Global AI Gallery creates clean, functional galleries on any WordPress site:
The Pro add-on (sold separately) adds Masonry, Justified and Carousel layouts, Vimeo and self-hosted videos, premium lightbox with zoom/share/download, animated filters, interactive albums, and premium templates. Learn more at https://globalai.software/plugin-global-ai-gallery
This plugin connects to YouTube to display video content that the site administrator has chosen to add to a gallery or album. No data is sent unless an admin explicitly adds a YouTube URL to a gallery item.
YouTube thumbnail lookup (i.ytimg.com)
When a gallery item is a YouTube video, the plugin requests the thumbnail URL from https://i.ytimg.com/vi/<video-id>/maxresdefault.jpg (with a fallback to hqdefault.jpg) using wp_remote_head(). Only the video ID is sent in the URL. The result (a URL string) is cached locally for 24 hours via WordPress transients to avoid repeat requests.
– Data sent: the YouTube video ID that the administrator added.
– When: the first time a gallery containing that video is rendered, and every 24 hours after the cache expires.
– Service provider: Google LLC.
– Terms of service: https://www.youtube.com/t/terms
– Privacy policy: https://policies.google.com/privacy
YouTube embed iframe (youtube.com or youtube-nocookie.com)
When a visitor opens a YouTube video in the lightbox, the browser loads the embed from https://www.youtube.com/embed/<video-id> — or, if the “Use youtube-nocookie.com” setting is enabled (Settings → Global AI Gallery), from https://www.youtube-nocookie.com/embed/<video-id>. This is a standard browser iframe; the plugin does not perform any server-side request.
– Data sent: the YouTube video ID, plus whatever YouTube itself collects from the visitor’s browser (User-Agent, Referer, cookies — unless the cookieless host is used).
– When: only when a visitor actually plays a YouTube video on the page.
– Service provider: Google LLC.
– Terms and privacy: same links as above.
The plugin does not contact any other external service. No telemetry, analytics, license servers, or auto-update endpoints are called by this Free version.
This plugin exposes one public REST endpoint to support deferred rendering of galleries from the frontend without requiring a logged-in user:
GET /wp-json/global-ai-gallery/v1/render/<id> — returns the HTML for a single published gallery. The endpoint declares `permission_callback => __return_true` (public) because a published gallery is public content by definition, exactly like the post that embeds it. The handler then enforces a real read-permission check before rendering anything:
1. <id> is sanitised with absint() and validated to be a positive integer before reaching the handler.
2. The post must exist and be of the gawpg_gallery custom post type; otherwise a 404 WP_Error is returned.
3. Read access is checked the same way WordPress core checks it (WP_REST_Posts_Controller::check_read_permission()): a published gallery (status publish) is readable by anyone, but any non-public status (draft, pending, private, future, trash) only renders when the current user actually has read access to that specific post (current_user_can( 'read_post', $id )) — otherwise 404.
4. Password-protected galleries are never rendered without the password. post_password_required() is honoured (respecting the wp-postpass cookie), returning a 401/403 WP_Error when the password has not been entered.
5. The endpoint only returns rendered HTML; it never reads or writes user data, options, transients, or any other server state.
This is the same content the visitor can already see by visiting the gallery’s public page or any post that embeds it via the shortcode, so making the endpoint authenticated would add no privacy or security benefit.
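The check sequence in steps 1 to 5, written out as an added example; this is not the plugin's own source. The function name, error codes, the `html` response key and the `gawpg_example_gallery_html` filter are assumptions made for illustration; the route, the gawpg_gallery post type and the WordPress core calls are as described above.

```php
<?php
// Added example (hypothetical handler, not the plugin's code).
add_action( 'rest_api_init', function () {
    register_rest_route( 'global-ai-gallery/v1', '/render/(?P<id>\d+)', array(
        'methods'             => 'GET',
        // Public route: the read decision is made per post inside the handler.
        'permission_callback' => '__return_true',
        'callback'            => 'gawpg_example_render_endpoint',
        'args'                => array(
            'id' => array(
                // Step 1: reject anything that is not a positive integer.
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

function gawpg_example_render_endpoint( WP_REST_Request $request ) {
    $not_found = new WP_Error( 'gawpg_example_not_found', 'Gallery not found.', array( 'status' => 404 ) );

    // Step 2: the post must exist and be a gallery.
    $post = get_post( (int) $request['id'] );
    if ( ! $post || 'gawpg_gallery' !== $post->post_type ) {
        return $not_found;
    }

    // Step 3: same rule as WP_REST_Posts_Controller::check_read_permission().
    // A non-public gallery answers with the same 404 as a missing ID.
    if ( 'publish' !== $post->post_status && ! current_user_can( 'read_post', $post->ID ) ) {
        return $not_found;
    }

    // Step 4: honour the post password (checked against the wp-postpass cookie).
    if ( post_password_required( $post ) ) {
        return new WP_Error( 'gawpg_example_password_required', 'Password required.',
            array( 'status' => rest_authorization_required_code() ) ); // 401 or 403
    }

    // Step 5: read-only rendering. The filter name is hypothetical; whatever is
    // hooked here must only build markup and must not write any state.
    $html = apply_filters( 'gawpg_example_gallery_html', '', $post );
    return rest_ensure_response( array( 'html' => $html ) );
}
```

WordPress core treats a cookie-authenticated REST request without a valid X-WP-Nonce header as logged out, so in this sketch an editor requesting a draft gets the 404 unless the frontend script sends the nonce.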