aThemes Starter Sites Security & Risk Analysis

wordpress.org/plugins/athemes-starter-sites

We've got a full and ever-growing library stocked with ready-made templates for any kind of business.

40K active installs · v1.1.7 · PHP 5.4+ · WP 4.0+ · Updated Mar 3, 2026

Tags: athemes, demos, elementor, import, sites

Score: 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jul 26, 2024
Safety Verdict

Is aThemes Starter Sites Safe to Use in 2026?

Generally Safe

Score 99/100

aThemes Starter Sites has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jul 26, 2024 · Updated 1mo ago
Risk Assessment

The 'athemes-starter-sites' plugin v1.1.7 exhibits a generally good security posture with several strengths, including a high percentage of prepared SQL statements and properly escaped output. The absence of critical or high-severity taint analysis findings and a lack of currently unpatched CVEs are positive indicators. However, a notable concern is the presence of 8 AJAX handlers that lack authentication checks, representing a significant attack surface that could be exploited by unauthenticated users. The plugin's history shows one medium-severity Cross-Site Scripting (XSS) vulnerability, suggesting a need for continued vigilance in input sanitization and output encoding, even with the current high rate of proper escaping.

Despite the positive aspects, such as the lack of critical code signals and a recent focus on patching vulnerabilities, the unprotected AJAX endpoints present a tangible risk. While taint analysis shows no immediate critical or high-severity flows, the 8 unauthenticated entry points are reachable without a logged-in session and should be treated as exposed attack surface. The past XSS vulnerability, though resolved, is a reminder that subtle flaws can emerge even where good practices are followed. Overall, the plugin is on solid ground with good defensive programming, but the identified unauthenticated AJAX handlers require immediate attention to fully secure it.

Key Concerns

  • Unprotected AJAX handlers detected
  • Past medium severity XSS vulnerability
Vulnerabilities (1)

aThemes Starter Sites Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched, none unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2024-6897 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

aThemes Starter Sites <= 1.0.53 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

Jul 26, 2024 · Patched in 1.0.54 (1d)
Code Analysis
Analyzed Mar 16, 2026

aThemes Starter Sites Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (11 prepared)
Unescaped Output: 4 (200 escaped)
Nonce Checks: 15
Capability Checks: 30
File Operations: 7
External Requests: 11
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

85% prepared (13 total queries)

Output Escaping

98% escaped (204 total outputs)

Data Flows: All sanitized

Data Flow Analysis

9 flows

html_import_data (core\class-demos-page.php:113)

Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface (8 unprotected)

aThemes Starter Sites Attack Surface

Entry Points: 26
Unprotected: 8

AJAX Handlers (26)

auth · wp_ajax_atss_html_import_data · core\class-demos-page.php:69
nopriv · wp_ajax_atss_html_import_data · core\class-demos-page.php:70
auth · wp_ajax_atss_dismissed_handler · core\class-demos-page.php:74
auth · wp_ajax_atss_import_plugin · import\class-import.php:61
auth · wp_ajax_atss_import_contents · import\class-import.php:62
auth · wp_ajax_atss_import_customizer · import\class-import.php:63
auth · wp_ajax_atss_import_widgets · import\class-import.php:64
auth · wp_ajax_atss_import_options · import\class-import.php:65
auth · wp_ajax_atss_import_finish · import\class-import.php:66
auth · wp_ajax_atss_notice_dismissed_handler · inc\class-notice.php:15
auth · wp_ajax_atss_import_data · v2\classes\class-demos.php:65
auth · wp_ajax_atss_html_import_data · v2\classes\class-demos.php:66
auth · wp_ajax_atss_dismissed_handler · v2\classes\class-demos.php:67
auth · wp_ajax_atss_import_start · v2\classes\class-importer.php:96
auth · wp_ajax_atss_import_clean · v2\classes\class-importer.php:97
auth · wp_ajax_atss_import_plugin · v2\classes\class-importer.php:98
auth · wp_ajax_atss_import_contents · v2\classes\class-importer.php:99
auth · wp_ajax_atss_import_widgets · v2\classes\class-importer.php:100
auth · wp_ajax_atss_import_customizer · v2\classes\class-importer.php:101
auth · wp_ajax_atss_import_finish · v2\classes\class-importer.php:102
auth · wp_ajax_atss_get_wizard_state · v2\onboarding\class-onboarding-wizard.php:136
auth · wp_ajax_atss_save_wizard_state · v2\onboarding\class-onboarding-wizard.php:137
auth · wp_ajax_atss_delete_wizard_state · v2\onboarding\class-onboarding-wizard.php:138
auth · wp_ajax_atss_get_demo_pages · v2\onboarding\class-onboarding-wizard.php:139
auth · wp_ajax_atss_apply_wizard_customizations · v2\onboarding\class-onboarding-wizard.php:140
auth · wp_ajax_atss_init_wizard_from_legacy · v2\onboarding\class-onboarding-wizard.php:141
WordPress Hooks (72)

