DevriX · PGeorgiev · Apr 2, 2026 · Mar 18, 2026 · Mar 18, 2026 · Mar 20, 2026
diff --git a/easy-image-gallery.php b/easy-image-gallery.php
@@ -3,7 +3,7 @@
 Plugin Name: Easy Image Gallery
 Plugin URI: https://devrix.com/
 Description: An easy to use image gallery with drag & drop re-ordering
-Version: 1.5.3
+Version: 1.5.4
 Author: DevriX
 Author URI: https://devrix.com/
 Text Domain: easy-image-gallery

diff --git a/includes/admin-page.php b/includes/admin-page.php
@@ -4,11 +4,11 @@
 }
 
 /**
- * Add EIG Plugin Options Page
+ * Register the Easy Image Gallery options page in the admin menu.
  *
  * @since 1.4.1
  */
-function add_eig_plugin_page() {
+function easy_image_gallery_add_plugin_page() {
 	add_menu_page(
 		__( 'Easy Image Gallery Settings', 'easy-image-gallery' ),
 		__( 'Easy Image Gallery', 'easy-image-gallery' ),
@@ -18,4 +18,4 @@ function add_eig_plugin_page() {
 		'dashicons-images-alt2',
 	);
 }
-add_action( 'admin_menu', 'add_eig_plugin_page' );
+add_action( 'admin_menu', 'easy_image_gallery_add_plugin_page' );
diff --git a/includes/gutenberg-block/src/init.php b/includes/gutenberg-block/src/init.php
@@ -16,6 +16,15 @@
 	define( 'EASY_IMAGE_BLOCK_GALLERY_URL', trailingslashit( plugin_dir_url( __DIR__ ) ) );
 }
 
+/**
+ * Asset version for block CSS/JS (matches main plugin when available).
+ *
+ * @return string
+ */
+function easy_image_gallery_block_asset_version() {
+	return defined( 'EASY_IMAGE_GALLERY_VERSION' ) ? EASY_IMAGE_GALLERY_VERSION : '1.0.0';
+}
+
 
 /**
  * Hiding/Showing EIG Gutenberg Block depending on user choice to hide/show it
@@ -47,10 +56,11 @@ function easy_image_gallery_block_cgb_block_assets() { // phpcs:ignore
 
 	// Styles.
 	wp_enqueue_style(
-		'easy_image_gallery_block-cgb-style-css', // Handle.
-		plugins_url( 'dist/blocks.style.build.css', dirname( __FILE__ ) ), // Block style CSS.
-		array( 'wp-editor' ) // Dependency to include the CSS after it.
-		// filemtime( plugin_dir_path( __DIR__ ) . 'dist/blocks.style.build.css' ) // Version: File modification time.
+		'easy_image_gallery_block-cgb-style-css',
+		plugins_url( 'dist/blocks.style.build.css', dirname( __FILE__ ) ),
+		array( 'wp-editor' ),
+		easy_image_gallery_block_asset_version(),
+		'all'
 	);
 
 	if ( is_admin() ) {
@@ -89,18 +99,19 @@ function easy_image_gallery_block_cgb_editor_assets() { // phpcs:ignore
 
 	// Scripts.
 	wp_enqueue_script(
-		'easy_image_gallery_block-cgb-block-js', // Handle.
-		plugins_url( '/dist/blocks.build.js', dirname( __FILE__ ) ), // Block.build.js: We register the block here. Built with Webpack.
-		array( 'wp-blocks', 'wp-i18n', 'wp-element', 'wp-editor' ), // Dependencies, defined above.
-		// filemtime( plugin_dir_path( __DIR__ ) . 'dist/blocks.build.js' ), // Version: File modification time.
-		true // Enqueue the script in the footer.
+		'easy_image_gallery_block-cgb-block-js',
+		plugins_url( '/dist/blocks.build.js', dirname( __FILE__ ) ),
+		array( 'wp-blocks', 'wp-i18n', 'wp-element', 'wp-editor' ),
+		easy_image_gallery_block_asset_version(),
+		true
 	);
 	// Styles.
 	wp_enqueue_style(
-		'easy_image_gallery_block-cgb-block-editor-css', // Handle.
-		plugins_url( 'dist/blocks.editor.build.css', dirname( __FILE__ ) ), // Block editor CSS.
-		array( 'wp-edit-blocks' ) // Dependency to include the CSS after it.
-		// filemtime( plugin_dir_path( __DIR__ ) . 'dist/blocks.editor.build.css' ) // Version: File modification time.
+		'easy_image_gallery_block-cgb-block-editor-css',
+		plugins_url( 'dist/blocks.editor.build.css', dirname( __FILE__ ) ),
+		array( 'wp-edit-blocks' ),
+		easy_image_gallery_block_asset_version(),
+		'all'
 	);
 }
 

