WordPress.com Editing Toolkit Security & Risk Analysis

wordpress.org/plugins/full-site-editing

Enhances the editing experience in the Block Editor.

1K active installs · v4.30504 · PHP 5.6.20+ · WP 5.5+ · Updated Aug 8, 2024
Tags: block, blocks, editor, gutenberg, page

Security score: 92 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Dec 26, 2023
Safety Verdict

Is WordPress.com Editing Toolkit Safe to Use in 2026?

Generally Safe

Score 92/100

WordPress.com Editing Toolkit has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Dec 26, 2023 · Updated 1yr ago
Risk Assessment

The "full-site-editing" plugin, version 4.30504, exhibits a generally strong security posture based on static analysis. A significant positive is the complete absence of dangerous functions and of SQL queries executed without prepared statements. The plugin also demonstrates good output-escaping practice, with a high percentage of outputs properly escaped. Furthermore, the presence of numerous capability checks suggests a deliberate effort to control access to potentially sensitive operations.

There are, however, notable areas for improvement. The lack of nonce checks on any of the entry points, particularly on the single REST API route, presents a potential security gap. While the attack surface is small and the single REST API route has a permission callback, the absence of nonces means that requests are not tied to a user's explicit intent: authenticated users could potentially trigger actions repeatedly without that verification, opening the door to certain kinds of denial of service or unintended state changes if the REST route's permission callback does not handle them carefully.

The plugin's vulnerability history, while currently showing no unpatched CVEs, does include a past medium-severity Cross-Site Scripting (XSS) vulnerability. This suggests that, although the current version may be clean, there is a precedent for input sanitization or output escaping issues, which warrants continued vigilance.

Key Concerns

  • No nonce checks on entry points
  • 1 medium severity CVE in history
  • Incomplete output escaping (22 of 207 outputs unescaped; 89% escaped)
Vulnerabilities (1)

WordPress.com Editing Toolkit Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched, none unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2023-50879 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress.com Editing Toolkit <= 3.78784 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 26, 2023 · Patched in 3.79150 (28 days)
Code Analysis
Analyzed: Mar 16, 2026

WordPress.com Editing Toolkit Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 22 (185 escaped)
  • Nonce Checks: 0
  • Capability Checks: 16
  • File Operations: 4
  • External Requests: 2
  • Bundled Libraries: 0

Output Escaping

89% escaped · 207 total outputs
Attack Surface

WordPress.com Editing Toolkit Attack Surface

Entry Points: 1 · Unprotected: 0

REST API Routes (1)

  • GET /wp-json/newspack-blocks/v1/video-playlist · newspack-blocks\synced-newspack-blocks\class-newspack-blocks-api.php:232
WordPress Hooks (80)

