WP-Safety

Css Magician Page Builder Security & Risk Analysis

wordpress.org/plugins/css-magician

Css Magician is a Frontend page configurator and page builder that work with all themes.

10 active installs v1.0.1 PHP 5.6+ WP 5.0+ Updated Aug 10, 2020
buildereditorpagetemplatetheme
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Css Magician Page Builder Safe to Use in 2026?

Generally Safe

Score 85/100

Css Magician Page Builder has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 5yr ago
Risk Assessment

The "css-magician" v1.0.1 plugin exhibits a mixed security posture. While it has a clean vulnerability history with no known CVEs, the static analysis reveals significant concerns. A substantial attack surface exists with 40 AJAX handlers, two of which lack any authentication checks, posing a direct risk of unauthorized actions. The code also shows a concerning lack of adherence to secure coding practices, with only 3% of outputs being properly escaped and a mere 11% of SQL queries utilizing prepared statements. This widespread lack of sanitization and proper query handling significantly increases the potential for cross-site scripting (XSS) and SQL injection vulnerabilities, despite the absence of critical taint flows in the current analysis. The presence of dangerous `exec` functions, though not currently exploited by taint analysis, also warrants caution.

While the plugin's lack of bundled libraries and a robust number of nonce checks are positive indicators, the identified weaknesses in authentication and output escaping are critical. The absence of any recorded vulnerabilities is not a guarantee of safety; rather, it might indicate a lack of in-depth security auditing or a history of undiscovered issues. The plugin's strengths lie in its clean CVE history, but its weaknesses, particularly the unprotected AJAX endpoints and poor sanitization practices, create a notable risk profile that requires immediate attention and remediation.

Key Concerns

  • AJAX handlers without authentication
  • Low percentage of properly escaped output
  • Low percentage of SQL queries using prepared statements
  • Use of dangerous 'exec' function
  • No capability checks found
Vulnerabilities
None known

Css Magician Page Builder Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Css Magician Page Builder Code Analysis

Dangerous Functions
3
Raw SQL Queries
49
6 prepared
Unescaped Output
1301
38 escaped
Nonce Checks
38
Capability Checks
0
File Operations
34
External Requests
1
Bundled Libraries
0

Dangerous Functions Found

exec$mimeType = trim(exec('file -b --mime-type ' . escapeshellarg($filename)));classes\Tools.php:228
exec$mimeType = trim(exec('file --mime ' . escapeshellarg($filename)));classes\Tools.php:230
exec$mimeType = trim(exec('file -bi ' . escapeshellarg($filename)));classes\Tools.php:233

SQL Query Safety

11% prepared55 total queries

Output Escaping

3% escaped1339 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows2 with unsanitized paths
cssm_getip (includes\cssm-functions.php:16)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

Css Magician Page Builder Attack Surface

Entry Points40
Unprotected2

AJAX Handlers 40

authwp_ajax_updatenamecontrollers\admin\cssm-admin-ajax.php:24
authwp_ajax_getipcontrollers\admin\cssm-admin-ajax.php:25
authwp_ajax_saveallsettingscontrollers\admin\cssm-admin-ajax.php:26
authwp_ajax_getallsettingscontrollers\admin\cssm-admin-ajax.php:27
authwp_ajax_deletethemecontrollers\admin\cssm-admin-ajax.php:28
authwp_ajax_getCsscontrollers\admin\cssm-admin-ajax.php:31
authwp_ajax_saveBlockcontrollers\admin\cssm-admin-ajax.php:32
authwp_ajax_dupplicateBlockLangcontrollers\admin\cssm-admin-ajax.php:33
authwp_ajax_removeBlockcontrollers\admin\cssm-admin-ajax.php:34
authwp_ajax_deleteGalleryImagecontrollers\admin\cssm-admin-ajax.php:35
authwp_ajax_deleteGalleryVideocontrollers\admin\cssm-admin-ajax.php:36
authwp_ajax_deleteGalleryAudiocontrollers\admin\cssm-admin-ajax.php:37
authwp_ajax_deleteGallerySvgcontrollers\admin\cssm-admin-ajax.php:38
authwp_ajax_deleteAllcontrollers\admin\cssm-admin-ajax.php:39
authwp_ajax_publishcontrollers\admin\cssm-admin-ajax.php:40
authwp_ajax_chooseBackgroundImagecontrollers\admin\cssm-admin-ajax.php:41
authwp_ajax_chooseBackgroundVideocontrollers\admin\cssm-admin-ajax.php:42
authwp_ajax_chooseAudiocontrollers\admin\cssm-admin-ajax.php:43
authwp_ajax_chooseSvgcontrollers\admin\cssm-admin-ajax.php:44
authwp_ajax_uploadImagecontrollers\admin\cssm-admin-ajax.php:45
authwp_ajax_uploadVideocontrollers\admin\cssm-admin-ajax.php:46
authwp_ajax_uploadAudiocontrollers\admin\cssm-admin-ajax.php:47
authwp_ajax_uploadSvgcontrollers\admin\cssm-admin-ajax.php:48
authwp_ajax_copySvgCodecontrollers\admin\cssm-admin-ajax.php:49
authwp_ajax_openHelpcontrollers\admin\cssm-admin-ajax.php:50
authwp_ajax_cleanCsscontrollers\admin\cssm-admin-ajax.php:51
authwp_ajax_getActiveHistoriccontrollers\admin\cssm-admin-ajax.php:52
authwp_ajax_cleanCssCommentscontrollers\admin\cssm-admin-ajax.php:53
authwp_ajax_loadCsscontrollers\admin\cssm-admin-ajax.php:54
authwp_ajax_loadJscontrollers\admin\cssm-admin-ajax.php:55
authwp_ajax_deleteHistorycontrollers\admin\cssm-admin-ajax.php:56
authwp_ajax_deleteCsscontrollers\admin\cssm-admin-ajax.php:57
authwp_ajax_saveCsscontrollers\admin\cssm-admin-ajax.php:58
authwp_ajax_saveJscontrollers\admin\cssm-admin-ajax.php:59
authwp_ajax_updateCsscontrollers\admin\cssm-admin-ajax.php:60
authwp_ajax_deleteVideocontrollers\admin\cssm-admin-ajax.php:61
authwp_ajax_deleteAudiocontrollers\admin\cssm-admin-ajax.php:62
authwp_ajax_deleteSvgcontrollers\admin\cssm-admin-ajax.php:63
authwp_ajax_updatenameincludes\cssm-functions.php:32
authwp_ajax_getipincludes\cssm-functions.php:33
WordPress Hooks 7
filterplugin_action_linkscss-magician.php:34
filterplugin_row_metacss-magician.php:35
actioninitcss-magician.php:37
actionwp_footercss-magician.php:38
actionplugins_loadedcss-magician.php:39
actionadmin_menucss-magician.php:193
actionadmin_initcss-magician.php:194
Maintenance & Trust

