Custom Block Builder – Lazy Blocks Security & Risk Analysis

wordpress.org/plugins/lazy-blocks

Easily create custom blocks and custom meta fields for Gutenberg without hard coding.

20K active installs · v4.2.1 · PHP 8.0+ · WP 6.2+ · Updated Feb 4, 2026
blockscustomfieldsgutenbergmeta
95
A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Feb 10, 2026
Safety Verdict

Is Custom Block Builder – Lazy Blocks Safe to Use in 2026?

Generally Safe

Score 95/100

Custom Block Builder – Lazy Blocks has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Feb 10, 2026 · Updated 3mo ago
Risk Assessment

The plugin "lazy-blocks" v4.2.1 has a generally good security posture: a low attack surface, prepared statements for its SQL queries, and a high percentage of properly escaped output. It has a history of three CVEs, but none remain unpatched, which points to prompt security patching by the developers. The one notable concern is the presence of the `unserialize` function. The taint analysis did not flag it as a vulnerability in this version, but the function is inherently risky: unless the data passed to it is very carefully sanitized, it can lead to object injection vulnerabilities. The historical vulnerability types, including Code Injection and Cross-site Scripting, show that user-supplied data has been a vector for past issues, which reinforces the caution needed around functions like `unserialize`.

Key Concerns

  • Presence of dangerous function: unserialize
  • Past vulnerabilities indicate historical input sanitization issues
Vulnerabilities
3 published

Custom Block Builder – Lazy Blocks Security Vulnerabilities

CVEs by Year

  • 2025: 2 CVEs
  • 2026: 1 CVE

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2026-1560 · high · 8.8 · Improper Control of Generation of Code ('Code Injection')

Custom Block Builder – Lazy Blocks <= 4.2.0 - Authenticated (Contributor+) Remote Code Execution

Feb 10, 2026 Patched in 4.2.1 (1d)
CVE-2025-58258 · medium · 4.3 · Missing Authorization

Lazy Blocks <= 4.1.0 - Missing Authorization

Sep 22, 2025 Patched in 4.1.1 (5d)
CVE-2024-12878 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom Block Builder – Lazy Blocks <= 3.8.2 - Reflected Cross-Site Scripting

Feb 4, 2025 Patched in 3.8.3 (9d)
Version History

Custom Block Builder – Lazy Blocks Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Custom Block Builder – Lazy Blocks Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 7 (49 escaped)
Nonce Checks: 5
Capability Checks: 14
File Operations: 12
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$output = unserialize($serialized_data);` (vendors\Handlebars\Cache\Disk.php:106)

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

88% escaped · 56 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
import_json (classes\class-tools.php:362)
Attack Surface