  • action · enqueue_block_editor_assets · block-inserter-modifications\index.php:68
  • action · init · common\index.php:32
  • action · after_setup_theme · common\index.php:52
  • action · enqueue_block_editor_assets · common\index.php:104
  • action · init · dotcom-fse\class-full-site-editing.php:39
  • action · init · dotcom-fse\class-full-site-editing.php:40
  • action · switch_theme · dotcom-fse\helpers.php:202
  • action · admin_print_scripts · error-reporting\index.php:120
  • filter · script_loader_tag · error-reporting\index.php:121
  • action · init · event-countdown-block\index.php:8
  • action · wp_enqueue_scripts · full-site-editing-plugin.php:212
  • action · plugins_loaded · full-site-editing-plugin.php:381
  • action · rest_api_init · global-styles\class-global-styles.php:231
  • filter · jetpack_global_styles_data_set_get_data · global-styles\class-global-styles.php:233
  • filter · jetpack_global_styles_data_set_save_data · global-styles\class-global-styles.php:234
  • action · enqueue_block_editor_assets · global-styles\class-global-styles.php:238
  • filter · block_editor_settings · global-styles\class-global-styles.php:242
  • action · customize_register · global-styles\class-global-styles.php:247
  • action · wp_enqueue_scripts · global-styles\class-global-styles.php:251
  • action · wp_enqueue_scripts · global-styles\class-global-styles.php:267
  • action · init · global-styles\class-global-styles.php:621
  • action · init · jetpack-timeline\index.php:9
  • filter · safe_style_css · jetpack-timeline\index.php:51
  • action · widgets_init · mailerlite\subscriber-popup.php:129
  • filter · newspack_blocks_block_name · newspack-blocks\index.php:34
  • action · newspack_blocks_render_post_carousel · newspack-blocks\index.php:98
  • action · newspack_blocks_render_homepage_articles · newspack-blocks\index.php:107
  • filter · newspack_blocks_block_args · newspack-blocks\index.php:119
  • filter · plugins_url · newspack-blocks\index.php:136
  • action · rest_api_init · newspack-blocks\index.php:164
  • action · init · newspack-blocks\synced-newspack-blocks\blocks\carousel\view.php:389
  • filter · wp_calculate_image_sizes · newspack-blocks\synced-newspack-blocks\blocks\homepage-articles\templates\article.php:75
  • action · init · newspack-blocks\synced-newspack-blocks\blocks\homepage-articles\view.php:267
  • filter · posts_where · newspack-blocks\synced-newspack-blocks\class-newspack-blocks-api.php:359
  • action · rest_api_init · newspack-blocks\synced-newspack-blocks\class-newspack-blocks-api.php:402
  • action · after_setup_theme · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:54
  • action · jetpack_register_gutenberg_extensions · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:57
  • filter · the_content · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:58
  • filter · posts_clauses · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:59
  • filter · posts_groupby · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:60
  • filter · body_class · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:94
  • filter · newspack_popups_assess_has_disabled_popups · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:103
  • filter · get_the_excerpt · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:1157
  • filter · excerpt_length · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:1178
  • filter · wc_memberships_trimmed_restricted_excerpt · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:1188
  • filter · excerpt_more · newspack-blocks\synced-newspack-blocks\class-newspack-blocks.php:1224
  • action · enqueue_block_editor_assets · paragraph-block\index.php:39
  • filter · enter_title_here · paragraph-block\index.php:67
  • filter · write_your_story · paragraph-block\index.php:86
  • action · init · posts-list-block\class-posts-list-block.php:33
  • action · enqueue_block_editor_assets · posts-list-block\class-posts-list-block.php:34
  • action · enqueue_block_assets · posts-list-block\class-posts-list-block.php:35
  • filter · excerpt_more · posts-list-block\class-posts-list-block.php:127
  • action · init · starter-page-templates\class-starter-page-templates.php:36
  • action · init · starter-page-templates\class-starter-page-templates.php:37
  • action · rest_api_init · starter-page-templates\class-starter-page-templates.php:38
  • action · enqueue_block_editor_assets · starter-page-templates\class-starter-page-templates.php:39
  • action · delete_attachment · starter-page-templates\class-starter-page-templates.php:40
  • action · switch_theme · starter-page-templates\class-starter-page-templates.php:41
  • action · block_editor_settings_all · starter-page-templates\class-starter-page-templates.php:42
  • action · enqueue_block_editor_assets · tags-education\class-tags-education.php:25
  • action · init · tags-education\class-tags-education.php:67
  • action · enqueue_block_editor_assets · whats-new\class-whats-new.php:27
  • action · rest_api_init · whats-new\class-whats-new.php:28
  • action · init · whats-new\class-whats-new.php:99
  • action · enqueue_block_editor_assets · wpcom-block-description-links\class-wpcom-block-description-links.php:25
  • action · init · wpcom-block-description-links\class-wpcom-block-description-links.php:70
  • action · enqueue_block_editor_assets · wpcom-block-editor-nux\class-wp-rest-wpcom-block-editor-first-post-published-modal-controller.php:21
  • action · enqueue_block_editor_assets · wpcom-block-editor-nux\class-wp-rest-wpcom-block-editor-sharing-modal-controller.php:21
  • action · enqueue_block_editor_assets · wpcom-block-editor-nux\class-wpcom-block-editor-nux.php:25
  • action · rest_api_init · wpcom-block-editor-nux\class-wpcom-block-editor-nux.php:26
  • action · init · wpcom-block-editor-nux\class-wpcom-block-editor-nux.php:104
  • action · enqueue_block_editor_assets · wpcom-documentation-links\class-wpcom-documentation-links.php:25
  • action · init · wpcom-documentation-links\class-wpcom-documentation-links.php:87
  • action · rest_api_init · wpcom-global-styles\api\class-global-styles-status-rest-api.php:21
  • action · enqueue_block_editor_assets · wpcom-global-styles\index.php:192
  • action · wp_enqueue_scripts · wpcom-global-styles\index.php:229
  • filter · wp_theme_json_data_user · wpcom-global-styles\index.php:252
  • action · save_post_wp_global_styles · wpcom-global-styles\index.php:297
  • filter · wpcom_launch_bar_controls · wpcom-global-styles\index.php:563
Maintenance & Trust

WordPress.com Editing Toolkit Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.3.8
Last updated: Aug 8, 2024
PHP min version: 5.6.20
Downloads: 830K

Community Trust

Rating: 48/100
Number of ratings: 13
Active installs: 1K
Developer Profile

WordPress.com Editing Toolkit Developer Profile

Automattic

213 plugins · 19.2M total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 1384 days
Detection Fingerprints

How We Detect WordPress.com Editing Toolkit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/full-site-editing/dotcom-fse/templates/class-wp-template.php
  • /wp-content/plugins/full-site-editing/posts-list-block/utils.php
  • /wp-content/plugins/full-site-editing/posts-list-block/class-posts-list-block.php
  • /wp-content/plugins/full-site-editing/starter-page-templates/class-starter-page-templates.php
  • /wp-content/plugins/full-site-editing/global-styles/class-global-styles.php
  • /wp-content/plugins/full-site-editing/event-countdown-block/index.php
  • /wp-content/plugins/full-site-editing/jetpack-timeline/index.php
  • /wp-content/plugins/full-site-editing/newspack-blocks/index.php
  • +4 more

Script Paths

  • /wp-content/plugins/full-site-editing/dotcom-fse/templates/class-wp-template.php
  • /wp-content/plugins/full-site-editing/posts-list-block/utils.php
  • /wp-content/plugins/full-site-editing/posts-list-block/class-posts-list-block.php
  • /wp-content/plugins/full-site-editing/starter-page-templates/class-starter-page-templates.php
  • /wp-content/plugins/full-site-editing/global-styles/class-global-styles.php
  • /wp-content/plugins/full-site-editing/event-countdown-block/index.php
  • +6 more

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about WordPress.com Editing Toolkit