
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor Security & Risk Analysis
wordpress.org/plugins/kadence-blocks
20+ AI-powered Gutenberg Blocks with endless options, enabling top-notch efficiency for high-performance dynamic website creation.
Is Kadence Blocks — Page Builder Toolkit for Gutenberg Editor Safe to Use in 2026?
Generally Safe
Score 86/100
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor has a strong security track record. Known vulnerabilities have been patched promptly.
Kadence Blocks v3.6.6 presents a mixed security posture. While the plugin demonstrates strong practices in areas like SQL query sanitization (100% prepared statements) and output escaping (94%), significant concerns arise from its attack surface and historical vulnerability patterns.
The static analysis reveals a substantial number of unprotected entry points, with 10 out of 18 AJAX handlers and 1 out of 1 REST API route lacking proper authorization or permission checks. This directly translates to an increased risk of unauthorized actions or data manipulation by unauthenticated users. The taint analysis, though limited in scope (9 flows), identified one flow of high severity with unsanitized paths, indicating a potential for vulnerabilities if such paths are exploitable.
The plugin's history of 31 known CVEs, including critical and high-severity issues such as missing authorization, XSS, SSRF, and unrestricted uploads, is a major red flag. While there are currently no unpatched CVEs, the sheer volume and diversity of past vulnerabilities suggest a recurring tendency to introduce security flaws. This history, coupled with the identified unprotected entry points and high-severity taint flow, necessitates a cautious approach. The plugin has strengths in secure coding practices for SQL and output, but the recurring vulnerability history and substantial unprotected attack surface are significant weaknesses.
Key Concerns
- High number of AJAX handlers without auth checks
- REST API route without permission callbacks
- High severity taint flow with unsanitized paths
- Large number of historical CVEs (31 total)
- Historical critical CVEs
- Historical high severity CVEs
- Historical SSRF vulnerabilities
- Historical unrestricted upload vulnerabilities
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor Security Vulnerabilities
CVEs by Year
Severity Breakdown
32 total CVEs
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor <= 3.6.3 - Missing Authorization to Authenticated (Contributor+) Media Upload
Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Missing Authorization to Authenticated (Contributor+) Unauthorized Media Upload
Gutenberg Blocks with AI by Kadence WP <= 3.6.1 - Authenticated (Contributor+) Server-Side Request Forgery via 'endpoint' Parameter
Gutenberg Blocks by Kadence Blocks <= 3.5.32 - Missing Authorization
Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.5.32 - Incorrect Authorization to Authenticated (Contributor+) Post Publication
Kadence Blocks – Gutenberg Blocks for Page Builder Features <= 3.5.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via `redirectURL` Parameter
Gutenberg Blocks by Kadence Blocks <= 3.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'icon'
Gutenberg Blocks by Kadence Blocks <= 3.3.1 - Missing Authorization
Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.4.2 - Authenticated (contributor+) Stored Cross-Site Scripting via Button Link
Kadence Blocks <= 3.2.53 - Authenticated (Admin+) Stored Cross-Site Scripting
Kadence Blocks <= 3.2.53 - Authenticated (Contributor+) Stored Cross-Site Scripting
Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting
Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Icon Widget
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown
Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.2.45 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via HTML Data Attributes
Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.2.42 - Authenticated (Contributor+) Stored Cross-Site Scripting in Google Maps Widget
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.38 - Authenticated (Contributor+) Stored Cross-Site Scripting via titleFont Parameter
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.37 - Authenticated (Contributor+) Stored Cross-Site Scripting
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typer Effect
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Countdown Timer
