aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder Security & Risk Analysis

wordpress.org/plugins/ablocks

aBlocks is a Gutenberg-based website builder with 100+ free flexible blocks and powerful form solutions, allowing you to build any type of form!

2K active installs · v2.7.7 · PHP 7.4+ · WP 6.3+ · Updated Mar 13, 2026
Tags: block, blocks, editor, gutenberg, gutenberg-blocks
Score: 74 (B · Generally Safe)
CVEs total: 3
Unpatched: 1
Last CVE: Jan 6, 2026
Safety Verdict

Is aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder Safe to Use in 2026?

Mostly Safe

Score 74/100

aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder is generally safe to use. 3 past CVEs were resolved. Keep it updated.

3 known CVEs · 1 unpatched · Last CVE: Jan 6, 2026 · Updated 21d ago
Risk Assessment

The ablocks plugin v2.7.7 exhibits a mixed security posture. It follows good practice in many areas, with high percentages of prepared SQL statements and properly escaped output, but significant concerns remain. Two AJAX handlers without authentication checks present a clear attack vector for unauthorized actions. The use of the `unserialize` function is a notable risk, because deserializing untrusted input can lead to PHP object injection and, from there, Remote Code Execution; of the two calls found, the one in includes\import\customizer-importer.php passes `allowed_classes => false`, while the one in addons\theme-builder\helper.php does not. The plugin's history of three known CVEs, with one currently unpatched, and a pattern of Missing Authorization and Cross-Site Scripting vulnerabilities, indicates a recurring struggle with secure input handling and access control. Although taint analysis showed no critical or high severity flows, the historical context and the identified code-level weaknesses warrant caution.

Key Concerns

  • Two AJAX handlers without authentication checks
  • Use of dangerous function: unserialize
  • One unpatched CVE of medium severity
  • History of missing authorization vulnerabilities
  • History of XSS vulnerabilities
Vulnerabilities
3

aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder Security Vulnerabilities

CVEs by Year

  • 2025: 2 CVEs
  • 2026: 1 CVE · unpatched

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2025-12449 · medium · 5.4 · Missing Authorization

aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification

Jan 6, 2026 · Unpatched

CVE-2025-47616 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

aBlocks <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 7, 2025 · Patched in 1.9.3 (80d)

CVE-2024-13465 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

aBlocks – WordPress Gutenberg Blocks <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 17, 2025 · Patched in 1.6.2 (1d)
Code Analysis
Analyzed Mar 16, 2026

aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 5 (55 prepared)
  • Unescaped Output: 59 (648 escaped)
  • Nonce Checks: 8
  • Capability Checks: 13
  • File Operations: 28
  • External Requests: 10
  • Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `'location' => unserialize( $local_post->meta_value ),` · addons\theme-builder\helper.php:172
  • unserialize · `$data = unserialize( $raw, array( 'allowed_classes' => false ) );` · includes\import\customizer-importer.php:101

SQL Query Safety

92% prepared · 60 total queries

Output Escaping

92% escaped · 707 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
<insights> (includes\admin\insights.php:0)
Attack Surface
2 unprotected

aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder Attack Surface

Entry Points: 7
Unprotected: 2

AJAX Handlers 6

  • auth · wp_ajax_ablocks/addons/get_all_addons · includes\addons.php:16
  • auth · wp_ajax_ablocks/addons/saved_addon_status · includes\addons.php:17
  • auth · wp_ajax_insights_deactivate_send · includes\admin\insights.php:58
  • auth · wp_ajax_insights_optin · includes\admin\insights.php:81
  • auth · wp_ajax_ablocks/get_academy_terms · includes\ajax.php:26
  • auth · wp_ajax_ablocks/get_storeengine_terms · includes\ajax.php:27

