)

No known open vulnerabilities found.

AI-Generated Summary

Gallery by FooGallery currently scores 82/100 (good). Latest scan findings include 1 errors and 28 warnings.

Strengths

Overall score is in a strong range for production use.
No open vulnerabilities are currently recorded in tracked sources.

Risks

1 error-level issue was detected in the latest scan.

Recommended Next Actions

Resolve error-level findings first because they usually carry the highest impact.
Address warning-level findings to improve maintainability and reduce future risk.

Generated from latest scan and metadata signals. Validate in staging before production changes.

Score Breakdown

Shield

Security

Needs Review

Why this score?

Top deductions are based on 2 affected rules, reducing this category by 46 total points.

Rule	Hits	Impact	Share
Security issue: Warning	9	-36	78.3%
Security issue: Error	1	-10	21.7%

WP.org Readiness

Excellent

Why this score?

Top deductions are based on 2 affected rules, reducing this category by 4 total points.

Rule	Hits	Impact	Share
Repo issue: Warning	1	-3	75%
Repo issue: Notice	1	-1	25%

Speed

Performance

Excellent

Why this score?

Top deductions are based on 1 affected rules, reducing this category by 6 total points.

Rule	Hits	Impact	Share
Performance issue: Warning	2	-6	100%

Code

Code Quality

100

Excellent

Why this score?

Top deductions are based on 0 affected rules, reducing this category by 0 total points.

No deductions were applied for this category in the latest score run.

A11y

Accessibility

Needs Review

Why this score?

Top deductions are based on 1 affected rules, reducing this category by 32 total points.

Rule	Hits	Impact	Share
Accessibility issue: Warning	16	-32	100%

Bug

Vulnerability Status

100

Excellent

Why this score?

Top deductions are based on 0 affected rules, reducing this category by 0 total points.

No deductions were applied for this category in the latest score run.

Plugin Details

Version: 3.1.26
Active Installs: 100,000+
Last Updated: 2026-03-30 12:00:00
Tested up to: 7.0
Requires PHP: 5.4
Rating: 4.8/5 (976 ratings)
Support: 20/22 resolved (91%)
View on WordPress.org
Download Plugin

Scan Summary

Errors: 1
Warnings: 28
Notices: 1
Last Scanned: 2026-05-22 21:20:18
Score confidence: 100/100

Scans are performed automatically once per day, and the report will note when source data is stale or incomplete.

What Changed Since Last Scan

Comparing latest scan (2026-05-22 21:20:18) to previous scan (2026-05-21 17:18:52).

New: 0 Resolved: 0 Worsened: 0

New Issues

No items in this category.

Resolved Issues

No items in this category.

Worsened Issues

No items in this category.