diff --git a/includes/metabox.php b/includes/metabox.php
@@ -42,7 +42,7 @@ function easy_image_gallery_metabox() {
 		<div class="repeat">
 			<div class="eig_repeat_container">
 				<div class="buttons">
-					<span class="button button-primary button-large eig-add"><?php echo __( 'Add new gallery', 'easy-image-gallery' ); ?></span>
+					<span class="button button-primary button-large eig-add"><?php esc_html_e( 'Add new gallery', 'easy-image-gallery' ); ?></span>
 				</div>
 				<div class="eig_repeat_body">
 					<?php
@@ -59,20 +59,20 @@ function easy_image_gallery_metabox() {
 							<input type="text" hidden="" class="row_count" data-count="{{row-count-placeholder}}">
 							<input type="text" hidden="" id="attachment_ids_{{row-count-placeholder}}" name="image_gallery[{{row-count-placeholder}}][DATA]" value="">
 							<span class="name">Gallery</span>
-							<a href="#" class="dx-eig-gallery-add-images button" data-count="{{row-count-placeholder}}"><?php _e( 'Add images to the gallery', 'easy-image-gallery' ); ?></a>
-							<span class="eig-remove"><img src="<?php echo EASY_IMAGE_GALLERY_URL . 'includes/fonts/close.png'; ?>"></span>
+							<a href="#" class="dx-eig-gallery-add-images button" data-count="{{row-count-placeholder}}"><?php esc_html_e( 'Add images to the gallery', 'easy-image-gallery' ); ?></a>
+							<span class="eig-remove"><img src="<?php echo esc_url( EASY_IMAGE_GALLERY_URL . 'includes/fonts/close.png' ); ?>" alt=""></span>
 							<a href="#" class="button button-primary button-small dx-eig-insert-shortcode">Insert this shortcode in the content</a>
 							<input type="text" class="dx-eig-shortcode" name="image_gallery[{{row-count-placeholder}}][SHORTCODE]" value="" hidden>
 							<input type="text" class="dx-eig-shortcode-show" readonly="" value="">
 							<div class="link-image-to-l">
 								<label for="easy_image_gallery_link_images_{{row-count-placeholder}}">
-									<input type="checkbox" id="easy_image_gallery_link_images_{{row-count-placeholder}}" value="on" name="image_gallery[{{row-count-placeholder}}][OPEN_IMAGES]" checked="checked"/> <?php _e( 'Link images to larger sizes', 'easy-image-gallery' ); ?>
+									<input type="checkbox" id="easy_image_gallery_link_images_{{row-count-placeholder}}" value="on" name="image_gallery[{{row-count-placeholder}}][OPEN_IMAGES]" checked="checked"/> <?php esc_html_e( 'Link images to larger sizes', 'easy-image-gallery' ); ?>
 								</label>
 							</div>
 							<div class="dx-eig-clear"></div>
 						</div>
 						<div class="dx-eig-gallery-row-content" id="gallery-{{row-count-placeholder}}">
-							<p class="no-images-message"><?php echo __( 'Please add images in this gallery', 'easy-image-gallery' ); ?></p>
+							<p class="no-images-message"><?php esc_html_e( 'Please add images in this gallery', 'easy-image-gallery' ); ?></p>
 						</div>
 					</div>
 					<?php
@@ -100,7 +100,7 @@ function easy_image_gallery_metabox() {
 						$get_galleries = array(
 							array(
 								array(
-									'SHORTCODE'   => rand( 100, 999 ),
+									'SHORTCODE'   => wp_rand( 100, 999 ),
 									'DATA'        => $get_gallery_old_data,
 									'OPEN_IMAGES' => $get_open_images[0],
 								),
@@ -133,38 +133,31 @@ function easy_image_gallery_metabox() {
 							?>
 							<div class="dx-eig-gallery-row row">
 								<div class="dx-eig-gallery-row-heading move">
-									<input type="text" hidden="" class="row_count" data-count="<?php echo $gallery_count; ?>">
-									<input type="text" hidden="" id="attachment_ids_<?php echo $gallery_count; ?>" name="image_gallery[<?php echo $gallery_count; ?>][DATA]" value="<?php echo $attachments_string; ?>">
+									<input type="text" hidden="" class="row_count" data-count="<?php echo esc_attr( (string) $gallery_count ); ?>">
+									<input type="text" hidden="" id="attachment_ids_<?php echo esc_attr( (string) $gallery_count ); ?>" name="image_gallery[<?php echo esc_attr( (string) $gallery_count ); ?>][DATA]" value="<?php echo esc_attr( (string) ( $attachments_string ?? '' ) ); ?>">
 									<span class="name">Gallery</span>
-									<a href="#" class="dx-eig-gallery-add-images button" data-count="<?php echo $gallery_count; ?>"><?php _e( 'Add images to the gallery', 'easy-image-gallery' ); ?></a>
-									<span class="eig-remove"><img src="<?php echo EASY_IMAGE_GALLERY_URL . 'includes/fonts/close.png'; ?>"></span>
+									<a href="#" class="dx-eig-gallery-add-images button" data-count="<?php echo esc_attr( (string) $gallery_count ); ?>"><?php esc_html_e( 'Add images to the gallery', 'easy-image-gallery' ); ?></a>
