ExploreXR Security & Risk Analysis

wordpress.org/plugins/explorexr

Interactive 3D models for WordPress. Upload GLB/GLTF files, embed via shortcode, and extend with modular add-ons. No coding required.

30 active installs · v1.1.0 · PHP 7.4+ · WP 5.0+ · Updated Mar 9, 2026
Tags: 3d-model, 3d-viewer, elementor, glb, woocommerce
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is ExploreXR Safe to Use in 2026?

Generally Safe

Score 100/100

ExploreXR has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 25d ago
Risk Assessment

The "explorexr" v1.1.0 plugin exhibits a generally strong security posture, with excellent adherence to secure coding practices. The plugin demonstrates a high level of output escaping, utilizes prepared statements for all SQL queries, and incorporates a significant number of nonce and capability checks. This indicates a proactive approach to security by the developers. However, a single unprotected AJAX handler represents a notable concern, as it could potentially be exploited by attackers if it performs sensitive operations or accepts user-supplied input without proper authentication or authorization.

The static analysis did not reveal any dangerous functions or critical/high severity taint flows, which is highly encouraging. The absence of known vulnerabilities in its history further reinforces the idea that this plugin has been developed with security in mind. The limited attack surface, with only one unprotected entry point, is also a positive sign. Despite this, the presence of any unprotected entry point, no matter how small, should be addressed to maintain a robust security profile.

In conclusion, "explorexr" v1.1.0 is a well-developed plugin with commendable security practices. The strong emphasis on prepared SQL statements and output escaping is a significant strength. The primary weakness is the single unprotected AJAX handler, which, while isolated, warrants immediate attention to eliminate a potential avenue for attack.

Key Concerns

  • AJAX handler without authentication check
Vulnerabilities
None known

ExploreXR Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

ExploreXR Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 17 (753 escaped)
Nonce Checks: 17
Capability Checks: 16
File Operations: 4
External Requests: 4
Bundled Libraries: 0

Output Escaping

98% escaped · 770 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

13 flows · 1 with unsanitized paths
explorexr_modern_model_browser_page (admin\models\modern-model-browser.php:15)
Attack Surface
1 unprotected

ExploreXR Attack Surface

Entry Points: 7
Unprotected: 1

AJAX Handlers 4

auth wp_ajax_explorexr_delete_model admin\ajax\ajax-handlers.php:89
auth wp_ajax_EXPLOREXR_get_premium_info admin\core\admin-menu.php:324
auth wp_ajax_explorexr_cleanup_models includes\models\model-cleanup.php:123
auth wp_ajax_explorexr_dismiss_premium_notice includes\premium\upgrade-system.php:306

Shortcodes 3

[EXPLOREXR_model] includes\core\shortcodes.php:167
[explorexr] includes\core\shortcodes.php:366
[explorexr_model] includes\core\shortcodes.php:371
WordPress Hooks 64

