CP Blocks Security & Risk Analysis

wordpress.org/plugins/cp-blocks

CP Blocks allows to insert complementary blocks of code, like buttons, design elements, new functionalities, etc. It supports inserting blocks into th …

1K active installs v1.1.2 PHP + WP 3.0.5+ Updated Apr 1, 2026
blocksbuttoncssdesignscript
99
A · Safe
CVEs total2
Unpatched0
Last CVESep 5, 2023
Safety Verdict

Is CP Blocks Safe to Use in 2026?

Generally Safe

Score 99/100

CP Blocks has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Sep 5, 2023Updated 3mo ago
Risk Assessment

The cp-blocks plugin, version 1.1.1, exhibits a mixed security posture. On the positive side, it demonstrates good practices by implementing nonce and capability checks on all its AJAX handlers, and a high percentage of its SQL queries use prepared statements, alongside a significant portion of its output being properly escaped. The static analysis also shows no critical or high severity taint flows, which is encouraging. However, the presence of the `unserialize` function is a significant concern. This function is notoriously dangerous when used with user-supplied input, as it can lead to arbitrary object injection and remote code execution if not handled with extreme care and strict validation. Furthermore, the plugin has a history of two medium severity vulnerabilities, specifically Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), with the last reported in September 2023. While these are currently patched, this history indicates a potential for vulnerabilities to arise in the plugin's handling of user input or state changes. The overall risk is moderate, stemming primarily from the `unserialize` function and the past vulnerability patterns, despite good practices in other areas.

Key Concerns

  • Use of unserialize function
  • History of 2 medium severity CVEs
Vulnerabilities
2 published

CP Blocks Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
1 CVE in 2023
2023
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2023-41732medium · 4.3Cross-Site Request Forgery (CSRF)

CP Blocks <= 1.0.20 - Cross-Site Request Forgery to Settings Update

Sep 5, 2023 Patched in 1.0.21 (140d)
CVE-2022-0448medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CP Blocks <= 1.0.14 - Authenticated Stored Cross-Site Scripting via License ID settings

Feb 2, 2022 Patched in 1.0.15 (720d)
Version History

CP Blocks Release Timeline

v1.1.2Current
v1.1.1
v1.1.0
v1.0.23
v1.0.22
v1.0.21
v1.0.201 CVE
v1.0.191 CVE
v1.0.181 CVE
v1.0.171 CVE
Code Analysis
Analyzed Mar 16, 2026

CP Blocks Code Analysis

Dangerous Functions
1
Raw SQL Queries
2
3 prepared
Unescaped Output
6
65 escaped
Nonce Checks
4
Capability Checks
4
File Operations
3
External Requests
3
Bundled Libraries
0

Dangerous Functions Found

unserializeif ( ! is_admin() || ( ! $current_user_access && ! @in_array( $current_user->ID, unserialize( $this-admin-int-license.inc.php:6

SQL Query Safety

60% prepared5 total queries

Output Escaping

92% escaped71 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

1 flows
<admin-int-license.inc> (admin-int-license.inc.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

CP Blocks Attack Surface

Entry Points1
Unprotected0

AJAX Handlers 1

authwp_ajax_cp_feedbackfeedback\cp-feedback.php:23
WordPress Hooks 14
actionadmin_bar_menubanner.php:106
filteroption_sbp_settingscp-blocks-plugin.php:20
actioninitcp-blocks-plugin.php:51
actionadmin_enqueue_scriptscp-blocks-plugin.php:54
actionadmin_menucp-blocks-plugin.php:55
actionmedia_buttonscp-blocks-plugin.php:56
actionenqueue_block_editor_assetscp-blocks-plugin.php:57
actionmedia_buttonscp-blocks-plugin.php:58
actionwp_dashboard_setupcp-blocks-plugin.php:60
actionplugins_loadedcp-main-class.inc.php:17
actionadmin_initcp-main-class.inc.php:20
filtertiny_mce_before_initcp-main-class.inc.php:21
actionadmin_enqueue_scriptsfeedback\cp-feedback.php:22
actionadmin_footerfeedback\cp-feedback.php:32
Maintenance & Trust

CP Blocks Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedApr 1, 2026
PHP min version
Downloads35K

Community Trust

Rating100/100
Number of ratings12
Active installs1K
Developer Profile

CP Blocks Developer Profile

codepeople

34 plugins · 87K total installs

76
trust score
Avg Security Score
95/100
Avg Patch Time
909 days
View full developer profile
Detection Fingerprints

How We Detect CP Blocks

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/cp-blocks/js/cff.connector.js/wp-content/plugins/cp-blocks/js/wpcf7.connector.js/wp-content/plugins/cp-blocks/js/cfte.connector.js/wp-content/plugins/cp-blocks/js/page.connector.js/wp-content/plugins/cp-blocks/js/gutenberg.js
Script Paths
js/cff.connector.jsjs/wpcf7.connector.jsjs/cfte.connector.jsjs/page.connector.jsjs/gutenberg.js
Version Parameters
cp-blocks/js/cff.connector.js?ver=cp-blocks/js/wpcf7.connector.js?ver=cp-blocks/js/cfte.connector.js?ver=cp-blocks/js/page.connector.js?ver=cp-blocks/js/gutenberg.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-cp-blocks-key
JS Globals
cp_blocks_data
Shortcode Output
<a href="javascript:jQuery(document).trigger('load_blocks_module','wpcf7');" title="Insert Block" class="button button-primary">Insert Block</a>
FAQ

Frequently Asked Questions about CP Blocks