Ibtana – WordPress Website Builder Security & Risk Analysis

wordpress.org/plugins/ibtana-visual-editor

Build your dream WordPress website with Ibtana, a powerful website builder with customizable templates and drag-and-drop elements for customization.

20K active installs · v1.2.5.7 · PHP 7.2+ · WP 5.2+ · Updated Mar 4, 2026
Tags: gutenberg, one-click-demo-import, page-builder, templates, website-builder
Score: 74 (B · Generally Safe)
CVEs total: 7
Unpatched: 1
Last CVE: Sep 22, 2025
Safety Verdict

Is Ibtana – WordPress Website Builder Safe to Use in 2026?

Mostly Safe

Score 74/100

Ibtana – WordPress Website Builder is generally safe to use. 7 past CVEs were resolved. Keep it updated.

7 known CVEs · 1 unpatched · Last CVE: Sep 22, 2025 · Updated 1mo ago
Risk Assessment

The "ibtana-visual-editor" plugin v1.2.5.7 presents a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and properly escaping almost all output. The absence of dangerous functions and bundled libraries is also a strength. However, the plugin has a significant attack surface with 29 entry points, of which 6 are unprotected, including AJAX handlers and REST API routes that lack proper authorization checks. This indicates a potential for unauthorized actions and privilege escalation.

The taint analysis, while limited, did reveal one flow with unsanitized paths, which could lead to path traversal vulnerabilities. The plugin's vulnerability history is a major concern, with a total of 7 known CVEs, one of which remains unpatched. The common vulnerability types, Cross-site Scripting and Missing Authorization, directly align with the findings from the static analysis, particularly the unprotected AJAX handlers and REST API routes. The recency of the last vulnerability (September 2025) suggests ongoing security issues.

In conclusion, while the plugin has some fundamental security strengths in its data handling, the substantial number of unprotected entry points and the history of critical vulnerabilities, especially missing authorization, create a considerable risk. The unpatched CVE is a direct and pressing threat that requires immediate attention. Mitigation efforts should focus on securing all entry points and addressing the historical vulnerability patterns.

Key Concerns

  • Unpatched CVE
  • Unprotected REST API routes
  • Unprotected AJAX handlers
  • Flows with unsanitized paths
  • Large attack surface without auth checks
Vulnerabilities: 7

Ibtana – WordPress Website Builder Security Vulnerabilities

CVEs by Year

  • 2022: 2 CVEs
  • 2023: 1 CVE
  • 2024: 2 CVEs
  • 2025: 2 CVEs (unpatched)

Severity Breakdown

Medium: 7

7 total CVEs

CVE-2025-59581 · medium · 4.3 · Missing Authorization

Ibtana <= 1.2.5.3 - Missing Authorization to Authenticated (Contributor+) Arbitrary Content Deletion

Sep 22, 2025 · Patched in 1.2.5.4 (5d)

CVE-2025-26891 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ibtana <= 1.2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 24, 2025 · Unpatched

CVE-2024-8282 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ibtana – WordPress Website Builder <= 1.2.4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Attribute

Oct 1, 2024 · Patched in 1.2.4.5 (1d)

CVE-2024-5541 · medium · 5.3 · Missing Authorization

Ibtana - WordPress Website Builder <= 1.2.3.3 - Unauthenticated reCAPTCHA Settings Update

Jun 17, 2024 · Patched in 1.2.3.4 (9d)

CVE-2023-6684 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ibtana – WordPress Website Builder <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 7, 2023 · Patched in 1.2.2.1 (47d)

CVE-2022-4674 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ibtana – WordPress Website Builder <= 1.1.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 20, 2022 · Patched in 1.1.8.8 (399d)

CVE-2021-25014 · medium · 6.4 · Missing Authorization

Ibtana – WordPress Website Builder <= 1.1.4.7 - Missing Authorization to Stored Cross-Site Scripting

Jan 12, 2022 · Patched in 1.1.4.9 (741d)

Code Analysis
Analyzed Mar 16, 2026

Ibtana – WordPress Website Builder Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 7 (504 escaped)
Nonce Checks: 25
Capability Checks: 41
File Operations: 9
External Requests: 13
Bundled Libraries: 0

Output Escaping

99% escaped · 511 total outputs

Data Flows: 1 unsanitized

Data Flow Analysis

8 flows · 1 with unsanitized paths
get_post_data (src\blocks\form\block.php:61)