+									<span class="eig-remove"><img src="<?php echo esc_url( EASY_IMAGE_GALLERY_URL . 'includes/fonts/close.png' ); ?>" alt=""></span>
 									<a href="#" class="button button-primary button-small dx-eig-insert-shortcode">Insert this shortcode in the content</a>
-									<input type="text" class="dx-eig-shortcode" name="image_gallery[<?php echo $gallery_count; ?>][SHORTCODE]" value="<?php echo $gallery['SHORTCODE']; ?>" hidden>
-									<input type="text" class="dx-eig-shortcode-show" readonly="" value='[easy_image_gallery gallery="<?php echo $gallery['SHORTCODE']; ?>"]'>
+									<input type="text" class="dx-eig-shortcode" name="image_gallery[<?php echo esc_attr( (string) $gallery_count ); ?>][SHORTCODE]" value="<?php echo esc_attr( (string) $gallery['SHORTCODE'] ); ?>" hidden>
+									<input type="text" class="dx-eig-shortcode-show" readonly="" value="<?php echo esc_attr( '[easy_image_gallery gallery="' . $gallery['SHORTCODE'] . '"]' ); ?>">
 									<div class="link-image-to-l">
-										<label for="easy_image_gallery_link_images_<?php echo $gallery_count; ?>">
-											<?php
-											if ( isset( $gallery['OPEN_IMAGES'] ) && $gallery['OPEN_IMAGES'] == 'on' ) {
-												$checked = ' checked="checked"';
-											} else {
-												$checked = null;
-											}
-											?>
-											<input type="checkbox" id="easy_image_gallery_link_images_<?php echo $gallery_count; ?>" value="on" name="image_gallery[<?php echo $gallery_count; ?>][OPEN_IMAGES]"<?php echo $checked; ?> /> <?php _e( 'Link images to larger sizes', 'easy-image-gallery' ); ?>
+										<label for="easy_image_gallery_link_images_<?php echo esc_attr( (string) $gallery_count ); ?>">
+											<input type="checkbox" id="easy_image_gallery_link_images_<?php echo esc_attr( (string) $gallery_count ); ?>" value="on" name="image_gallery[<?php echo esc_attr( (string) $gallery_count ); ?>][OPEN_IMAGES]" <?php checked( isset( $gallery['OPEN_IMAGES'] ) ? $gallery['OPEN_IMAGES'] : '', 'on' ); ?> /> <?php esc_html_e( 'Link images to larger sizes', 'easy-image-gallery' ); ?>
 										</label>
 									</div>
 									<div class="dx-eig-clear"></div>
 								</div>
-								<div class="dx-eig-gallery-row-content" id="gallery-<?php echo $gallery_count; ?>">
+								<div class="dx-eig-gallery-row-content" id="gallery-<?php echo esc_attr( (string) $gallery_count ); ?>">
 									<?php
 									if ( isset( $get_attachments ) && $get_attachments != null ) {
 										?>
-									<p class="no-images-message" style="display: none;"><?php echo __( 'Please add images in this gallery', 'easy-image-gallery' ); ?></p>
+									<p class="no-images-message" style="display: none;"><?php esc_html_e( 'Please add images in this gallery', 'easy-image-gallery' ); ?></p>
 									<ul class="gallery_images">
 										<div class="dx-eig-images sortable">
 										<?php
 										foreach ( $get_attachments as $attachemnt ) {
-											echo '<li class="image attachment details" data-attachment_id="' . $attachemnt . '" data-gallery="' . $gallery_count . '">
+											echo '<li class="image attachment details" data-attachment_id="' . esc_attr( (string) $attachemnt ) . '" data-gallery="' . esc_attr( (string) $gallery_count ) . '">
                                                 <div class="attachment-preview">
                                                     <div class="thumbnail">
                                                         ' . wp_get_attachment_image( $attachemnt, 'thumbnail' ) . '
@@ -179,7 +172,9 @@ function easy_image_gallery_metabox() {
 									</ul>
 										<?php
 									} else {
-										echo '<p class="no-images-message">' . __( 'Please add images in this gallery', 'easy-image-gallery' ) . '</p>';
+										echo '<p class="no-images-message">';
+										esc_html_e( 'Please add images in this gallery', 'easy-image-gallery' );
+										echo '</p>';
 									}
 									?>
 								</div>
@@ -282,7 +277,7 @@ function eig_sortable() {
 								<div class="thumbnail">\
 									<img src="' + attachment_url + '" />\
 								</div>\
-							   <a href="#" class="delete_dx_image check" title="<?php _e( 'Remove image', 'easy-image-gallery' ); ?>"><div class="media-modal-icon"></div></a>\
+							   <a href="#" class="delete_dx_image check" title="<?php esc_attr_e( 'Remove image', 'easy-image-gallery' ); ?>"><div class="media-modal-icon"></div></a>\
 							</div>\
 						</li>');
 					}
@@ -365,31 +360,53 @@ function easy_image_gallery_save_post( $post_id ) {
 		return;
 	}
 
