Post Blocks & Tools Security & Risk Analysis

wordpress.org/plugins/bnm-blocks

Post grid, post list, and post slider Gutenberg blocks to design blog and magazine layouts easily.

300 active installs v1.3.1 PHP 7.0+ WP 6.0+ Updated Apr 7, 2026
Tags: gutenberg-blocks, post-blocks, post-grid, post-list, post-slider
98
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Apr 8, 2026
Safety Verdict

Is Post Blocks & Tools Safe to Use in 2026?

Generally Safe

Score 98/100

Post Blocks & Tools has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Apr 8, 2026 · Updated 1mo ago
Risk Assessment

The 'bnm-blocks' plugin v1.3.0 presents a mixed security posture. On the positive side, it demonstrates strong practices regarding SQL queries, exclusively using prepared statements, and a very high percentage of properly escaped output, which mitigates many common cross-site scripting risks. The plugin also correctly implements a nonce check and a capability check in one instance, indicating an awareness of core WordPress security mechanisms. However, a significant concern lies in its attack surface. All three identified AJAX handlers lack authentication checks, making them potentially vulnerable to unauthorized actions by unauthenticated users. The presence of the `unserialize` function, a known dangerous function, also raises a red flag, especially when combined with unprotected entry points, as it could be exploited if user-controlled data is passed to it without proper sanitization. While the plugin has a history of a medium-severity CVE related to XSS, it is currently unpatched, which is a major concern. The last vulnerability was in November 2025, which suggests the vulnerability is recent or future-dated and therefore unpatched in the current version. Overall, while the plugin has some good security foundations, the unprotected AJAX endpoints and the use of `unserialize` represent significant risks that require immediate attention.

Key Concerns

  • 3 unprotected AJAX handlers
  • Presence of unserialize function
  • 1 medium severity CVE, currently unpatched
Vulnerabilities
2 published

Post Blocks & Tools Security Vulnerabilities

CVEs by Year

2025: 1 CVE
2026: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2026-5711 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Post Blocks & Tools <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'sliderStyle' Block Attribute

Apr 8, 2026 Patched in 1.3.1 (1d)
CVE-2025-11828 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Magazine Companion <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Nov 10, 2025 Patched in 1.2.4 (3d)
Version History

Post Blocks & Tools Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Post Blocks & Tools Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 1 (148 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 1
External Requests: 1
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$data = unserialize( $raw , array( 'allowed_classes' => false ) );` (inc\demo-import\class-customizer-importer.php:91)

Output Escaping

99% escaped · 149 total outputs
Attack Surface
3 unprotected

Post Blocks & Tools Attack Surface

Entry Points: 3
Unprotected: 3

AJAX Handlers 3

auth · wp_ajax_bnmbt_import_demo_data · inc\demo-import\class-demo-import.php:122
auth · wp_ajax_bnmbt_import_customizer_data · inc\demo-import\class-demo-import.php:123
auth · wp_ajax_bnmbt_importer_after_import_data · inc\demo-import\class-demo-import.php:124
WordPress Hooks 30
action · enqueue_block_editor_assets · inc\class-main.php:18
action · after_setup_theme · inc\class-main.php:19
filter · block_categories_all · inc\class-main.php:20
action · wp_enqueue_scripts · inc\class-main.php:21
action · admin_menu · inc\demo-import\class-demo-import.php:118
action · after_setup_theme · inc\demo-import\class-demo-import.php:119
action · bnmbt_display_demo_showcase · inc\demo-import\class-demo-import.php:120
action · admin_enqueue_scripts · inc\demo-import\class-demo-import.php:121
action · wp_import_insert_post · inc\demo-import\class-demo-import.php:125
action · bnmbt_importer_after_import · inc\demo-import\class-demo-import.php:126
filter · upload_mimes · inc\demo-import\class-helpers.php:362
action · bnmbt_importer_before_content_import_execution · inc\demo-import\class-import-actions.php:21
action · bnmbt_importer_after_content_import_execution · inc\demo-import\class-import-actions.php:24
action · bnmbt_importer_after_content_import_execution · inc\demo-import\class-import-actions.php:25
action · bnmbt_importer_after_content_import_execution · inc\demo-import\class-import-actions.php:26
action · bnmbt_importer_customizer_import_execution · inc\demo-import\class-import-actions.php:29
action · bnmbt_importer_after_all_import_execution · inc\demo-import\class-import-actions.php:32
action · bnmbt_importer_widget_settings_array · inc\demo-import\class-import-actions.php:36
filter · wxr_importer.pre_process.user · inc\demo-import\class-importer.php:133
filter · wxr_importer.pre_process.post · inc\demo-import\class-importer.php:136
filter · intermediate_image_sizes_advanced · inc\demo-import\class-importer.php:140
filter · wxr_importer.pre_process.term · inc\demo-import\class-wxr-importer2.php:34
filter · the_category · inc\template-functions.php:124
action · init · src\block-styles\block-styles.php:23
action · init · src\blocks\posts\featured-posts-1\view.php:18
action · init · src\blocks\posts\featured-posts-2\view.php:18
action · init · src\blocks\posts\post-block-1\view.php:19
action · init · src\blocks\posts\post-block-2\view.php:19
action · init · src\blocks\posts\posts-ultra\view.php:18
action · init · src\blocks\posts\slider\view.php:25
Maintenance & Trust

Post Blocks & Tools Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Apr 7, 2026
PHP min version: 7.0
Downloads: 3K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 300
Developer Profile

Post Blocks & Tools Developer Profile

ThemezHut

7 plugins · 25K total installs

Trust score: 96
Avg Security Score: 94/100
Avg Patch Time: 2 days
Detection Fingerprints

How We Detect Post Blocks & Tools

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/bnm-blocks/public/css/style.css
  • /wp-content/plugins/bnm-blocks/admin/js/blocks.js
  • /wp-content/plugins/bnm-blocks/admin/css/editor.css
Script Paths
  • /wp-content/plugins/bnm-blocks/admin/js/blocks.js
Version Parameters
  • /wp-content/plugins/bnm-blocks/public/css/style.css?ver=
  • /wp-content/plugins/bnm-blocks/admin/css/editor.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • bnm-blocks-slider-1
  • bnm-post-block-1
  • bnm-post-block-2
  • bnm-posts-ultra
  • bnm-featured-posts-1
  • bnm-featured-posts-2
Data Attributes
  • data-block="bnm-blocks/post-block-1"
  • data-block="bnm-blocks/post-block-2"
  • data-block="bnm-blocks/post-slider-1"
  • data-block="bnm-blocks/posts-ultra"
  • data-block="bnm-blocks/featured-posts-1"
  • data-block="bnm-blocks/featured-posts-2"
JS Globals
  • themezHutGutenberg
FAQ

Frequently Asked Questions about Post Blocks & Tools