Shortcodes 1

[ablocks_template] addons\theme-builder\shortcode.php:15
WordPress Hooks 90

  • action · plugins_loaded · ablocks.php:28
  • action · ablocks_loaded · ablocks.php:29
  • action · get_header · addons\theme-builder\abstract-compatibility-base.php:28
  • action · get_footer · addons\theme-builder\abstract-compatibility-base.php:36
  • filter · ablocks/assets/dashboard_scripts_data · addons\theme-builder\assets.php:16
  • action · wp_enqueue_scripts · addons\theme-builder\assets.php:17
  • action · template_redirect · addons\theme-builder\compatibility\astra.php:22
  • action · template_redirect · addons\theme-builder\compatibility\astra.php:31
  • action · wp · addons\theme-builder\compatibility-manager.php:18
  • action · init · addons\theme-builder\database.php:11
  • action · rest_api_init · addons\theme-builder\database.php:12
  • action · wp_body_open · addons\theme-builder\frontend.php:12
  • filter · ablocks/is_allow_block_inline_assets · addons\theme-builder\frontend.php:18
  • filter · ablocks/is_enabled_assets_generation · addons\theme-builder\frontend.php:19
  • filter · ablocks/is_allow_block_inline_assets · addons\theme-builder\shortcode.php:31
  • filter · ablocks/is_enabled_assets_generation · addons\theme-builder\shortcode.php:32
  • action · rss2_head · includes\admin\export.php:16
  • action · export_filters · includes\admin\export.php:17
  • action · init · includes\admin\export.php:18
  • action · admin_notices · includes\admin\insights.php:53
  • action · admin_init · includes\admin\insights.php:54
  • action · admin_enqueue_scripts · includes\admin\insights.php:55
  • action · admin_enqueue_scripts · includes\admin\insights.php:56
  • action · admin_footer · includes\admin\insights.php:191
  • action · admin_menu · includes\admin\menu.php:14
  • action · admin_head · includes\admin\menu.php:15
  • action · admin_notices · includes\admin\notice.php:13
  • action · admin_init · includes\admin\notice.php:14
  • filter · upload_mimes · includes\admin.php:13
  • filter · wp_check_filetype_and_ext · includes\admin.php:14
  • filter · allowed_redirect_hosts · includes\admin.php:37
  • action · current_screen · includes\admin.php:38
  • filter · plugin_row_meta · includes\admin.php:40
  • action · admin_init · includes\admin.php:41
  • action · rest_api_init · includes\api\loop-builder-controller.php:16
  • action · rest_api_init · includes\api\search-controller.php:19
  • action · rest_api_init · includes\api.php:15
  • action · admin_enqueue_scripts · includes\assets.php:26
  • action · admin_enqueue_scripts · includes\assets.php:27
  • action · enqueue_block_assets · includes\assets.php:28
  • action · enqueue_block_assets · includes\assets.php:29
  • action · wp_enqueue_scripts · includes\assets.php:30
  • action · wp_enqueue_scripts · includes\assets.php:32
  • action · wp_enqueue_block_assets · includes\assets.php:34
  • action · wp_enqueue_scripts · includes\assets.php:35
  • action · enqueue_block_editor_assets · includes\assets.php:36
  • action · enqueue_block_editor_assets · includes\assets.php:37
  • action · wp · includes\assets.php:40
  • filter · pre_render_block · includes\assets.php:44
  • action · ablocks/before_enqueue_frontend_scripts · includes\assets.php:45
  • action · ablocks_theme_builder_after_dispatch · includes\assets.php:47
  • action · wp · includes\assets.php:48
  • action · wp_print_scripts · includes\assets.php:213
  • action · wp_print_scripts · includes\assets.php:261
  • filter · ablocks/is_allow_block_inline_assets · includes\assets.php:386
  • filter · academy/shortcode/instructor_registration_form_is_user_logged_in · includes\blocks\academy-instructor-registration-form\block.php:23
  • filter · academy/shortcode/login_form_is_user_logged_in · includes\blocks\academy-login-form\block.php:24
  • filter · academy/shortcode/password_reset_form_is_user_logged_in · includes\blocks\academy-password-reset-form\block.php:23
  • filter · academy/shortcode/student_registration_form_is_user_logged_in · includes\blocks\academy-student-registration-form\block.php:24
  • action · save_post · includes\blocks\form-builder\block-attr-sanitizer\sanitizer.php:39
  • filter · ablocks/get_render_block_content · includes\blocks\form-builder\block.php:24
  • filter · render_block_context · includes\blocks\loop-template\block.php:159
  • filter · ablocks/get_render_block_content · includes\blocks\modal-panel\block.php:18
  • filter · storeengine/shortcode/login_form_is_user_logged_in · includes\blocks\storeengine-login-form\block.php:25
  • filter · storeengine/shortcode/login_form_is_user_logged_in · includes\blocks\storeengine-login-form\block.php:243
  • filter · the_content · includes\blocks\table-of-content\block.php:256
  • action · init · includes\blocks.php:19
  • action · enqueue_block_assets · includes\blocks.php:20
  • filter · block_categories_all · includes\blocks.php:21
  • action · save_post · includes\blocks.php:23
  • action · switch_theme · includes\blocks.php:24
  • action · save_post · includes\blocks.php:25
  • filter · academy/is_load_common_scripts · includes\blocks.php:43
  • filter · academy/is_load_common_js_scripts · includes\blocks.php:45
  • filter · ablocks/assets/editor_scripts_data · includes\blocks.php:260
  • action · init · includes\classes\block-base-abstract.php:34
  • filter · display_post_states · includes\create-page\page\show-page-state.php:11
  • filter · the_content · includes\frontend\link.php:14
  • filter · body_class · includes\frontend\template.php:20
  • filter · theme_page_templates · includes\frontend\template.php:21
  • filter · template_include · includes\frontend\template.php:22
  • action · template_include · includes\frontend\template.php:24
  • filter · ablocks/is_enabled_assets_generation · includes\frontend\template.php:25
  • action · template_redirect · includes\frontend\template.php:29
  • filter · render_block · includes\frontend.php:18
  • filter · import_post_meta_key · includes\import\wp-import.php:56
  • filter · http_request_timeout · includes\import\wp-import.php:57
  • filter · render_block_data · includes\migration.php:15
  • filter · query_vars · includes\permalink-rewrite.php:11
  • action · generate_rewrite_rules · includes\permalink-rewrite.php:12