Custom Block Builder – Lazy Blocks Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 84
action · enqueue_block_editor_assets · classes\3rd\class-astra.php:20
action · admin_menu · classes\class-admin.php:20
action · admin_menu · classes\class-admin.php:21
action · admin_enqueue_scripts · classes\class-admin.php:26
action · enqueue_block_editor_assets · classes\class-admin.php:27
action · enqueue_block_editor_assets · classes\class-admin.php:28
action · enqueue_block_editor_assets · classes\class-admin.php:29
action · enqueue_block_assets · classes\class-admin.php:30
action · in_admin_header · classes\class-admin.php:32
filter · admin_footer_text · classes\class-admin.php:33
action · enqueue_block_editor_assets · classes\class-assets.php:20
action · init · classes\class-blocks.php:74
action · init · classes\class-blocks.php:76
filter · allowed_block_types_all · classes\class-blocks.php:80
action · admin_init · classes\class-blocks.php:83
filter · display_post_states · classes\class-blocks.php:86
filter · disable_months_dropdown · classes\class-blocks.php:87
filter · post_class · classes\class-blocks.php:88
filter · post_row_actions · classes\class-blocks.php:89
filter · manage_lazyblocks_posts_columns · classes\class-blocks.php:90
filter · manage_lazyblocks_posts_custom_column · classes\class-blocks.php:91
filter · bulk_actions-edit-lazyblocks · classes\class-blocks.php:94
filter · handle_bulk_actions-edit-lazyblocks · classes\class-blocks.php:95
filter · lzb/get_blocks · classes\class-blocks.php:98
action · save_post · classes\class-blocks.php:101
filter · views_edit-lazyblocks · classes\class-blocks.php:104
action · save_post_lazyblocks · classes\class-blocks.php:107
action · delete_post · classes\class-blocks.php:108
action · wp_trash_post · classes\class-blocks.php:109
action · untrash_post · classes\class-blocks.php:110
action · activated_plugin · classes\class-blocks.php:113
action · deactivated_plugin · classes\class-blocks.php:114
action · switch_theme · classes\class-blocks.php:115
action · upgrader_process_complete · classes\class-blocks.php:116
action · admin_init · classes\class-blocks.php:119
filter · views_edit-lazyblocks · classes\class-blocks.php:122
filter · block_categories_all · classes\class-blocks.php:127
action · init · classes\class-blocks.php:131
action · init · classes\class-blocks.php:132
action · save_post · classes\class-blocks.php:214
action · admin_notices · classes\class-blocks.php:1356
action · lzb/init · classes\class-controls.php:20
action · activated_plugin · classes\class-deactivate-duplicate-plugin.php:20
action · pre_current_active_plugins · classes\class-deactivate-duplicate-plugin.php:21
filter · lzb/add_user_template · classes\class-deprecated.php:21
filter · lzb/import_json · classes\class-deprecated.php:22
filter · lzb/add_user_block · classes\class-deprecated.php:25
action · lzb/handlebars/object · classes\class-deprecated.php:28
action · init · classes\class-deprecated.php:31
action · classic_editor_enabled_editors_for_post_type · classes\class-force-gutenberg.php:22
action · use_block_editor_for_post_type · classes\class-force-gutenberg.php:23
action · use_block_editor_for_post · classes\class-force-gutenberg.php:24
filter · user_can_richedit · classes\class-force-gutenberg.php:27
action · init · classes\class-handlebars.php:27
action · admin_init · classes\class-migration.php:28
action · wp · classes\class-migration.php:30
action · rest_api_init · classes\class-rest.php:34
action · init · classes\class-templates.php:20
filter · register_post_type_args · classes\class-templates.php:23
action · enqueue_block_editor_assets · classes\class-templates.php:26
filter · disable_months_dropdown · classes\class-templates.php:29
filter · post_row_actions · classes\class-templates.php:30
filter · manage_lazyblocks_templates_posts_columns · classes\class-templates.php:31
filter · manage_lazyblocks_templates_posts_custom_column · classes\class-templates.php:32
action · admin_menu · classes\class-tools.php:27
action · admin_init · classes\class-tools.php:30
action · admin_init · classes\class-tools.php:33
action · admin_init · classes\class-tools.php:36
action · admin_footer · classes\class-tools.php:39
action · admin_notices · classes\class-tools.php:42
filter · wpml_config_array · classes\class-wpml.php:20
filter · lzb/prepare_block_attribute · controls\checkbox\index.php:37
filter · lzb/block_render/attributes · controls\inner_blocks\index.php:36
filter · lzb/prepare_block_attribute · controls\repeater\index.php:40
filter · lzb/prepare_block_attribute · controls\select\index.php:33
filter · lzb/prepare_block_attribute · controls\toggle\index.php:34
filter · lzb/controls/all · controls\_base\index.php:130
filter · lzb/control_value · controls\_base\index.php:131
action · enqueue_block_editor_assets · controls\_base\index.php:145
action · enqueue_block_editor_assets · controls\_base\index.php:146
action · enqueue_block_assets · controls\_base\index.php:163
action · init · lazy-blocks.php:147
filter · lzb/plugin_url · lazy-blocks.php:335
filter · lzb_pro/plugin_url · lazy-blocks.php:342
Maintenance & Trust

Custom Block Builder – Lazy Blocks Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 4, 2026
PHP min version: 8.0
Downloads: 415K

Community Trust

Rating: 98/100
Number of ratings: 80
Active installs: 20K
Developer Profile

Custom Block Builder – Lazy Blocks Developer Profile

Danny van Kooten

94 plugins · 2.1M total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 514 days
Detection Fingerprints

How We Detect Custom Block Builder – Lazy Blocks

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/lazy-blocks/assets/css/lazy-blocks-editor.css
  • /wp-content/plugins/lazy-blocks/assets/css/lazy-blocks.css
  • /wp-content/plugins/lazy-blocks/assets/js/lazy-blocks-editor.js
  • /wp-content/plugins/lazy-blocks/assets/js/lazy-blocks.js
  • /wp-content/plugins/lazy-blocks/assets/js/frontend.js
Script Paths
  • /wp-content/plugins/lazy-blocks/assets/js/lazy-blocks-editor.js
  • /wp-content/plugins/lazy-blocks/assets/js/lazy-blocks.js
  • /wp-content/plugins/lazy-blocks/assets/js/frontend.js
Version Parameters
  • lazy-blocks/assets/css/lazy-blocks-editor.css?ver=
  • lazy-blocks/assets/css/lazy-blocks.css?ver=
  • lazy-blocks/assets/js/lazy-blocks-editor.js?ver=
  • lazy-blocks/assets/js/lazy-blocks.js?ver=
  • lazy-blocks/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • lazy-blocks-editor
  • lazy-blocks-frontend
  • lzb-block
  • lzb-frontend-wrapper
  • lzb-frontend-block
Data Attributes
  • data-lazy-block
  • data-lazy-block-id
  • data-lazy-block-name
JS Globals
  • LazyBlocks
  • lazyBlocks
  • wp.blocks.registerBlockType
  • wp.element.createElement
  • wp.editor.registerBlockType
  • wp.i18n.__
  • +23 more
REST Endpoints
  • /wp-json/lazy-blocks/v1/blocks
  • /wp-json/lazy-blocks/v1/template
Shortcode Output
  • [lazy-blocks]
  • [lazy-blocks id=
FAQ

Frequently Asked Questions about Custom Block Builder – Lazy Blocks