+	if ( wp_is_post_revision( $post_id ) ) {
+		return;
+	}
+
+	$post_id = (int) $post_id;
+	if ( $post_id <= 0 ) {
+		return;
+	}
+
 	$post_types = easy_image_gallery_allowed_post_types();
+	if ( empty( $post_types ) || ! is_array( $post_types ) ) {
+		return;
+	}
 
-	// check user permissions
-	if ( isset( $_POST['post_type'] ) && ! array_key_exists( $_POST['post_type'], $post_types ) ) {
+	// Check user permissions (use stored post type, not $_POST — avoids unverified POST reads).
+	$easy_image_gallery_current_post_type = get_post_type( $post_id );
+	if ( $easy_image_gallery_current_post_type && ! array_key_exists( $easy_image_gallery_current_post_type, $post_types ) ) {
 		if ( ! current_user_can( 'edit_page', $post_id ) ) {
 			return;
 		}
-	} else {
-		if ( ! current_user_can( 'edit_post', $post_id ) ) {
-			return;
-		}
+	} elseif ( ! current_user_can( 'edit_post', $post_id ) ) {
+		return;
 	}
 
-	if ( isset( $_POST['action'] ) && $_POST['action'] === 'inline-save' ) {
+	// Require core post update nonce before any $_POST reads (incl. action / gallery fields).
+	if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ), 'update-post_' . $post_id ) ) {
+		return;
+	}
+
+	if ( isset( $_POST['action'] ) && 'inline-save' === $_POST['action'] ) {
 		return;
 	}
 
 	if ( isset( $_POST['image_gallery'] ) && ! empty( $_POST['image_gallery'] ) ) {
 		$galleries = array();
 