Attack Surface: 6 unprotected

Ibtana – WordPress Website Builder Attack Surface

Entry Points: 29
Unprotected: 6

AJAX Handlers: 25

auth · wp_ajax_ive_install_and_activate_plugin · activation\activation.php:2
auth · wp_ajax_ive_file_generation · admin\settings.php:104
auth · wp_ajax_ive_save_general_settings · admin\settings.php:130
auth · wp_ajax_ibtana_visual_editor_setup_free_demo · admin-menu.php:24
auth · wp_ajax_ibtana_visual_editor_insert_component · admin-menu.php:25
auth · wp_ajax_ibtana_visual_editor_activate_plugin · admin-menu.php:29
auth · wp_ajax_ive_addons_page_cards · admin-menu.php:32
auth · wp_ajax_ive_ajax_save_template · classes\class-cpt.php:31
auth · wp_ajax_ive_get_saved_ibtana_templates_by_terms · classes\class-cpt.php:32
auth · wp_ajax_ive_get_saved_ibtana_templates_by_term_slug · classes\class-cpt.php:34
auth · wp_ajax_ive_import_saved_single_ibtana_template · classes\class-cpt.php:36
auth · wp_ajax_ive_export_saved_single_ibtana_template · classes\class-cpt.php:38
auth · wp_ajax_ive_delete_saved_single_ibtana_template · classes\class-cpt.php:40
auth · wp_ajax_ive_delete_saved_all_ibtana_templates · classes\class-cpt.php:42
auth · wp_ajax_set_default_save_template_limit_info · classes\class-cpt.php:44
auth · wp_ajax_ive-get-installed-theme · classes\class-ive-admin.php:30
auth · wp_ajax_ive-theme-activate · classes\class-ive-admin.php:31
auth · wp_ajax_ive-check-plugin-exists · classes\class-ive-admin.php:33
auth · wp_ajax_ive_get_admin_notices · classes\ive-notice.php:15
auth · wp_ajax_ive_admin_notice_ignore · classes\ive-notice.php:16
auth · wp_ajax_ive_get_theme_license_activation_duration · classes\ive-notice.php:17
auth · wp_ajax_ive_get_client_meta_box_info · classes\ive-notice.php:18
auth · wp_ajax_setup_plugins_freeSW · whizzie\whizzie.php:106
auth · wp_ajax_setup_widgets_freeSW · whizzie\whizzie.php:107
auth · wp_ajax_setup_elementor_freeSW · whizzie\whizzie.php:108

REST API Routes: 3

POST · /wp-json/ibtana-visual-editor/v1/update_google_recaptcha_keys · admin\settings.php:11
GET · /wp-json/ibtana-visual-editor/v1/get_google_recaptcha_keys · admin\settings.php:21
GET · /wp-json/ibtana-visual-editor/v1getAllCategories/ · admin\settings.php:37

Shortcodes: 1

[ive] · ive-countdown.php:79

WordPress Hooks: 63

action · rest_api_init · admin\settings.php:32
action · rest_api_init · admin\settings.php:47
action · admin_enqueue_scripts · admin-menu.php:17
action · activated_plugin · admin-menu.php:35
action · upgrader_process_complete · admin-menu.php:36
filter · add_meta_boxes · admin-menu.php:37
action · admin_menu · admin-menu.php:1685
action · network_admin_menu · admin-menu.php:1689
action · admin_enqueue_scripts · admin-menu.php:1751
filter · init · classes\class-cpt.php:19
action · admin_head · classes\class-cpt.php:21
action · wp · classes\class-ive-helper.php:151
action · wp_enqueue_scripts · classes\class-ive-helper.php:152
action · wp_enqueue_scripts · classes\class-ive-helper.php:153
action · wp_head · classes\class-ive-helper.php:154
action · wp_head · classes\class-ive-helper.php:155
action · wp_footer · classes\class-ive-helper.php:156
action · plugins_loaded · classes\class-ive-loader.php:36
action · admin_notices · classes\class-ive-loader.php:50
action · network_admin_notices · classes\class-ive-loader.php:51
action · admin_notices · classes\ive-notice.php:13
action · admin_enqueue_scripts · classes\ive-notice.php:20
action · admin_notices · classes\ive-notice.php:31
action · admin_init · classes\ive-notice.php:32
action · init · ive-countdown.php:69
action · wp_head · ive-countdown.php:71
action · wp_enqueue_scripts · ive-countdown.php:72
action · plugins_loaded · ive-countdown.php:73
action · rest_api_init · ive-countdown.php:76
action · admin_enqueue_scripts · ive-custom-fields\custom-fields.php:9
action · admin_init · ive-custom-fields\custom-fields.php:13
action · save_post · ive-custom-fields\custom-fields.php:102
action · add_meta_boxes · ive-custom-fields\custom-post-select.php:61
action · save_post · ive-custom-fields\custom-post-select.php:76
action · init · ive-custom-fields\fields\is-text.php:2
action · add_meta_boxes · ive-custom-fields\fields\is-text.php:100
action · save_post · ive-custom-fields\fields\is-text.php:256
action · init · ive-custom-fields\ive-custom-fields-posttype.php:46
action · template_redirect · src\blocks\form\block.php:45
action · wp_footer · src\blocks\form\block.php:46
action · init · src\blocks\form\block.php:48
action · ive_form_email_before_send · src\blocks\form\block.php:52
action · ive_form_email_after_send · src\blocks\form\block.php:53
filter · render_block · src\blocks\form\block.php:55
filter · wp_mail_content_type · src\blocks\form\block.php:544
action · init · src\blocks\form\fields\checkbox\block.php:20
action · init · src\blocks\form\fields\date\block.php:20
action · init · src\blocks\form\fields\email\block.php:20
action · init · src\blocks\form\fields\hidden\block.php:20
action · init · src\blocks\form\fields\name\block.php:20
action · init · src\blocks\form\fields\number\block.php:20
action · init · src\blocks\form\fields\phone\block.php:20
action · init · src\blocks\form\fields\radio\block.php:20
action · init · src\blocks\form\fields\select\block.php:20
action · init · src\blocks\form\fields\text\block.php:20
action · init · src\blocks\form\fields\textarea\block.php:20
action · init · src\blocks\form\fields\url\block.php:20
action · enqueue_block_editor_assets · src\init.php:39
action · wp_enqueue_scripts · src\init.php:40
filter · block_categories_all · src\init.php:41
action · after_switch_theme · whizzie\whizzie.php:103
action · admin_enqueue_scripts · whizzie\whizzie.php:104
action · admin_menu · whizzie\whizzie.php:105

