PublishPress Blocks – Block Controls, Block Visibility, Block Permissions Security & Risk Analysis

wordpress.org/plugins/advanced-gutenberg

PublishPress Blocks is your complete solution for the WordPress block editor. You can control block permissions, styles, visibility, usage and more.

20K active installs · v3.6.2 · PHP 7.2.5+ · WP 5.5+ · Updated Dec 16, 2025
Tags: block-permissions, block-visibility, block-editor, gutenberg, gutenberg-blocks

Score: 92 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Oct 24, 2025
Safety Verdict

Is PublishPress Blocks – Block Controls, Block Visibility, Block Permissions Safe to Use in 2026?

Generally Safe

Score 92/100

PublishPress Blocks – Block Controls, Block Visibility, Block Permissions has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Oct 24, 2025 · Updated 3mo ago
Risk Assessment

The "advanced-gutenberg" v3.6.2 plugin presents a mixed security posture. While it demonstrates good practices in output escaping (94% properly escaped) and has a substantial number of nonce and capability checks (27 and 34 respectively), significant concerns arise from its attack surface and historical vulnerability patterns. The presence of 15 AJAX handlers, with 2 lacking authentication checks, and 5 REST API routes without explicit permission callbacks, creates potential entry points for unauthorized actions.

Static analysis reveals 2 flows with unsanitized paths, indicating a potential risk of directory traversal or other file-related vulnerabilities, though no critical or high severity taint flows were found. The plugin's vulnerability history is a more alarming indicator, with 3 known CVEs (one critical and two medium), primarily related to PHP Remote File Inclusion and Cross-site Scripting. That the last vulnerability was in late 2025 (though this is a future date and likely a data anomaly) and that there are currently no unpatched vulnerabilities is a positive sign, but the repeated appearance of these vulnerability classes points to a persistent weakness in input sanitization and file handling.

In conclusion, while the plugin shows some strengths in output handling and checks, the significant unprotected entry points and a history of critical and medium vulnerabilities, particularly RFI and XSS, warrant careful consideration. The identified unsanitized path flows, though not currently critical, could be exploited in conjunction with the unprotected entry points.

Key Concerns

  • AJAX handlers without authentication checks
  • REST API routes without permission callbacks
  • SQL queries without prepared statements
  • Flows with unsanitized paths
  • Critical historical CVE
  • Medium historical CVEs
  • Bundled library (Select2) potential for outdated versions
Vulnerabilities (3)

PublishPress Blocks – Block Controls, Block Visibility, Block Permissions Security Vulnerabilities

CVEs by Year

2025: 3 CVEs, all patched

Severity Breakdown

Critical: 1
Medium: 2

3 total CVEs

CVE-2025-8588 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gutenberg Blocks – PublishPress Blocks Controls, Visibility, Reusable Blocks <= 3.3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 24, 2025 · Patched in 3.4.0 (1d)

CVE-2025-48332 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Gutenberg Blocks <= 3.3.1 - Unauthenticated Local File Inclusion

Jul 28, 2025 · Patched in 3.3.2 (8d)

CVE-2025-49032 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gutenberg Blocks <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jul 1, 2025 · Patched in 3.3.2 (8d)
Code Analysis
Analyzed Mar 16, 2026

PublishPress Blocks – Block Controls, Block Visibility, Block Permissions Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (0 prepared)
Unescaped Output: 37 (633 escaped)
Nonce Checks: 27
Capability Checks: 34
File Operations: 1
External Requests: 3
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

0% prepared (2 total queries)

Output Escaping

94% escaped (670 total outputs)
Data Flows (2 unsanitized)

Data Flow Analysis

5 flows, 2 with unsanitized paths
  • updateBlocksList (incl\advanced-gutenberg-main.php:1014)
Attack Surface (2 unprotected)

PublishPress Blocks – Block Controls, Block Visibility, Block Permissions Attack Surface

Entry Points: 20
Unprotected: 2

AJAX Handlers (15)