-		foreach ( $_POST['image_gallery'] as $gallery ) {
-			$gallery['DATA'] = sanitize_text_field( $gallery['DATA'] );
+		$easy_image_gallery_post = map_deep( wp_unslash( $_POST['image_gallery'] ), 'sanitize_text_field' );
+
+		foreach ( $easy_image_gallery_post as $gallery ) {
+			if ( ! is_array( $gallery ) ) {
+				continue;
+			}
+
+			$gallery_data = isset( $gallery['DATA'] ) ? $gallery['DATA'] : '';
 
-			if ( $gallery['DATA'] != null ) {
-				$convert_to_arr = explode( ',', $gallery['DATA'] );
+			if ( '' !== $gallery_data ) {
+				$convert_to_arr = explode( ',', $gallery_data );
 			} else {
 				$convert_to_arr = null;
 			}
@@ -400,13 +417,17 @@ function easy_image_gallery_save_post( $post_id ) {
 
 		update_post_meta( $post_id, '_easy_image_gallery_v2', $galleries );
 		delete_post_meta( $post_id, '_easy_image_gallery' );
-	} elseif ( isset( $_POST['action'] ) && 'editpost' == $_POST['action'] ) {
+	} elseif ( isset( $_POST['action'] ) && 'editpost' === $_POST['action'] ) {
 		delete_post_meta( $post_id, '_easy_image_gallery_v2' );
 	}
 
-	// link to larger images
+	// Link to larger images (legacy POST key).
 	if ( isset( $_POST['easy_image_gallery_link_images'] ) ) {
-		update_post_meta( $post_id, '_easy_image_gallery_link_images', $_POST['easy_image_gallery_link_images'] );
+		update_post_meta(
+			$post_id,
+			'_easy_image_gallery_link_images',
+			sanitize_text_field( wp_unslash( $_POST['easy_image_gallery_link_images'] ) )
+		);
 	} else {
 		update_post_meta( $post_id, '_easy_image_gallery_link_images', 'on' );
 	}

diff --git a/includes/scripts.php b/includes/scripts.php
@@ -46,13 +46,18 @@ function easy_image_gallery_scripts() {
 
 	$linked_images       = true;
 	$gutenberg_galleries = easy_image_gallery_if_gutenberg_block();
+	$known_lightboxes    = array( 'pretty-photo', 'fancybox', 'luminous' );
 
 	if ( ! empty( $gutenberg_galleries ) ) {
 		foreach ( $gutenberg_galleries as $value ) {
-			// CSS
-			wp_enqueue_style( $value );
+			if ( ! in_array( $value, $known_lightboxes, true ) ) {
+				continue;
+			}
+
+			if ( 'luminous' !== $value ) {
+				wp_enqueue_style( $value );
+			}
 
-			// JS
 			wp_enqueue_script( $value );
 		}
 	}
@@ -153,7 +158,6 @@ function easy_image_gallery_js() {
 			case 'prettyphoto':
 					ob_start();
 				?>
-
 					<script>
 						jQuery(document).ready(function() {
 							jQuery("a[rel^='prettyPhoto']").prettyPhoto({
@@ -162,10 +166,13 @@ function easy_image_gallery_js() {
 							});
 						});
 					</script>
-
 					<?php
 					$js = ob_get_clean();
-					echo apply_filters( 'easy_image_gallery_prettyphoto_js', $js );
+					$js = apply_filters( 'easy_image_gallery_prettyphoto_js', $js );
+					if ( preg_match( '/<script\b[^>]*>(.*)<\/script>/is', $js, $matches ) ) {
+						$js = $matches[1];
-					if ( preg_match( '/<script\b[^>]*>(.*)<\/script>/is', $js, $matches ) ) {
-						$js = $matches[1];
+					if ( preg_match_all( '/<script\b[^>]*>(.*?)<\/script>/is', $js, $matches ) ) {
+						$js = implode( "\n", $matches[1] );
-					if ( preg_match( '/<script\b[^>]*>(.*)<\/script>/is', $js, $matches ) ) {
-						$js = $matches[1];
+					if ( preg_match_all( '/<script\b[^>]*>(.*?)<\/script>/is', $js, $matches ) ) {
+						$js = implode( "\n", $matches[1] );
+					}
+					wp_print_inline_script_tag( trim( $js ) );
 					?>
 