Detected Issues

Severity	Category	Message	File	Fix Guidance
ERROR	SECURITY	Declared minimum PHP 5.4 is end-of-life and has known unpatched security vulnerabilities.		Quick Raise minimum PHP requirement to at least 8.1 and update plugin metadata. Moderate Refactor incompatible code paths and remove legacy polyfills tied to EOL PHP. Advanced Continuously test and enforce supported PHP baselines via CI and release policy.
WARNING	SECURITY	Main plugin file does not appear to guard direct access with an ABSPATH check.	foogallery.php	Quick Add an ABSPATH guard near the top of the main plugin file to prevent direct execution. Moderate Apply the same remediation pattern across security findings and re-scan to confirm warning issues drop. Advanced Add automated linting, CI checks, and team review guidance so this issue class is prevented in future releases.
WARNING	REPO	Plugin package is missing readme.txt.		Quick Add a readme.txt file so repository metadata, installation instructions, and compatibility information are available. Moderate Apply the same remediation pattern across repo findings and re-scan to confirm warning issues drop. Advanced Add automated linting, CI checks, and team review guidance so this issue class is prevented in future releases.
NOTICE	REPO	Plugin package does not include a license file.		Quick Add a LICENSE or COPYING file so distribution terms are explicit. Moderate Apply the same remediation pattern across repo findings and re-scan to confirm notice issues drop. Advanced Add automated linting, CI checks, and team review guidance so this issue class is prevented in future releases.
WARNING	SECURITY	Raw superglobal access detected.	includes/admin/class-gallery-metaboxes.php	Quick Wrap direct request values with sanitization and nonce verification in the affected code path. Moderate Centralize request normalization in helper methods so handlers consume validated input only. Advanced Adopt typed request DTOs and automated security lint checks for unsanitized superglobal access.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/admin/class-gallery-metabox-fields.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/admin/class-gallery-editor.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/admin/view-help-getting-started.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/admin/view-help-demos.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/admin/view-help-pro.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/admin/class-gallery-attachment-modal.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/admin/view-help.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	SECURITY	Raw superglobal access detected.	includes/admin/class-gallery-datasources.php	Quick Wrap direct request values with sanitization and nonce verification in the affected code path. Moderate Centralize request normalization in helper methods so handlers consume validated input only. Advanced Adopt typed request DTOs and automated security lint checks for unsanitized superglobal access.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/admin/class-pro-promotion.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/functions.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/class-override-thumbnail.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/thumbs/default/class-foogallery-thumb-engine-default.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	SECURITY	Raw superglobal access detected.	includes/class-foogallery-datasource-media_library.php	Quick Wrap direct request values with sanitization and nonce verification in the affected code path. Moderate Centralize request normalization in helper methods so handlers consume validated input only. Advanced Adopt typed request DTOs and automated security lint checks for unsanitized superglobal access.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	includes/class-foogallery-datasource-media_library.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	freemius/includes/fs-plugin-info-dialog.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	SECURITY	Raw superglobal access detected.	freemius/includes/fs-core-functions.php	Quick Wrap direct request values with sanitization and nonce verification in the affected code path. Moderate Centralize request normalization in helper methods so handlers consume validated input only. Advanced Adopt typed request DTOs and automated security lint checks for unsanitized superglobal access.
WARNING	SECURITY	Raw superglobal access detected.	freemius/includes/managers/class-fs-admin-notice-manager.php	Quick Wrap direct request values with sanitization and nonce verification in the affected code path. Moderate Centralize request normalization in helper methods so handlers consume validated input only. Advanced Adopt typed request DTOs and automated security lint checks for unsanitized superglobal access.
WARNING	SECURITY	Direct database query detected without an immediately visible $wpdb->prepare() wrapper.	freemius/includes/class-fs-logger.php	Quick Wrap dynamic SQL arguments with $wpdb->prepare() in the flagged query. Moderate Refactor repeated SQL into repository/helper methods that enforce prepared statements by default. Advanced Add integration tests and static checks that fail builds when direct dynamic SQL is introduced.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	freemius/templates/plugin-icon.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	freemius/templates/plugin-info/screenshots.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	SECURITY	Raw superglobal access detected.	extensions/demo-content-generator/view-demo-content.php	Quick Wrap direct request values with sanitization and nonce verification in the affected code path. Moderate Centralize request normalization in helper methods so handlers consume validated input only. Advanced Adopt typed request DTOs and automated security lint checks for unsanitized superglobal access.
WARNING	SECURITY	Raw superglobal access detected.	extensions/albums/admin/class-metaboxes.php	Quick Wrap direct request values with sanitization and nonce verification in the affected code path. Moderate Centralize request normalization in helper methods so handlers consume validated input only. Advanced Adopt typed request DTOs and automated security lint checks for unsanitized superglobal access.
WARNING	ACCESSIBILITY	Image markup without an alt attribute detected.	extensions/albums/admin/class-metaboxes.php	Quick Add alt attributes to the flagged image tags, or alt="" for decorative images. Moderate Audit all templates/components for missing alternative text and update content guidelines. Advanced Integrate accessibility testing in CI (axe/pa11y) and block releases with critical a11y violations.
WARNING	PERFORMANCE	flush_rewrite_rules() detected.	extensions/albums/public/class-rewrite-rules.php	Quick Only flush rewrite rules during activation or explicit maintenance flows. Moderate Apply the same remediation pattern across performance findings and re-scan to confirm warning issues drop. Advanced Add automated linting, CI checks, and team review guidance so this issue class is prevented in future releases.
WARNING	PERFORMANCE	flush_rewrite_rules() detected.	extensions/albums/class-albums-extension.php	Quick Only flush rewrite rules during activation or explicit maintenance flows. Moderate Apply the same remediation pattern across performance findings and re-scan to confirm warning issues drop. Advanced Add automated linting, CI checks, and team review guidance so this issue class is prevented in future releases.

Score History

No history available yet. · All-Time High: N/A

All Past Vulnerabilities

Showing all known historical vulnerabilities for this plugin, including open and closed records.

