HT Builder – WordPress Theme Builder for Elementor Security & Risk Analysis

wordpress.org/plugins/ht-builder

HT Builder is a drag & drop theme builder plugin for Elementor Page Builder. Theme Builder is included in this plugin to build custom blog page, c …

1K active installs · v1.3.3 · PHP + · WP 5.0+ · Updated Dec 10, 2025

Tags: blog-builder, builder, elementor, page-builder, widget

Score: 99 (A · Safe)

  • CVEs total: 2
  • Unpatched: 0
  • Last CVE: Nov 1, 2024

Safety Verdict

Is HT Builder – WordPress Theme Builder for Elementor Safe to Use in 2026?

Generally Safe

Score 99/100

HT Builder – WordPress Theme Builder for Elementor has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Nov 1, 2024 · Updated 3mo ago

Risk Assessment

The ht-builder plugin v1.3.3 exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries, implementing nonce checks for its entry points, and having a relatively small attack surface with no exposed REST API routes or shortcodes, several concerning aspects warrant attention. The presence of dangerous functions like `create_function` and `unserialize` in the code, coupled with 50% of outputs not being properly escaped, indicates potential vulnerabilities. The taint analysis revealing flows with unsanitized paths, although not reaching critical or high severity, highlights areas where input sanitization might be insufficient.

The vulnerability history shows two past medium-severity CVEs, both related to Cross-site Scripting (XSS) and Cross-Site Request Forgery (CSRF). The absence of currently unpatched vulnerabilities is positive, but the recurring nature of these vulnerability types suggests potential for similar issues to emerge if input handling and output escaping are not rigorously addressed. The plugin's strengths lie in its controlled attack surface and database query security. However, the identified code signals and past vulnerability trends point to potential weaknesses in how user-supplied data is handled and rendered, which could be exploited.

In conclusion, while ht-builder v1.3.3 has made strides in secure coding practices regarding database interactions and entry point protection, the use of dangerous functions, incomplete output escaping, and unsanitized input flows present ongoing risks. The historical pattern of XSS and CSRF vulnerabilities further reinforces the need for vigilance in these areas. Developers should prioritize addressing these code signals and ensuring robust input validation and output encoding to mitigate the risk of future exploits.

Key Concerns

  • Presence of 'unserialize' function
  • Presence of 'create_function' function
  • 50% of outputs not properly escaped
  • 2 flows with unsanitized paths
  • 2 medium severity CVEs historically

Vulnerabilities (2)

HT Builder – WordPress Theme Builder for Elementor Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 1 CVE

Severity Breakdown

  • Medium: 2

2 total CVEs

CVE-2024-51682 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

HT Builder – WordPress Theme Builder for Elementor <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Nov 1, 2024 · Patched in 1.3.1 (6d)

WF-df413b9d-5c22-4276-a11b-4f193c48740d-ht-builder · medium · 4.3 · Cross-Site Request Forgery (CSRF)

HT Builder <= 1.2.9 - Cross-Site Request Forgery via plugin_activation

Apr 3, 2023 · Patched in 1.3.0 (295d)

Code Analysis

Analyzed Mar 16, 2026

HT Builder – WordPress Theme Builder for Elementor Code Analysis

  • Dangerous Functions: 2
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 101 (100 escaped)
  • Nonce Checks: 2
  • Capability Checks: 3
  • File Operations: 0
  • External Requests: 3
  • Bundled Libraries: 0

Dangerous Functions Found

  • `create_function` at includes\admin\classes\class.settings-api.php:105: `$callback = create_function('', 'echo "' . str_replace( '"', '\"', $section['desc'] ) . '";');`
  • `unserialize` at includes\helper-function.php:252: `$plugins = unserialize( $response['body'] );`

Output Escaping

50% escaped · 201 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths

  • templates_ajax_request (includes\admin\template-library.php:188)

Attack Surface

HT Builder – WordPress Theme Builder for Elementor Attack Surface

  • Entry Points: 2
  • Unprotected: 0

AJAX Handlers (2)

  • auth · wp_ajax_htbuilder_ajax_request · includes\admin\template-library.php:26
  • nopriv · wp_ajax_htbuilder_ajax_request · includes\admin\template-library.php:27