  • auth · wp_ajax_advgb_contact_form_save · incl\advanced-gutenberg-main.php:63
  • nopriv · wp_ajax_advgb_contact_form_save · incl\advanced-gutenberg-main.php:64
  • auth · wp_ajax_advgb_newsletter_save · incl\advanced-gutenberg-main.php:65
  • nopriv · wp_ajax_advgb_newsletter_save · incl\advanced-gutenberg-main.php:66
  • auth · wp_ajax_advgb_lores_validate · incl\advanced-gutenberg-main.php:67
  • nopriv · wp_ajax_advgb_lores_validate · incl\advanced-gutenberg-main.php:68
  • auth · wp_ajax_advgb_update_blocks_list · incl\advanced-gutenberg-main.php:105
  • auth · wp_ajax_advgb_block_config_save · incl\advanced-gutenberg-main.php:106
  • auth · wp_ajax_advgb_feature_save · incl\advanced-gutenberg-main.php:107
  • auth · wp_ajax_pp_blocks-usage_scan_batch · incl\advanced-gutenberg-main.php:108
  • auth · wp_ajax_advgb_search_taxonomy_terms · incl\auto-insert-blocks\class-auto-insert-blocks.php:38
  • auth · wp_ajax_advgb_insert_search_author · incl\auto-insert-blocks\class-auto-insert-blocks.php:39
  • auth · wp_ajax_advgb_insert_search_block · incl\auto-insert-blocks\class-auto-insert-blocks.php:40
  • auth · wp_ajax_advgb_insert_search_posts · incl\auto-insert-blocks\class-auto-insert-blocks.php:41
  • auth · wp_ajax_advgb_custom_styles_ajax · incl\block-styles\block-styles.php:192

REST API Routes (5)

  • GET /wp-json/advgb/v1/terms · incl\block-controls-main.php:1758
  • GET /wp-json/advgb/v1/presets · incl\rest-api\presets.php:14
  • POST /wp-json/advgb/v1/presets · incl\rest-api\presets.php:20
  • DELETE /wp-json/advgb/v1/presets/(?P<id>[a-zA-Z0-9_-]+) · incl\rest-api\presets.php:26
  • POST /wp-json/advgb/v1/sample-presets · incl\rest-api\presets.php:32
WordPress Hooks (66)

  • action · plugins_loaded · advanced-gutenberg.php:121
  • action · init · incl\advanced-gutenberg-main.php:45
  • action · admin_init · incl\advanced-gutenberg-main.php:46
  • action · admin_init · incl\advanced-gutenberg-main.php:47
  • action · wp_loaded · incl\advanced-gutenberg-main.php:48
  • filter · rest_pre_dispatch · incl\advanced-gutenberg-main.php:49
  • action · wp_enqueue_scripts · incl\advanced-gutenberg-main.php:50
  • action · enqueue_block_assets · incl\advanced-gutenberg-main.php:51
  • action · plugins_loaded · incl\advanced-gutenberg-main.php:52
  • action · rest_api_init · incl\advanced-gutenberg-main.php:53
  • action · admin_print_scripts · incl\advanced-gutenberg-main.php:54
  • action · wp_login_failed · incl\advanced-gutenberg-main.php:58
  • filter · safe_style_css · incl\advanced-gutenberg-main.php:59
  • filter · wp_kses_allowed_html · incl\advanced-gutenberg-main.php:60
  • action · admin_footer · incl\advanced-gutenberg-main.php:72
  • action · admin_menu · incl\advanced-gutenberg-main.php:73
  • action · admin_menu · incl\advanced-gutenberg-main.php:74
  • action · plugins_loaded · incl\advanced-gutenberg-main.php:75
  • action · enqueue_block_editor_assets · incl\advanced-gutenberg-main.php:76
  • filter · mce_external_plugins · incl\advanced-gutenberg-main.php:77
  • filter · mce_buttons_2 · incl\advanced-gutenberg-main.php:78
  • filter · admin_body_class · incl\advanced-gutenberg-main.php:79
  • filter · admin_footer_text · incl\advanced-gutenberg-main.php:80
  • action · admin_enqueue_scripts · incl\advanced-gutenberg-main.php:81
  • action · activated_plugin · incl\advanced-gutenberg-main.php:82
  • filter · plugin_row_meta · incl\advanced-gutenberg-main.php:83
  • action · admin_enqueue_scripts · incl\advanced-gutenberg-main.php:86
  • filter · block_editor_settings_all · incl\advanced-gutenberg-main.php:87
  • filter · block_categories_all · incl\advanced-gutenberg-main.php:90
  • filter · block_editor_settings · incl\advanced-gutenberg-main.php:93
  • filter · block_categories · incl\advanced-gutenberg-main.php:96
  • action · admin_init · incl\advanced-gutenberg-main.php:101
  • filter · render_block_data · incl\advanced-gutenberg-main.php:111
  • filter · render_block · incl\advanced-gutenberg-main.php:112
  • filter · render_block · incl\advanced-gutenberg-main.php:113
  • filter · widget_display_callback · incl\advanced-gutenberg-main.php:114
  • filter · the_content · incl\advanced-gutenberg-main.php:115
  • filter · widget_block_content · incl\advanced-gutenberg-main.php:118
  • filter · register_post_type_args · incl\advanced-gutenberg-main.php:122
  • filter · register_taxonomy_args · incl\advanced-gutenberg-main.php:123
  • action · wp_head · incl\advanced-gutenberg-main.php:691
  • action · admin_head · incl\advanced-gutenberg-main.php:692
  • action · admin_head · incl\advanced-gutenberg-main.php:695
  • filter · script_loader_tag · incl\advanced-gutenberg-main.php:770
  • filter · block_editor_settings_all · incl\advanced-gutenberg-main.php:3087
  • action · init · incl\auto-insert-blocks\class-auto-insert-blocks.php:30
  • action · save_post · incl\auto-insert-blocks\class-auto-insert-blocks.php:31
  • filter · the_content · incl\auto-insert-blocks\class-auto-insert-blocks.php:32
  • filter · parent_file · incl\auto-insert-blocks\class-auto-insert-blocks.php:33
  • filter · submenu_file · incl\auto-insert-blocks\class-auto-insert-blocks.php:34
  • action · admin_notices · incl\auto-insert-blocks\class-auto-insert-blocks.php:35
  • filter · manage_advgb_insert_block_posts_columns · incl\auto-insert-blocks\class-auto-insert-blocks.php:44
  • action · manage_advgb_insert_block_posts_custom_column · incl\auto-insert-blocks\class-auto-insert-blocks.php:45
  • action · admin_head-edit.php · incl\auto-insert-blocks\class-auto-insert-blocks.php:46
  • filter · post_row_actions · incl\auto-insert-blocks\class-auto-insert-blocks.php:47
  • action · admin_post_duplicate_auto_insert_block · incl\auto-insert-blocks\class-auto-insert-blocks.php:48
  • action · months_dropdown_results · incl\auto-insert-blocks\class-auto-insert-blocks.php:49
  • action · admin_enqueue_scripts · incl\auto-insert-blocks\class-auto-insert-blocks.php:52
  • filter · the_content · incl\auto-insert-blocks\class-auto-insert-blocks.php:424
  • action · add_meta_boxes · incl\auto-insert-blocks\class-auto-insert-metaboxes.php:29
  • action · admin_notices · incl\block-styles\block-styles.php:193
  • action · rest_api_init · incl\rest-api\presets.php:9
  • action · init · init.php:28
  • action · admin_init · init.php:82
  • action · init · init.php:150
  • filter · publishpress_wp_reviews_display_banner_publishpress · review\review-request.php:24
Maintenance & Trust