Maintenance & Trust

Ibtana – WordPress Website Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 4, 2026
PHP min version: 7.2
Downloads: 1.5M

Community Trust

Rating: 86/100
Number of ratings: 30
Active installs: 20K

Developer Profile

Ibtana – WordPress Website Builder Developer Profile

VW THEMES

213 plugins · 66K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 206 days

Detection Fingerprints

How We Detect Ibtana – WordPress Website Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ibtana-visual-editor/dist/post/plugin-post.css
/wp-content/plugins/ibtana-visual-editor/src/blocks/form/fields/text/style.css
/wp-content/plugins/ibtana-visual-editor/src/blocks/form/fields/email/style.css
/wp-content/plugins/ibtana-visual-editor/src/blocks/form/fields/name/style.css
/wp-content/plugins/ibtana-visual-editor/src/blocks/form/fields/url/style.css
/wp-content/plugins/ibtana-visual-editor/src/blocks/form/fields/phone/style.css
/wp-content/plugins/ibtana-visual-editor/src/blocks/form/fields/number/style.css
/wp-content/plugins/ibtana-visual-editor/src/blocks/form/fields/date/style.css
+12 more

Script Paths
/wp-content/plugins/ibtana-visual-editor/dist/post/plugin-post.js
/wp-content/plugins/ibtana-visual-editor/assets/js/common.js
/wp-content/plugins/ibtana-visual-editor/assets/js/custom-fields.js
/wp-content/plugins/ibtana-visual-editor/assets/js/elementor-addon.js

Version Parameters
ibtana-visual-editor/style.css?ver=
ibtana-visual-editor/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
ibtana-visual-editor-template-list
ibtana-visual-editor-template-item
ibtana-visual-editor-template-preview
ibtana-visual-editor-template-title
ibtana-visual-editor-template-actions
ibtana-visual-editor-template-settings
ibtana-visual-editor-editor-wrapper
ibtana-visual-editor-canvas
+17 more

HTML Comments
<!-- IVE Custom Fields Start -->
<!-- IVE Custom Fields End -->
<!-- Admin Menu To Display Premium Products -->
<!-- Admin Menu To Display Premium Products END -->
+6 more

Data Attributes
data-ibtana-editor-config
data-ibtana-template-id
data-ibtana-template-name
data-ibtana-template-slug
data-ibtana-component-type
data-ibtana-block-id
+2 more

JS Globals
IBTANA_PLUGIN_URI
IBTANA_PLUGIN_DIR
IBTANA_PLUGIN_DIR_URL
IBTANA_PLUGIN_THEME
IVE_DESKTOP_STARTPOINT
IVE_TABLET_BREAKPOINT
+15 more

REST Endpoints
/wp-json/ibtana-licence/v2/get_client_add_on_list