Css Magician Page Builder Maintenance & Trust

Maintenance Signals

WordPress version tested5.5.18
Last updatedAug 10, 2020
PHP min version5.6
Downloads1K

Community Trust

Rating0/100
Number of ratings0
Active installs10
Alternatives

Css Magician Page Builder Alternatives

Better Block Editor (BBE)

Better Block Editor (BBE)

better-block-editor

A
100

Better Block Editor (BBE) — responsive layout controls, on-scroll animations, and pre-made site templates for Block Editor.

4K No CVEs
Responsive Blocks – Page Builder for Blocks & Patterns

Responsive Blocks – Page Builder for Blocks & Patterns

responsive-block-editor-addons

A
95

50+ blocks to create rich sections in the Gutenberg editor. Use professional starter block patterns & templates to create websites within minutes.

4K 8 CVEs
Vayu Blocks – Website Builder for the Block Editor

Vayu Blocks – Website Builder for the Block Editor

vayu-blocks

C
66

Vayu Blocks - Page Builder For Gutenberg Editor, Block Addons & FSE Templates

1K 1 unpatched
Grigora's Kit For Website Building

Grigora's Kit For Website Building

grigora-kit

A
85

Your only requirement to create a beautiful website. Import from many prebuilt templates, or build with scratch from blocks.

200 No CVEs
FSE Themes Builder

FSE Themes Builder

gutenverse-themes-builder

A
100

Begin creating your theme effortlessly, with no coding required.

100 No CVEs
Developer Profile

Css Magician Page Builder Developer Profile

prestamagician

2 plugins · 20 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Css Magician Page Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/css-magician/assets/css/vmutcworkmytheme/wp-content/plugins/css-magician/assets/css/vmutcworkmytheme_mobile/wp-content/plugins/css-magician/assets/css/vmutcworkmytheme_inspector/wp-content/plugins/css-magician/assets/css/vmutcworkmytheme_tablet/wp-content/plugins/css-magician/assets/img/logo.png
Script Paths
/wp-content/plugins/css-magician/assets/js/stylizer/stylizer.js/wp-content/plugins/css-magician/assets/js/stylizer/stylizer.min.js/wp-content/plugins/css-magician/assets/js/stylizer/stylizer.css/wp-content/plugins/css-magician/assets/js/stylizer/stylizer.min.css/wp-content/plugins/css-magician/assets/js/stylizer/stylizer.js.map/wp-content/plugins/css-magician/assets/js/stylizer/stylizer.min.js.map
Version Parameters
css-magician/style.css?ver=css-magician/assets/css/vmutcworkmythemecss-magician/assets/css/vmutcworkmytheme_mobilecss-magician/assets/css/vmutcworkmytheme_inspectorcss-magician/assets/css/vmutcworkmytheme_tablet

HTML / DOM Fingerprints

CSS Classes
vmutc_front_styles_containervmutcworkmythemevmutcworkmytheme_mobilevmutcworkmytheme_inspectorvmutcworkmytheme_tabletstylizer-wrapperstylizer-content
Data Attributes
id="vmutc_animations"id="cssm_base_dir"id="vmutc_lang"id="vmutc_allblocks"data-plugin-path="css-magician"
JS Globals
window.cssm_base_dirwindow.vmutc_animationswindow.vmutc_langwindow.vmutc_allblocksvar CSSM_VERSIONvar CSSM_PLUGIN_URL+2 more
Shortcode Output
[css_magician_editor][css_magician_apply]
FAQ

Frequently Asked Questions about Css Magician Page Builder