PublishPress Blocks – Block Controls, Block Visibility, Block Permissions Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 16, 2025
PHP min version: 7.2.5
Downloads: 1.8M

Community Trust

Rating: 94/100
Number of ratings: 202
Active installs: 20K
Developer Profile

PublishPress Blocks – Block Controls, Block Visibility, Block Permissions Developer Profile

PublishPress

11 plugins · 272K total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 321 days
Detection Fingerprints

How We Detect PublishPress Blocks – Block Controls, Block Visibility, Block Permissions

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/advanced-gutenberg/assets/css/advgb-frontend.css
  • /wp-content/plugins/advanced-gutenberg/assets/css/advgb-editor.css
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-editor.js
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-frontend.js
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-blocks.js
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-block-editor.js
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-common.js
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-backend.js
Script Paths
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-editor.js
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-frontend.js
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-blocks.js
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-block-editor.js
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-common.js
  • /wp-content/plugins/advanced-gutenberg/assets/js/advgb-backend.js
Version Parameters
  • advanced-gutenberg/assets/css/advgb-frontend.css?ver=
  • advanced-gutenberg/assets/css/advgb-editor.css?ver=
  • advanced-gutenberg/assets/js/advgb-editor.js?ver=
  • advanced-gutenberg/assets/js/advgb-frontend.js?ver=
  • advanced-gutenberg/assets/js/advgb-blocks.js?ver=
  • advanced-gutenberg/assets/js/advgb-block-editor.js?ver=
  • advanced-gutenberg/assets/js/advgb-common.js?ver=
  • advanced-gutenberg/assets/js/advgb-backend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • advgb-contact-form
  • advgb-block
  • advgb-block-editor
  • advgb-block-editor-wrapper
  • advgb-block-controls
  • advgb-settings-page
  • advgb-settings-tab
HTML Comments
  • <!-- Default role access -->
  • <!-- Default active all blocks -->
  • <!-- Store original editor settings value, before we modify it to allow/hide blocks based on user roles -->
  • <!-- Main class of Gutenberg Advanced -->
  • (+4 more)
Data Attributes
  • data-advgb-block-type
  • data-advgb-block-id
JS Globals
  • window.advgb
REST Endpoints
  • /wp-json/advgb/v1/presets
  • /wp-json/advgb/v1/settings
FAQ

Frequently Asked Questions about PublishPress Blocks – Block Controls, Block Visibility, Block Permissions