Maintenance & Trust

aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 13, 2026
  • PHP min version: 7.4
  • Downloads: 63K

Community Trust

  • Rating: 100/100
  • Number of ratings: 22
  • Active installs: 2K

Developer Profile

aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder Developer Profile

Kodezen LLC

7 plugins · 5K total installs

  • Trust score: 89
  • Avg Security Score: 93/100
  • Avg Patch Time: 15 days

Detection Fingerprints

How We Detect aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/ablocks/assets/css/frontend.css
  • /wp-content/plugins/ablocks/assets/js/frontend.js
  • /wp-content/plugins/ablocks/assets/css/blocks.style.build.css
  • /wp-content/plugins/ablocks/assets/js/blocks.editor.build.js
  • /wp-content/plugins/ablocks/assets/js/blocks.build.js
  • /wp-content/plugins/ablocks/assets/css/theme-builder/frontend.css
  • /wp-content/plugins/ablocks/assets/js/theme-builder/frontend.js
  • /wp-content/plugins/ablocks/assets/css/blocks.style.css
  • +3 more

Script Paths

  • /wp-content/plugins/ablocks/assets/js/frontend.js
  • /wp-content/plugins/ablocks/assets/js/blocks.editor.build.js
  • /wp-content/plugins/ablocks/assets/js/blocks.build.js
  • /wp-content/plugins/ablocks/assets/js/theme-builder/frontend.js
  • /wp-content/plugins/ablocks/assets/js/blocks.js
  • /wp-content/plugins/ablocks/assets/js/theme-builder/editor.js

Version Parameters

  • ablocks/assets/css/frontend.css?ver=
  • ablocks/assets/js/frontend.js?ver=
  • ablocks/assets/css/blocks.style.build.css?ver=
  • ablocks/assets/js/blocks.editor.build.js?ver=
  • ablocks/assets/js/blocks.build.js?ver=
  • ablocks/assets/css/theme-builder/frontend.css?ver=
  • ablocks/assets/js/theme-builder/frontend.js?ver=
  • ablocks/assets/css/blocks.style.css?ver=
  • ablocks/assets/js/blocks.js?ver=
  • ablocks/assets/js/theme-builder/editor.js?ver=
  • ablocks/assets/css/theme-builder/editor.css?ver=

HTML / DOM Fingerprints

  • CSS Classes: ablocks-frontend-wrapper
  • HTML Comments: ABLOCKS_ASSETS_URL, ABLOCKS_ROOT_URL, ABLOCKS_ROOT_DIR_PATH, ABLOCKS_ASSETS_PATH, +12 more
  • Data Attributes: data-ablocks-block-options
  • JS Globals: ablocks_params
  • REST Endpoints: /wp-json/ablocks/v1/get-blocks