 				<?php
@@ -174,7 +181,6 @@ function easy_image_gallery_js() {
 			case 'fancybox':
 					ob_start();
 				?>
-
 					<script>
 						jQuery(document).ready(function() {
 
@@ -188,10 +194,13 @@ function easy_image_gallery_js() {
 
 						});
 					</script>
-
 					<?php
 					$js = ob_get_clean();
-					echo apply_filters( 'easy_image_gallery_fancybox_js', $js );
+					$js = apply_filters( 'easy_image_gallery_fancybox_js', $js );
+					if ( preg_match( '/<script\b[^>]*>(.*)<\/script>/is', $js, $matches ) ) {
+						$js = $matches[1];
+					}
+					wp_print_inline_script_tag( trim( $js ) );
-					if ( preg_match( '/<script\b[^>]*>(.*)<\/script>/is', $js, $matches ) ) {
-						$js = $matches[1];
-					}
-					wp_print_inline_script_tag( trim( $js ) );
+					if ( preg_match_all( '/<script\b[^>]*>(.*?)<\/script>/is', $js, $matches ) && ! empty( $matches[1] ) ) {
+						$scripts = array();
+						foreach ( $matches[1] as $script_content ) {
+							$script_content = trim( $script_content );
+							if ( '' !== $script_content ) {
+								$scripts[] = $script_content;
+							}
+						}
+						if ( ! empty( $scripts ) ) {
+							$js = implode( "\n", $scripts );
+						} else {
+							$js = '';
+						}
+					}
+					$js = trim( $js );
+					if ( '' !== $js ) {
+						wp_print_inline_script_tag( $js );
+					}
-					if ( preg_match( '/<script\b[^>]*>(.*)<\/script>/is', $js, $matches ) ) {
-						$js = $matches[1];
-					}
-					wp_print_inline_script_tag( trim( $js ) );
+					if ( preg_match_all( '/<script\b[^>]*>(.*?)<\/script>/is', $js, $matches ) && ! empty( $matches[1] ) ) {
+						$scripts = array();
+						foreach ( $matches[1] as $script_content ) {
+							$script_content = trim( $script_content );
+							if ( '' !== $script_content ) {
+								$scripts[] = $script_content;
+							}
+						}
+						if ( ! empty( $scripts ) ) {
+							$js = implode( "\n", $scripts );
+						} else {
+							$js = '';
+						}
+					}
+					$js = trim( $js );
+					if ( '' !== $js ) {
+						wp_print_inline_script_tag( $js );
+					}
 					?>
 
 				<?php
@@ -213,8 +222,20 @@ function easy_image_gallery_js() {
 
 
 function easy_image_gallery_admin_scripts() {
-	wp_enqueue_script( 'repeatable-fields', EASY_IMAGE_GALLERY_URL . 'includes/lib/repeatable-fields.js', array( 'jquery', 'jquery-ui-core' ) );
-	wp_enqueue_style( 'easy_image_gallery_admin_css', EASY_IMAGE_GALLERY_URL . 'includes/css/easy-image-gallery-admin.css' );
+	wp_enqueue_script(
+		'repeatable-fields',
+		EASY_IMAGE_GALLERY_URL . 'includes/lib/repeatable-fields.js',
+		array( 'jquery', 'jquery-ui-core' ),
+		EASY_IMAGE_GALLERY_VERSION,
+		false
+	);
+
+	wp_enqueue_style(
+		'easy_image_gallery_admin_css',
+		EASY_IMAGE_GALLERY_URL . 'includes/css/easy-image-gallery-admin.css',
+		array(),
+		EASY_IMAGE_GALLERY_VERSION
+	);
 }
 
-add_action( 'admin_head', 'easy_image_gallery_admin_scripts' );
+add_action( 'admin_enqueue_scripts', 'easy_image_gallery_admin_scripts' );