Vulnerability	CVE	Severity	Status	Affected Versions	Patched Version	Updated	Source
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel <= 2.4.31 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting	N/A	LOW	Closed	*-2.4.31	2.4.32	2025-07-10 00:00:00	Wordfence
FooGallery <= 3.1.11 - Missing Authorization	N/A	LOW	Closed	*-3.1.11	3.1.13	2026-02-15 00:00:00	Wordfence
Gallery by FooGallery <= 3.1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Gallery Metadata Exposure	N/A	LOW	Closed	*-3.1.9	3.1.10	2026-02-10 12:28:05	Wordfence
FooGallery <= 2.0.34 - Stored Cross-Site Scripting	N/A	LOW	Closed	[*, 2.0.35)	2.0.35	2021-05-31 00:00:00	Wordfence
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel <= 2.4.29 - Authenticated (Custom+) Stored Cross-Site Scripting via Album Title Size	N/A	LOW	Closed	*-2.4.29	2.4.30	2025-03-07 16:21:23	Wordfence
Freemius SDK <= 2.4.2 - Missing Authorization Checks	N/A	LOW	Closed	[*, 2.1.34)	2.1.34	2022-03-04 00:00:00	Wordfence
FooGallery <= 2.4.29 - Reflected Cross-Site Scripting	N/A	LOW	Closed	*-2.4.29	2.4.30	2025-02-27 00:00:00	Wordfence
Freemius SDK <= 2.2.3 - Missing Authorization to Arbitrary Options Update	N/A	LOW	Closed	[*, 1.6.17)	1.6.17	2019-02-25 00:00:00	Wordfence
FooGallery <= 1.9.24 - Authenticated Cross-Site Scripting	N/A	LOW	Closed	[*, 1.9.25)	1.9.25	2020-05-04 00:00:00	Wordfence
FooGallery <= 2.2.44 - Reflected Cross-Site Scripting	N/A	LOW	Closed	[*, 2.3.2)	2.3.2	2023-09-29 00:00:00	Wordfence
FooGallery <= 3.1.11 - Authenticated (Author+) Stored Cross-Site Scripting	N/A	LOW	Closed	*-3.1.11	3.1.13	2026-02-15 00:00:00	Wordfence
FooGallery <= 2.4.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gallery Custom URL	N/A	LOW	Closed	*-2.4.15	2.4.16	2024-06-13 17:03:24	Wordfence
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel <= 2.4.29 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Post/Page Updates	N/A	LOW	Closed	*-2.4.29	2.4.30	2025-03-07 16:21:23	Wordfence
FooGallery <= 2.2.35 - Reflected Cross-Site Scripting	N/A	LOW	Closed	*-2.2.35	2.2.41	2023-04-13 00:00:00	Wordfence
Best WordPress Gallery Plugin – FooGallery <= 2.4.7 -Authenticated(Administrator+) Stored Cross-Site Scripting via settings	N/A	LOW	Closed	*-2.4.7	2.4.9	2024-02-14 00:00:00	Wordfence
FooGallery <= 2.2.44 - Cross-Site Request Forgery	N/A	LOW	Closed	*-2.2.44	2.3.2	2023-09-29 00:00:00	Wordfence
FooGallery <= 2.4.14 - Authenticated (Author+) Stored Cross-Site Scripting via Image Attachment Fields	N/A	LOW	Closed	*-2.4.14	2.4.15	2024-04-05 00:00:00	Wordfence
Freemius <= 2.10.1 - Reflected DOM-Based Cross-Site Scripting via url Parameter	N/A	LOW	Closed	*-2.4.27	2.4.29	2026-04-30 17:17:30	Wordfence
FooGallery Premium <= 2.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting	N/A	LOW	Closed	*-2.4.8	2.4.9	2024-01-02 00:00:00	Wordfence
Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel <= 3.1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'custom_attribute_key' Shortcode Parameter	N/A	LOW	Closed	*-3.1.31	3.1.32	2026-06-12 18:03:23	Wordfence
FooGallery <= 2.4.14 - Authenticated (Author+) Stored Cross-Site Scripting	N/A	LOW	Closed	*-2.4.14	2.4.15	2024-04-05 00:00:00	Wordfence
FooGallery <= 1.8.12 - Cross-Site Scripting	N/A	LOW	Closed	*-1.8.12	1.8.18	2020-06-01 00:00:00	Wordfence
FooGallery (Free and Premium) < 2.4.15 - Authenticated (Author+) Stored Cross-Site Scripting	N/A	LOW	Closed	[*, 2.4.15)	2.4.15	2024-05-23 00:00:00	Wordfence