action admin_menu admin\core\admin-menu.php:60
filter parent_file admin\core\admin-menu.php:77
filter admin_title admin\core\admin-menu.php:102
action admin_head admin\core\admin-menu.php:121
action admin_enqueue_scripts admin\core\admin-menu.php:237
action admin_head admin\core\admin-menu.php:252
action current_screen admin\core\admin-menu.php:255
filter admin_body_class admin\core\admin-menu.php:269
action admin_init admin\core\admin-menu.php:272
action admin_enqueue_scripts admin\core\admin-ui.php:421
filter get_edit_post_link admin\core\edit-redirector.php:41
action init admin\core\edit-redirector.php:72
filter post_row_actions admin\core\edit-redirector.php:96
action admin_enqueue_scripts admin\core\functions.php:86
filter admin_body_class admin\models\modern-model-browser.php:17
action admin_init admin\pages\create-model-page.php:140
action admin_init admin\pages\loading-options-page.php:82
action admin_init admin\pages\settings-page.php:384
action admin_init admin\settings\import-export.php:36
action admin_init admin\settings\import-export.php:219
action admin_init admin\settings\import-export.php:507
action admin_enqueue_scripts admin\settings\import-export.php:535
action admin_init admin\settings\loading-options.php:41
filter explorexr_model_viewer_attributes admin\settings\loading-options.php:119
action admin_init admin\settings\uninstall-settings.php:56
action admin_notices admin\templates\notifications-area.php:21
action admin_notices admin\templates\notifications-area.php:33
action admin_notices admin\templates\notifications-area.php:45
action admin_notices explorexr.php:33
action plugins_loaded explorexr.php:46
action plugins_loaded explorexr.php:56
action init includes\core\post-types\class-post-types.php:22
action post_edit_form_tag includes\core\post-types\class-post-types.php:25
action add_meta_boxes includes\core\post-types\class-post-types.php:28
action save_post includes\core\post-types\class-post-types.php:31
action admin_head includes\core\post-types\class-post-types.php:34
action admin_enqueue_scripts includes\core\post-types\class-post-types.php:37
action admin_enqueue_scripts includes\core\post-types\metaboxes\model-size-enqueue.php:51
action admin_enqueue_scripts includes\core\shortcodes.php:377
action fusion_builder_before_init includes\integrations\avada\class-fusion-element.php:23
action et_builder_ready includes\integrations\divi\class-divi-module.php:23
action elementor/widgets/register includes\integrations\elementor\class-elementor-widget.php:21
action plugins_loaded includes\integrations\index.php:31
action plugins_loaded includes\integrations\index.php:44
action plugins_loaded includes\integrations\index.php:60
filter upload_mimes includes\models\file-handler.php:8
action add_attachment includes\models\file-handler.php:16
action admin_notices includes\models\model-cleanup.php:178
action wp_dashboard_setup includes\models\model-cleanup.php:324
action admin_notices includes\premium\upgrade-system.php:302
action add_meta_boxes includes\premium\upgrade-system.php:303
action send_headers includes\security\security-handler.php:317
action init includes\security\security-handler.php:342
action admin_enqueue_scripts includes\ui\deactivation-handler.php:48
action admin_notices includes\ui\deactivation-handler.php:78
action admin_footer includes\ui\deactivation-handler.php:108
action save_post_explorexr_model includes\utils\cache-manager.php:220
action updated_option includes\utils\cache-manager.php:238
action before_delete_post includes\utils\cache-manager.php:266
filter admin_title includes\utils\strip-tags-fix.php:25
filter document_title_parts includes\utils\strip-tags-fix.php:30
action wp_footer template-parts\model-viewer-script.php:64
action admin_notices template-parts\model-viewer-script.php:102
action admin_notices template-parts\model-viewer-script.php:118

Maintenance & Trust

ExploreXR Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version: 7.4
Downloads: 484

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 30
Developer Profile

ExploreXR Developer Profile

Ayal Othman

1 plugin · 30 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect ExploreXR

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/explorexr/assets/css/explorexr.css
  • /wp-content/plugins/explorexr/assets/js/explorexr.js
  • /wp-content/plugins/explorexr/assets/js/three.min.js
  • /wp-content/plugins/explorexr/assets/js/STLLoader.js
  • /wp-content/plugins/explorexr/assets/js/GLTFLoader.js
  • /wp-content/plugins/explorexr/assets/js/OBJLoader.js
  • /wp-content/plugins/explorexr/assets/js/FBXLoader.js
  • /wp-content/plugins/explorexr/assets/js/USDZLoader.js
  • +15 more
Script Paths
  • /wp-content/plugins/explorexr/assets/js/explorexr.js
  • /wp-content/plugins/explorexr/assets/js/three.min.js
  • /wp-content/plugins/explorexr/assets/js/STLLoader.js
  • /wp-content/plugins/explorexr/assets/js/GLTFLoader.js
  • /wp-content/plugins/explorexr/assets/js/OBJLoader.js
  • /wp-content/plugins/explorexr/assets/js/FBXLoader.js
  • +16 more
Version Parameters
  • explorexr/style.css?ver=
  • explorexr.js?ver=
  • three.min.js?ver=
  • STLLoader.js?ver=
  • GLTFLoader.js?ver=
  • OBJLoader.js?ver=
  • FBXLoader.js?ver=
  • USDZLoader.js?ver=
  • OrbitControls.js?ver=
  • TrackballControls.js?ver=
  • VRControls.js?ver=
  • VREffect.js?ver=
  • WebXRPolyfill.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • explorexr-viewer-container
  • explorexr-controls-container
  • explorexr-fullscreen-button
  • explorexr-vr-button
  • explorexr-model-loading
  • explorexr-model-error
  • explorexr-model-loaded
HTML Comments
  • <!-- ExploreXR Models Directory Protection -->
  • <!-- Silence is golden. -->
  • <!-- ExploreXR Shortcode -->
Data Attributes
  • data-explorexr-model
  • data-explorexr-id
  • data-explorexr-width
  • data-explorexr-height
  • data-explorexr-controls
  • data-explorexr-autoplay
  • +3 more
JS Globals
  • ExploreXR
  • ExploreXRViewer
  • ExploreXRControls
  • ExploreXRModelLoader
  • ExploreXRVRManager
  • ExploreXRUtils
  • +2 more
REST Endpoints
  • /wp-json/explorexr/v1/models
Shortcode Output
  • [explorexr_viewer]
  • [explorexr_model]
FAQ

Frequently Asked Questions about ExploreXR