WordPress Hooks (33)

  • action · init · classes\class.enqueue_scripts.php:27
  • action · wp_enqueue_scripts · classes\class.enqueue_scripts.php:30
  • action · elementor/editor/before_enqueue_scripts · classes\class.enqueue_scripts.php:33
  • action · after_setup_theme · classes\class.header_footer.php:29
  • action · elementor/documents/register_controls · classes\class.header_footer.php:32
  • action · wp · classes\class.header_footer.php:35
  • action · htbuilder_header_content · classes\class.header_footer.php:58
  • action · htbuilder_footer_content · classes\class.header_footer.php:59
  • action · get_header · classes\class.header_footer.php:63
  • action · get_footer · classes\class.header_footer.php:68
  • action · init · classes\class.template_builder.php:18
  • filter · template_include · classes\class.template_builder.php:27
  • action · htbuilder_single_blog_content · classes\class.template_builder.php:28
  • action · htbuilder_blog_content · classes\class.template_builder.php:31
  • action · elementor/widgets/widgets_registered · classes\class.widgets_control.php:32
  • action · admin_init · includes\admin\admin-setting.php:13
  • action · admin_menu · includes\admin\admin-setting.php:14
  • action · admin_enqueue_scripts · includes\admin\admin-setting.php:15
  • action · wsa_form_bottom_htbuilder_general_tabs · includes\admin\admin-setting.php:16
  • action · wsa_form_top_htbuilder_element_tabs · includes\admin\admin-setting.php:17
  • action · admin_enqueue_scripts · includes\admin\classes\class.settings-api.php:28
  • action · admin_menu · includes\admin\recommended-plugins\class.recommended-plugins.php:80
  • action · admin_enqueue_scripts · includes\admin\recommended-plugins\class.recommended-plugins.php:81
  • action · admin_menu · includes\admin\template-library.php:25
  • action · admin_enqueue_scripts · includes\admin\template-library.php:29
  • action · init · includes\base.php:20
  • action · plugins_loaded · includes\base.php:21
  • action · admin_init · includes\base.php:26
  • action · admin_notices · includes\base.php:44
  • action · admin_notices · includes\base.php:50
  • action · admin_notices · includes\base.php:56
  • action · elementor/elements/categories_registered · includes\base.php:67
  • action · init · includes\base.php:90

Maintenance & Trust

HT Builder – WordPress Theme Builder for Elementor Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Dec 10, 2025
  • PHP min version:
  • Downloads: 23K

Community Trust

  • Rating: 50/100
  • Number of ratings: 2
  • Active installs: 1K

Developer Profile

HT Builder – WordPress Theme Builder for Elementor Developer Profile

HasThemes

14 plugins · 16K total installs

  • Trust score: 77
  • Avg Security Score: 97/100
  • Avg Patch Time: 179 days

Detection Fingerprints

How We Detect HT Builder – WordPress Theme Builder for Elementor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/ht-builder/assets/css/htbuilder.css
  • /wp-content/plugins/ht-builder/assets/js/htbuilder.js
  • /wp-content/plugins/ht-builder/assets/js/goodshare.min.js
  • /wp-content/plugins/ht-builder/includes/admin/assets/css/admin_optionspanel.css
  • /wp-content/plugins/ht-builder/includes/admin/assets/js/admin_scripts.js

Script Paths

  • /wp-content/plugins/ht-builder/assets/js/goodshare.min.js
  • /wp-content/plugins/ht-builder/assets/js/htbuilder.js
  • /wp-content/plugins/ht-builder/includes/admin/assets/js/admin_scripts.js

Version Parameters

  • ht-builder/assets/css/htbuilder.css?ver=
  • ht-builder/assets/js/htbuilder.js?ver=
  • ht-builder/assets/js/goodshare.min.js?ver=
  • ht-builder/includes/admin/assets/css/admin_optionspanel.css?ver=
  • ht-builder/includes/admin/assets/js/admin_scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • htbuilder_table_row
  • htproelement

Data Attributes

  • data-htbuilder
  • data-htbuilder-settings

JS Globals

  • HTBuilder

FAQ

Frequently Asked Questions about HT Builder – WordPress Theme Builder for Elementor