Envo Extra Security & Risk Analysis

wordpress.org/plugins/envo-extra

Extra addon for EnvoThemes Themes

20K active installs · v1.9.19 · PHP 5.6+ · WP 4.9+ · Updated Feb 12, 2026
Tags: demo, elementor, envothemes, woocommerce
Security score: 95 (A · Safe)
CVEs total: 7 · Unpatched: 0 · Last CVE: Dec 5, 2025
Safety Verdict

Is Envo Extra Safe to Use in 2026?

Generally Safe

Score 95/100

Envo Extra has a solid security track record: all seven known vulnerabilities are patched, and six of the seven fixes shipped within 11 days of disclosure (the 2023 CSRF issue is the outlier at 98 days).

7 known CVEs · Last CVE: Dec 5, 2025 · Plugin updated 1 month ago
Risk Assessment

Envo Extra v1.9.19 presents a mixed picture. The static analysis is clean on the usual sinks: no dangerous functions, both SQL queries use prepared statements, and 105 of 117 output sites (about 90%) go through an escaping function. The concern is the AJAX attack surface. The scanner found four AJAX entry points, none carrying a nonce or capability check of its own. They are two handlers, each registered on both the wp_ajax_ and wp_ajax_nopriv_ hooks, and both live in the bundled Kirki framework (include\packages\kirki-framework), so they are reachable by unauthenticated callers through admin-ajax.php. Whether that matters depends on what the callbacks return; by their names they serve font lists, which is low-value data, but an unauthenticated endpoint should be verified rather than assumed harmless. The "Bundled Libraries: 0" figure in the code analysis undercounts this dependency: Kirki is vendored under include\packages\, so any fix in the framework reaches sites only when EnvoThemes ships a new plugin release. The vulnerability history reinforces the concern: seven medium-severity advisories since 2023 covering CSRF, missing authorization, an authorization bypass through a user-controlled key, and four Contributor+ XSS issues (three of them stored). That pattern points to recurring gaps in authorization and output handling rather than a single one-off mistake. All seven are patched, the unpatched count is zero, and the taint analysis reports no critical findings. Recommended: confirm the Kirki AJAX callbacks expose nothing beyond what an anonymous visitor may already see, require check_ajax_referer() plus a capability check on any handler that is not intentionally public, and re-audit the widget output paths that produced the XSS history.

Key Concerns

  • 4 AJAX entry points (2 handlers, each on wp_ajax_ and wp_ajax_nopriv_) without nonce or capability checks
  • 7 medium-severity CVEs in the vulnerability history (2023 to 2025), all patched
  • 1 nonce check in the whole plugin against 4 entry points
  • 2 capability checks in the whole plugin against 4 entry points
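The pattern behind the first concern, shown as an added example that is not code from Envo Extra or the Kirki framework: a callback registered on both AJAX hooks with no checks, beside a hardened form that adds the nonce, capability and per-object authorization checks the page says are missing. The plugin slug "demo-fonts", the action names, the nonce action "demo_fonts_nonce" and the script handle are assumptions chosen for illustration.

```php
<?php
/**
 * Added example (not Envo Extra or Kirki code). Names such as
 * demo_fonts_get, demo_fonts_nonce and the "demo-fonts" handle are assumed.
 */

// --- Pattern the scanner flags: one callback on both hooks, no checks. ---
// Registering on wp_ajax_nopriv_ makes the endpoint reachable at
// /wp-admin/admin-ajax.php?action=demo_fonts_get with no session at all.
add_action( 'wp_ajax_demo_fonts_get',        'demo_fonts_get_unprotected' );
add_action( 'wp_ajax_nopriv_demo_fonts_get', 'demo_fonts_get_unprotected' );

function demo_fonts_get_unprotected() {
    // Runs for anonymous callers; the user-controlled key is trusted as-is,
    // so drafts and private posts of other authors can be read back.
    $post_id = isset( $_GET['post_id'] ) ? (int) $_GET['post_id'] : 0;
    $post    = get_post( $post_id );
    wp_send_json( array( 'content' => $post ? $post->post_content : '' ) );
}

// --- Hardened form: nonce, capability, and per-object authorization. ---
// Deliberately no wp_ajax_nopriv_ registration: the endpoint is for editors.
add_action( 'wp_ajax_demo_fonts_get_secure', 'demo_fonts_get_secure' );

function demo_fonts_get_secure() {
    // 1. CSRF: the request must carry a nonce minted for this user and action.
    //    check_ajax_referer() replies "-1" and exits when the nonce is bad.
    check_ajax_referer( 'demo_fonts_nonce', 'nonce' );

    // 2. Capability: a blanket role gate before any work is done.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Object-level authorization: the user-controlled key is checked
    //    against THIS post. Without it a Contributor could read other
    //    authors' drafts, the "user-controlled key" class in the CVE history.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $post = get_post( $post_id );
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }

    // 4. Escape/filter anything that will be re-inserted into HTML by the caller.
    wp_send_json_success( array(
        'title'   => esc_html( $post->post_title ),
        'content' => wp_kses_post( $post->post_content ),
    ) );
}

// The nonce the hardened handler expects is minted server-side and handed to
// the page's script, which sends it back as the "nonce" POST field.
function demo_fonts_enqueue() {
    wp_enqueue_script( 'demo-fonts', plugins_url( 'demo-fonts.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-fonts', 'demoFonts', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_fonts_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_fonts_enqueue' );
```

The three checks are independent: the nonce stops cross-site requests, the role capability stops anonymous and subscriber-level users, and the per-object edit_post check stops an authenticated user from walking post IDs. A handler that legitimately serves public data (a font list, for instance) can stay on wp_ajax_nopriv_, but it should then read no request parameters it does not sanitize and return nothing that is not already public.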
Vulnerabilities: 7

Envo Extra Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 4 CVEs
2025: 2 CVEs

Severity Breakdown

Medium: 7 (7 total CVEs)

CVE-2025-66066 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Envo Extra <= 1.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
  Published Dec 5, 2025 · Patched in 1.9.12 (6 days)

CVE-2025-47471 · medium · CVSS 4.3 · Missing Authorization
  Envo Extra <= 1.9.9 - Missing Authorization
  Published May 7, 2025 · Patched in 1.9.10 (6 days)

CVE-2024-10770 · medium · CVSS 4.3 · Authorization Bypass Through User-Controlled Key
  Envo Extra <= 1.9.3 - Authenticated (Contributor+) Post Disclosure
  Published Nov 8, 2024 · Patched in 1.9.4 (1 day)

CVE-2024-5645 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Envo Extra <= 1.8.23 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
  Published Jun 6, 2024 · Patched in 1.8.25 (1 day)

CVE-2024-4385 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Envo Extra <= 1.8.16 - Authenticated (Contributor+) Cross-Site Scripting
  Published May 15, 2024 · Patched in 1.8.17 (1 day)

CVE-2024-32456 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Envo Extra <= 1.8.11 - Authenticated (Contributor+) Stored Cross-Site Scripting
  Published Apr 15, 2024 · Patched in 1.8.12 (11 days)

WF-f709fca2-b7b6-4567-8055-1156f510d1ca-envo-extra · medium · CVSS 4.3 · Cross-Site Request Forgery (CSRF)
  Envo Extra <= 1.8.3 - Cross-Site Request Forgery
  Published Oct 17, 2023 · Patched in 1.8.4 (98 days)
Code Analysis
Analyzed Mar 16, 2026

Envo Extra Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 12 (105 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 3
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared (2 total queries)

Output Escaping

90% escaped (117 total outputs)
Attack Surface: 4 unprotected

Envo Extra Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers: 4 (scope | action | file:line)

auth (wp_ajax_)          | kirki_fonts_google_all_get   | include\packages\kirki-framework\googlefonts\src\GoogleFonts.php:47
nopriv (wp_ajax_nopriv_) | kirki_fonts_google_all_get   | include\packages\kirki-framework\googlefonts\src\GoogleFonts.php:48
auth (wp_ajax_)          | kirki_fonts_standard_all_get | include\packages\kirki-framework\module-webfonts\src\Webfonts\Google.php:88
nopriv (wp_ajax_nopriv_) | kirki_fonts_standard_all_get | include\packages\kirki-framework\module-webfonts\src\Webfonts\Google.php:89
WordPress Hooks: 158 (type | hook | file:line)

filter | kirki_control_types | controls\responsive-devices\control-responsive-devices-typography.php:123
filter | kirki_control_types | controls\responsive-devices\control-responsive-devices.php:65
action | init | envo-extra.php:34
action | wp_enqueue_scripts | envo-extra.php:57
action | wp_print_styles | envo-extra.php:71
filter | envo_extra_footer_text | envo-extra.php:99
action | wp_footer | envo-extra.php:119
filter | kirki_modules | envo-extra.php:190
filter | kirki_output_inline_styles | envo-extra.php:195
action | after_setup_theme | envo-extra.php:250
action | customize_register | envo-extra.php:255
action | after_setup_theme | envo-extra.php:294
action | init | envo-extra.php:297
action | init | envo-extra.php:298
filter | use_widgets_block_editor | envo-extra.php:300
action | after_setup_theme | envo-extra.php:302
action | customize_register | envo-extra.php:307
action | after_setup_theme | envo-extra.php:349
action | init | envo-extra.php:351
action | init | envo-extra.php:352
filter | use_widgets_block_editor | envo-extra.php:354
action | after_setup_theme | envo-extra.php:356
action | plugins_loaded | envo-extra.php:364
action | customize_register | envo-extra.php:372
action | admin_init | envo-extra.php:395
action | admin_enqueue_scripts | envo-extra.php:476
action | after_switch_theme | envo-extra.php:502
action | admin_init | envo-extra.php:508
action | after_switch_theme | envo-extra.php:509
action | customize_controls_print_styles | envo-extra.php:576
action | customize_controls_print_styles | envo-extra.php:587
filter | body_class | envo-extra.php:589
action | wp_enqueue_scripts | envo-extra.php:658
action | before_woocommerce_init | envo-extra.php:707
action | customize_register | include\packages\kirki-framework\compatibility\src\Aliases.php:152
filter | kirki_config | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:4
filter | kirki_control_types | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:8
filter | kirki_section_types | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:12
filter | kirki_section_types_exclude | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:16
filter | kirki_control_types_exclude | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:20
filter | kirki_controls | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:24
filter | kirki_fields | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:28
filter | kirki_modules | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:32
filter | kirki_panel_types | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:36
filter | kirki_setting_types | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:40
filter | kirki_variable | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:44
filter | kirki_values_get_value | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:48
action | init | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:52
filter | kirki_enqueue_google_fonts | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:82
filter | kirki_styles_array | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:86
filter | kirki_dynamic_css_method | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:90
filter | kirki_postmessage_script | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:94
filter | kirki_fonts_all | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:98
filter | kirki_fonts_standard_fonts | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:102
filter | kirki_fonts_google_fonts | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:106
filter | kirki_googlefonts_load_method | include\packages\kirki-framework\compatibility\src\deprecated\filters.php:110
action | wp_loaded | include\packages\kirki-framework\compatibility\src\Init.php:43
filter | kirki_control_types | include\packages\kirki-framework\compatibility\src\Init.php:44
action | customize_register | include\packages\kirki-framework\compatibility\src\Init.php:46
action | admin_notices | include\packages\kirki-framework\compatibility\src\Init.php:48
action | admin_init | include\packages\kirki-framework\compatibility\src\Init.php:49
action | customize_register | include\packages\kirki-framework\compatibility\src\Init.php:102
action | customize_register | include\packages\kirki-framework\compatibility\src\Init.php:103
action | after_setup_theme | include\packages\kirki-framework\compatibility\src\Modules.php:49
action | after_setup_theme | include\packages\kirki-framework\compatibility\src\Modules.php:50
action | wp_enqueue_scripts | include\packages\kirki-framework\compatibility\src\Scripts.php:38
action | admin_register_scripts | include\packages\kirki-framework\compatibility\src\Scripts.php:39
action | customize_controls_enqueue_scripts | include\packages\kirki-framework\compatibility\src\Scripts.php:40
filter | kirki_output_item_args | include\packages\kirki-framework\control-image\src\Field\Image.php:56
filter | kirki_output_control_classnames | include\packages\kirki-framework\control-image\src\Field\Image.php:57
action | customize_preview_init | include\packages\kirki-framework\control-react-colorful\src\Field\ReactColorful.php:60
filter | kirki_output_control_classnames | include\packages\kirki-framework\control-react-colorful\src\Field\ReactColorful.php:61
filter | kirki_field_add_setting_args | include\packages\kirki-framework\data-option\src\Option.php:27
filter | kirki_field_add_control_args | include\packages\kirki-framework\data-option\src\Option.php:28
filter | kirki_get_value | include\packages\kirki-framework\data-option\src\Option.php:29
action | wp_loaded | include\packages\kirki-framework\field\src\Field.php:90
action | wp | include\packages\kirki-framework\field\src\Field.php:97
action | customize_register | include\packages\kirki-framework\field\src\Field.php:107
action | customize_register | include\packages\kirki-framework\field\src\Field.php:110
action | customize_register | include\packages\kirki-framework\field\src\Field.php:113
filter | kirki_field_add_setting_args | include\packages\kirki-framework\field\src\Field.php:116
filter | kirki_field_add_control_args | include\packages\kirki-framework\field\src\Field.php:117
action | customize_preview_init | include\packages\kirki-framework\field-background\src\Background.php:246
filter | kirki_output_control_classnames | include\packages\kirki-framework\field-background\src\Background.php:247
action | customize_controls_enqueue_scripts | include\packages\kirki-framework\field-dimensions\src\Dimensions.php:43
action | customize_preview_init | include\packages\kirki-framework\field-dimensions\src\Dimensions.php:44
filter | kirki_output_control_classnames | include\packages\kirki-framework\field-dimensions\src\Dimensions.php:45
filter | kirki_output_control_classnames | include\packages\kirki-framework\field-multicolor\src\Field\Multicolor.php:41
action | customize_controls_enqueue_scripts | include\packages\kirki-framework\field-typography\src\Field\Typography.php:209
action | customize_preview_init | include\packages\kirki-framework\field-typography\src\Field\Typography.php:210
filter | kirki_output_control_classnames | include\packages\kirki-framework\field-typography\src\Field\Typography.php:211
action | init | include\packages\kirki-framework\l10n\src\L10n.php:62
filter | override_load_textdomain | include\packages\kirki-framework\l10n\src\L10n.php:66
action | kirki_field_init | include\packages\kirki-framework\module-css\src\CSS.php:82
action | init | include\packages\kirki-framework\module-css\src\CSS.php:83
action | wp | include\packages\kirki-framework\module-css\src\CSS.php:96
action | wp_enqueue_scripts | include\packages\kirki-framework\module-css\src\CSS.php:106
action | wp_head | include\packages\kirki-framework\module-css\src\CSS.php:108
action | admin_init | include\packages\kirki-framework\module-editor-styles\src\Editor_Styles.php:80
action | enqueue_block_editor_assets | include\packages\kirki-framework\module-editor-styles\src\Editor_Styles.php:107
action | after_setup_theme | include\packages\kirki-framework\module-editor-styles\src\Editor_Styles.php:108
action | customize_controls_enqueue_scripts | include\packages\kirki-framework\module-field-dependencies\src\Field_Dependencies.php:38
filter | kirki_field_add_control_args | include\packages\kirki-framework\module-field-dependencies\src\Field_Dependencies.php:39
action | customize_register | include\packages\kirki-framework\module-panels\src\Panel.php:63
action | customize_controls_enqueue_scripts | include\packages\kirki-framework\module-panels\src\Panel.php:65
action | customize_register | include\packages\kirki-framework\module-panels\src\Panel.php:112
action | customize_preview_init | include\packages\kirki-framework\module-postmessage\src\Postmessage.php:37
action | kirki_field_add_setting_args | include\packages\kirki-framework\module-postmessage\src\Postmessage.php:38
action | customize_controls_print_footer_scripts | include\packages\kirki-framework\module-preset\src\Preset.php:38
filter | kirki_field_add_control_args | include\packages\kirki-framework\module-preset\src\Preset.php:39
action | customize_controls_enqueue_scripts | include\packages\kirki-framework\module-section-icons\src\Section_Icons.php:56
action | kirki_panel_added | include\packages\kirki-framework\module-section-icons\src\Section_Icons.php:57
action | kirki_section_added | include\packages\kirki-framework\module-section-icons\src\Section_Icons.php:58
action | customize_register | include\packages\kirki-framework\module-sections\src\Section.php:65
action | customize_register | include\packages\kirki-framework\module-sections\src\Section.php:68
action | customize_controls_enqueue_scripts | include\packages\kirki-framework\module-sections\src\Section.php:70
action | customize_controls_print_footer_scripts | include\packages\kirki-framework\module-sections\src\Section.php:71
action | customize_register | include\packages\kirki-framework\module-sections\src\Section.php:142
filter | kirki_field_add_setting_args | include\packages\kirki-framework\module-selective-refresh\src\Selective_Refresh.php:35
action | customize_controls_print_footer_scripts | include\packages\kirki-framework\module-tooltips\src\Tooltips.php:41
filter | kirki_field_add_control_args | include\packages\kirki-framework\module-tooltips\src\Tooltips.php:42
action | wp_head | include\packages\kirki-framework\module-webfonts\src\Webfonts\Async.php:82
action | wp_head | include\packages\kirki-framework\module-webfonts\src\Webfonts\Async.php:83
action | admin_enqueue_scripts | include\packages\kirki-framework\module-webfonts\src\Webfonts\Async.php:86
action | admin_enqueue_scripts | include\packages\kirki-framework\module-webfonts\src\Webfonts\Async.php:87
action | wp | include\packages\kirki-framework\module-webfonts\src\Webfonts\Embed.php:72
action | kirki_dynamic_css | include\packages\kirki-framework\module-webfonts\src\Webfonts\Embed.php:85
action | kirki_field_init | include\packages\kirki-framework\module-webfonts\src\Webfonts.php:51
action | wp_loaded | include\packages\kirki-framework\module-webfonts\src\Webfonts.php:52
filter | http_request_args | include\packages\kirki-framework\util\src\Util.php:37
action | kirki_field_init | include\packages\kirki-framework\util\src\Util.php:38
action | wp_head | options\envo-royal\custom-codes.php:29
action | wp_footer | options\envo-royal\custom-codes.php:49
action | customize_register | options\envo-royal\woocommerce.php:2
action | after_setup_theme | options\envo-royal\woocommerce.php:12
filter | loop_shop_per_page | options\envo-royal\woocommerce.php:31
filter | loop_shop_columns | options\envo-royal\woocommerce.php:40
action | wp_enqueue_scripts | options\envo-royal\woocommerce.php:126
action | woocommerce_before_shop_loop_item_title | options\envo-royal\woocommerce.php:133
action | woocommerce_before_shop_loop_item_title | options\envo-royal\woocommerce.php:139
action | woocommerce_before_shop_loop_item_title | options\envo-royal\woocommerce.php:141
action | woocommerce_before_shop_loop_item_title | options\envo-royal\woocommerce.php:144
action | woocommerce_archive_description | options\envo-royal\woocommerce.php:153
action | woocommerce_single_product_summary | options\envo-royal\woocommerce.php:156
action | wp_head | options\enwoo\custom-codes.php:29
action | wp_footer | options\enwoo\custom-codes.php:49
action | customize_register | options\enwoo\woocommerce.php:2
action | after_setup_theme | options\enwoo\woocommerce.php:12
filter | loop_shop_per_page | options\enwoo\woocommerce.php:31
filter | loop_shop_columns | options\enwoo\woocommerce.php:40
action | wp_enqueue_scripts | options\enwoo\woocommerce.php:126
action | woocommerce_before_shop_loop_item_title | options\enwoo\woocommerce.php:133
action | woocommerce_before_shop_loop_item_title | options\enwoo\woocommerce.php:139
action | woocommerce_before_shop_loop_item_title | options\enwoo\woocommerce.php:141
action | woocommerce_before_shop_loop_item_title | options\enwoo\woocommerce.php:144
action | woocommerce_archive_description | options\enwoo\woocommerce.php:153
action | woocommerce_single_product_summary | options\enwoo\woocommerce.php:156
action | admin_init | options\extra.php:6
Maintenance & Trust

Envo Extra Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 12, 2026
PHP min version: 5.6
Downloads: 668K

Community Trust

Rating: 0/100 (no ratings submitted, so this is missing data rather than a low score)
Number of ratings: 0
Active installs: 20K
Developer Profile

Envo Extra Developer Profile

EnvoThemes

16 plugins · 90K total installs

Trust score: 93
Avg security score: 98/100
Avg patch time: 27 days
Detection Fingerprints

How We Detect Envo Extra

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/envo-extra/css/gutenberg.css
/wp-content/plugins/envo-extra/css/style.css
/wp-content/plugins/envo-extra/js/envo.js
Script Paths
/wp-content/plugins/envo-extra/lib/elementor/assets/js/elementor.js
Version Parameters
envo-extra/css/gutenberg.css?ver=
envo-extra/css/style.css?ver=
envo-extra/js/envo.js?ver=
envo-extra/lib/elementor/assets/js/elementor.js?ver=

HTML / DOM Fingerprints

CSS Classes
envo-credits-text
elementor-footer-credits
HTML Comments
<!-- Return to Top -->
Shortcode Output
[elementor-template id=
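How the fingerprints above are applied in practice, as an added example that is not the scanner's own code: match the asset paths, CSS classes and HTML comment in a page's HTML, recover the plugin version from the ?ver= parameter, and compare it against the "patched in" versions from the vulnerability list on this page. The sample HTML is constructed for the example; the function name and the constant are assumptions, and the fixed-in versions are the ones listed above.

```php
<?php
/**
 * Added example (not the scanner's code). Function and constant names are
 * assumed; the fixed-in versions come from this page's vulnerability list.
 */

// A site running a version below the fix is inside the advisory's "<= x" range.
const ENVO_EXTRA_FIXED_IN = array(
    'CVE-2025-66066' => '1.9.12',
    'CVE-2025-47471' => '1.9.10',
    'CVE-2024-10770' => '1.9.4',
    'CVE-2024-5645'  => '1.8.25',
    'CVE-2024-4385'  => '1.8.17',
    'CVE-2024-32456' => '1.8.12',
    'WF-f709fca2-b7b6-4567-8055-1156f510d1ca-envo-extra' => '1.8.4',
);

/**
 * Returns null when the plugin is not detected, otherwise the matched
 * fingerprints, the version (or null) and the advisory ids that apply.
 */
function envo_extra_fingerprint( string $html ): ?array {
    $hits = array();

    // Asset fingerprints: any of the stylesheet/script paths is a strong signal.
    if ( preg_match_all( '#/wp-content/plugins/envo-extra/(?:css/gutenberg\.css|css/style\.css|js/envo\.js|lib/elementor/assets/js/elementor\.js)#', $html, $m ) ) {
        $hits['assets'] = array_values( array_unique( $m[0] ) );
    }
    // DOM fingerprints: the credits CSS classes and the "Return to Top" comment.
    if ( preg_match( '/class="[^"]*\b(envo-credits-text|elementor-footer-credits)\b/', $html, $m ) ) {
        $hits['class'] = $m[1];
    }
    if ( strpos( $html, '<!-- Return to Top -->' ) !== false ) {
        $hits['comment'] = 'Return to Top';
    }
    if ( ! $hits ) {
        return null;
    }

    // Version parameter: WordPress appends the registered asset version as ?ver=.
    $version = null;
    if ( preg_match( '#envo-extra/(?:css|js|lib)/[^"\'\s?]+\?ver=([0-9]+(?:\.[0-9]+)*)#', $html, $m ) ) {
        $version = $m[1];
    }

    // Compare the observed version with every fixed-in version.
    $affected = array();
    if ( $version !== null ) {
        foreach ( ENVO_EXTRA_FIXED_IN as $id => $fixed ) {
            if ( version_compare( $version, $fixed, '<' ) ) {
                $affected[] = $id;
            }
        }
    }
    return array( 'fingerprints' => $hits, 'version' => $version, 'affected' => $affected );
}

// Constructed sample page (not captured from a real site).
$sample = <<<HTML
<link rel="stylesheet" href="https://example.test/wp-content/plugins/envo-extra/css/style.css?ver=1.9.9">
<script src="https://example.test/wp-content/plugins/envo-extra/js/envo.js?ver=1.9.9"></script>
<div class="envo-credits-text">Proudly powered by WordPress</div>
<!-- Return to Top -->
HTML;

print_r( envo_extra_fingerprint( $sample ) );
```

The sample advertises version 1.9.9, which sits inside the affected range of the two 2025 advisories and below none of the older fixes. Treat the ?ver= value as a hint rather than proof: when a plugin registers an asset without a version, WordPress substitutes the core version, and caching or minification plugins often rewrite or strip the parameter, so a version-based match should be confirmed against the plugin's readme.txt or by other means before it is reported.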
FAQ

Frequently Asked Questions about Envo Extra