action · atss_plugin_activation · core\class-core.php:81
action · plugins_loaded · core\class-core.php:82
action · admin_enqueue_scripts · core\class-core.php:83
action · plugins_loaded · core\class-core.php:84
action · init · core\class-demos-page.php:62
action · init · core\class-demos-page.php:63
action · init · core\class-demos-page.php:65
action · admin_menu · core\class-demos-page.php:66
action · admin_enqueue_scripts · core\class-demos-page.php:72
action · admin_notices · core\class-demos-page.php:73
action · atss_plugin_activation · core\class-demos-page.php:76
action · atss_plugin_deactivation · core\class-demos-page.php:77
action · after_setup_theme · import\class-import.php:51
action · upload_mimes · import\class-import.php:58
filter · wp_check_filetype_and_ext · import\class-import.php:59
filter · wxr_importer.pre_process.user · import\class-import.php:379
filter · wxr_importer.pre_process.post · import\class-import.php:382
filter · wxr_importer.pre_process.term · import\wp-content-importer-v2\WXRImporter.php:106
filter · import_post_meta_key · import\wp-content-importer-v2\WXRImporter.php:330
filter · http_request_timeout · import\wp-content-importer-v2\WXRImporter.php:331
action · admin_enqueue_scripts · inc\class-notice.php:13
action · admin_notices · inc\class-notice.php:14
filter · atss_register_demos_list · themes\airi.php:297
action · atss_finish_import · themes\airi.php:415
filter · atss_register_demos_list · themes\botiga.php:160
action · atss_finish_import · themes\botiga.php:281
filter · woocommerce_create_pages · themes\botiga.php:287
filter · atss_register_demos_list · themes\sydney-pro.php:705
action · atss_finish_import · themes\sydney-pro.php:778
filter · atss_register_demos_list · themes\sydney.php:521
action · atss_finish_import · themes\sydney.php:556
action · init · v2\classes\class-core.php:49
action · plugins_loaded · v2\classes\class-core.php:52
action · admin_enqueue_scripts · v2\classes\class-core.php:53
action · init · v2\classes\class-demos.php:56
action · init · v2\classes\class-demos.php:57
action · admin_notices · v2\classes\class-demos.php:59
action · admin_footer · v2\classes\class-demos.php:60
action · admin_footer · v2\classes\class-demos.php:61
action · atss_starter_sites · v2\classes\class-demos.php:63
action · atss_plugin_activation · v2\classes\class-demos.php:69
action · atss_plugin_deactivation · v2\classes\class-demos.php:70
action · after_setup_theme · v2\classes\class-importer.php:62
action · upload_mimes · v2\classes\class-importer.php:93
filter · wp_check_filetype_and_ext · v2\classes\class-importer.php:94
filter · wxr_importer.pre_process.user · v2\classes\class-importer.php:626
filter · wxr_importer.pre_process.post · v2\classes\class-importer.php:629
filter · wxr_importer.pre_process.post · v2\classes\class-importer.php:632
filter · wxr_importer.pre_process.post_meta · v2\classes\class-importer.php:635
filter · wxr_importer.processed.post · v2\classes\class-importer.php:638
filter · wxr_importer.processed.term · v2\classes\class-importer.php:641
filter · atss_importer.processed.attachment · v2\classes\class-importer.php:645
filter · wxr_importer.pre_process.term · v2\classes\class-importer.php:650
filter · add_term_metadata · v2\classes\class-importer.php:651
action · admin_menu · v2\onboarding\class-onboarding-wizard.php:132
action · admin_enqueue_scripts · v2\onboarding\class-onboarding-wizard.php:133
action · atss_import_start · v2\onboarding\class-onboarding-wizard.php:144
filter · wxr_importer.pre_process.post · v2\onboarding\includes\class-contact-replacer.php:47
filter · wxr_importer.pre_process.post_meta · v2\onboarding\includes\class-contact-replacer.php:48
filter · atss_before_widgets_import_data · v2\onboarding\includes\class-contact-replacer.php:49
action · atss_import_customizer · v2\onboarding\includes\class-contact-replacer.php:50
filter · wp_resource_hints · v2\onboarding\includes\class-enqueue-assets.php:88
filter · wxr_importer.pre_process.post · v2\onboarding\includes\class-page-filter.php:32
filter · atss_register_demos_list · v2\themes\botiga.php:448
action · atss_import_start · v2\themes\botiga.php:535
action · atss_finish_import · v2\themes\botiga.php:743
filter · woocommerce_create_pages · v2\themes\botiga.php:769
filter · atss_register_demos_list · v2\themes\sydney.php:908
action · atss_import_start · v2\themes\sydney.php:929
action · atss_finish_import · v2\themes\sydney.php:1092
filter · atss_register_customize_tooltips · v2\themes\sydney.php:1112
filter · atss_customizer_import_theme_match · v2\themes\sydney.php:1136
Maintenance & Trust

aThemes Starter Sites Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Mar 3, 2026
PHP min version: 5.4
Downloads: 1.9M

Community Trust

Rating: 40/100
Number of ratings: 2
Active installs: 40K
Developer Profile

aThemes Starter Sites Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
Detection Fingerprints

How We Detect aThemes Starter Sites

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/athemes-starter-sites/assets/js/select2.min.js
/wp-content/plugins/athemes-starter-sites/assets/js/stylefire.min.js
/wp-content/plugins/athemes-starter-sites/assets/js/popmotion.global.min.js

Script Paths
/wp-content/plugins/athemes-starter-sites/assets/js/select2.min.js
/wp-content/plugins/athemes-starter-sites/assets/js/stylefire.min.js
/wp-content/plugins/athemes-starter-sites/assets/js/popmotion.global.min.js

Version Parameters
athemes-starter-sites/athemes-starter-sites.php?ver=
select2.min.js?ver=
stylefire.min.js?ver=
popmotion.global.min.js?ver=

HTML / DOM Fingerprints

JS Globals
ATSS_URL
FAQ

Frequently Asked Questions about aThemes Starter Sites