Gutenberg Blocks with AI by Kadence WP <= 3.2.36 - Authenticated (Contributor+) Stored Cross-Site Scripting via Block Link
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.34 - Authenticated (Contributor+) Stored Cross-Site Scripting
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.1.26 - Authenticated(Contributor+) Server-Side Request Forgery (SSRF)
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.31 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via CountUp Widget
Gutenberg Blocks by Kadence Blocks <= 3.2.17 - Authenticated(Editor+) Stored Cross-Site Scripting via Contact Form Message Settings
Gutenberg Blocks by Kadence Blocks <= 3.2.25 - Authenticated (Author+) Server-Side Request Forgery
Gutenberg Blocks with AI by Kadence WP – Page Builder Features <= 3.2.19 - Authenticated (Contributor+) Server-Side Request Forgery
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.25 - Authenticated (Contributor+) Stored Cross-Site Scripting via Testimonial Widget
Gutenberg Blocks by Kadence Blocks <= 3.2.25 - Authenticated (Contributor+) Stored Cross-Site Scripting
Gutenberg Blocks by Kadence Blocks – Page Builder Features <= 3.2.23 - Authenticated (Contributor+) Stored Cross-Site Scripting
Kadence Blocks <= 3.1.10 - Unauthenticated Arbitrary File Upload
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor Code Analysis
SQL Query Safety
Output Escaping
Data Flow Analysis
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor Attack Surface
AJAX Handlers 18
REST API Routes 1
WordPress Hooks 144
Scheduled Events 2
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor Maintenance & Trust
Maintenance Signals
Community Trust
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor Alternatives
Page Builder: Pagelayer – Drag and Drop website builder
pagelayer
The most advanced frontend drag & drop page builder. Pagelayer is a light weight but extremely powerful Website Builder.
GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor
gutenkit-blocks-addon
GutenKit – Ultimate no-code Gutenberg blocks to design stunning web pages and visually stunning posts in WordPress block editor.
Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor
gutentor
Advanced yet easy, Gutenberg editor page builder blocks. Create a masterpiece, pixel perfect website using modern WordPress Gutenberg blocks.
Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem
gutenverse
The best Gutenberg blocks editor, block addons, page builder and website builder for Full Site Editing FSE with ready to import template library.
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library
blockart-blocks
Enhance the power of your WordPress editor with the dynamic Gutenberg blocks by BlockArt Blocks. Build any layout imaginable.
Kadence Blocks — Page Builder Toolkit for Gutenberg Editor Developer Profile
26 plugins · 3.1M total installs
How We Detect Kadence Blocks — Page Builder Toolkit for Gutenberg Editor
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/kadence-blocks/assets/css/
- /wp-content/plugins/kadence-blocks/assets/js/
- /wp-content/plugins/kadence-blocks/dist/blocks.style.build.css
- /wp-content/plugins/kadence-blocks/dist/blocks.editor.build.css
- /wp-content/plugins/kadence-blocks/dist/blocks.build.js
- /wp-content/plugins/kadence-blocks/assets/js/kadence-blocks-pro-frontend.js
- /wp-content/plugins/kadence-blocks/assets/js/kadence-blocks-frontend.js
- /wp-content/plugins/kadence-blocks/assets/js/kadence-blocks-editor.js
- /wp-content/plugins/kadence-blocks/assets/js/kadence-blocks-frontend.asset.php
- /wp-content/plugins/kadence-blocks/assets/js/kadence-blocks-editor.asset.php
- kadence-blocks/dist/blocks.style.build.css?ver=
- kadence-blocks/dist/blocks.editor.build.css?ver=
- kadence-blocks/dist/blocks.build.js?ver=
HTML / DOM Fingerprints
- kb-row-layout
- kb-advanced-form
- kadence-tabs
- kadence-tab
- kadence-tab-header
- kadence-tab-content
- kadence-accordion
- kadence-accordion-item
- +12 more
- data-kb-block
- data-kb-block-unique-id
- data-kb-settings
- kadence_blocks_params
- kadence_blocks_editor_params
- kadence_blocks_frontend_params
- /wp-json/kadence-blocks/v1/posts
- /wp-json/kadence-blocks/v1/prebuilt-library
- /wp-json/kadence-blocks/v1/mailerlite-form
- /wp-json/kadence-blocks/v1/fluentcrm-form
- /wp-json/kadence-blocks/v1/lottie-animation-get
- /wp-json/kadence-blocks/v1/lottie-animation-post
- /wp-json/kadence-blocks/v1/vector-post