Live Composer – Free WordPress Website Builder Security & Risk Analysis

wordpress.org/plugins/live-composer-page-builder

Page builder for WordPress with drag and drop header/footer editing, responsive settings, and animations. Compatible with Gutenberg block editor.

10K active installs · v2.1.8 · PHP 7.4+ · WP 6.0+ · Updated Mar 6, 2026
Tags: drag-and-drop-page-builder, frontend-page-builder, landing-page-builder, page-builder, website-builder
Score: 60 · C · Use Caution
CVEs total: 11
Unpatched: 1
Last CVE: Dec 22, 2025
Safety Verdict

Is Live Composer – Free WordPress Website Builder Safe to Use in 2026?

Use With Caution

Score 60/100

Live Composer – Free WordPress Website Builder has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

11 known CVEs · 1 unpatched · Last CVE: Dec 22, 2025 · Updated 28d ago
Risk Assessment

The live-composer-page-builder plugin v2.1.8 exhibits several concerning security weaknesses, despite some positive security practices. The presence of 21 AJAX handlers, with two lacking authorization checks, presents a direct attack vector. Furthermore, the taint analysis revealed two high-severity flows with unsanitized paths, indicating potential for code injection or other serious exploits. The plugin's history of 11 known CVEs, including one currently unpatched and three high-severity vulnerabilities, strongly suggests a pattern of recurring security flaws, particularly in areas like missing authorization, CSRF, XSS, and deserialization of untrusted data. While the plugin utilizes prepared statements for the majority of its SQL queries and has a significant number of capability checks, these strengths are overshadowed by the identified vulnerabilities and the apparent ongoing struggle to maintain a secure codebase. The significant number of known CVEs and the single unpatched critical vulnerability are major red flags.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Unpatched CVE
  • History of high severity CVEs
  • Recurring deserialization vulnerabilities
  • Recurring XSS vulnerabilities
  • Recurring CSRF vulnerabilities
  • Recurring Missing Authorization vulnerabilities
  • Low percentage of properly escaped output
Vulnerabilities
11

Live Composer – Free WordPress Website Builder Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 7 CVEs
  • 2025: 3 CVEs · unpatched

Severity Breakdown

High: 3
Medium: 8

11 total CVEs

CVE-2025-68598 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Live Composer <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 22, 2025 · Unpatched

CVE-2025-14071 · high · 7.5 · Deserialization of Untrusted Data

Live Composer – Free WordPress Website Builder <= 2.0.2 - Authenticated (Contributor+) PHP Object Injection via dslc_module_posts_output Shortcode

Dec 20, 2025 · Patched in 2.0.3 (1d)

CVE-2025-13537 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Live Composer – Free WordPress Website Builder <= 2.0.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

Dec 16, 2025 · Patched in 2.0.3 (2d)

CVE-2024-35779 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Live Composer <= 1.5.42 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 19, 2024 · Patched in 1.5.43 (13d)

CVE-2024-35780 · high · 7.5 · Deserialization of Untrusted Data

Page Builder: Live Composer <= 1.5.42 - Authenticated (Contributor+) PHP Object Injection

Jun 19, 2024 · Patched in 1.5.43 (13d)

CVE-2024-35768 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Live Composer <= 1.5.47 - Authenticated (Author+) Stored Cross-Site Scripting

Jun 18, 2024 · Patched in 1.5.48 (66d)

CVE-2024-32957 · medium · 4.3 · Missing Authorization

Page Builder: Live Composer <= 1.5.38 - Missing Authorization

Apr 23, 2024 · Patched in 1.5.39 (7d)

CVE-2024-31933 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Page Builder: Live Composer <= 1.5.35 - Cross-Site Request Forgery

Apr 10, 2024 · Patched in 1.5.36 (7d)

CVE-2023-52193 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Live Composer <= 1.5.23 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 3, 2024 · Patched in 1.5.24 (20d)

CVE-2023-52206 · high · 8.8 · Deserialization of Untrusted Data

Page Builder: Live Composer <= 1.5.25 - Authenticated (Author+) PHP Object Injection

Jan 3, 2024 · Patched in 1.5.29 (52d)

CVE-2022-4669 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Page Builder: Live Composer <= 1.5.22 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 24, 2023 · Patched in 1.5.23 (364d)

Code Analysis
Analyzed Mar 16, 2026

Live Composer – Free WordPress Website Builder Code Analysis

Dangerous Functions: 31
Raw SQL Queries: 1 (4 prepared)
Unescaped Output: 849 (731 escaped)
Nonce Checks: 19
Capability Checks: 71
File Operations: 0
External Requests: 7
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $raw_code = unserialize($raw_code, ['allowed_classes' => false]); · includes\display-functions.php:1094
unserialize · $decoded = unserialize($decoded_base64, ['allowed_classes' => false]); · includes\display-functions.php:1126
unserialize · $data = @unserialize( $content ); · modules\blog\module.php:6617
unserialize · $options = unserialize( $content ); · modules\blog\module.php:6620
unserialize · $options = unserialize( $fixed_data ); · modules\blog\module.php:6625
unserialize · $data = @unserialize( $content ); · modules\downloads\module.php:4947
unserialize · $options = unserialize( $content ); · modules\downloads\module.php:4950
unserialize · $options = unserialize( $fixed_data ); · modules\downloads\module.php:4955
unserialize · $data = @unserialize( $content ); · modules\galleries\module.php:5577
unserialize · $options = unserialize( $content ); · modules\galleries\module.php:5580
unserialize · $options = unserialize( $fixed_data ); · modules\galleries\module.php:5585
unserialize · $options = @unserialize( $content, $unserialize_args ); · modules\loops\module.php:5689
unserialize · $options = @unserialize( $fixed_data, $unserialize_args ); · modules\loops\module.php:5695
unserialize · $data = @unserialize( $content ); · modules\partners\module.php:2733
unserialize · $options = unserialize( $content ); · modules\partners\module.php:2736
unserialize · $options = unserialize( $fixed_data ); · modules\partners\module.php:2741
unserialize · $options = @unserialize( $content, $unserialize_args ); · modules\posts\module.php:5636
unserialize · $options = @unserialize( $fixed_data, $unserialize_args ); · modules\posts\module.php:5644
unserialize · $data = @unserialize( $content ); · modules\projects\module.php:5995
unserialize · $options = unserialize( $content ); · modules\projects\module.php:5998
unserialize · $options = unserialize( $fixed_data ); · modules\projects\module.php:6003
unserialize · $options = @unserialize( $content, array( 'allowed_classes' => false ) ); · modules\section\module.php:897
unserialize · $data = @unserialize( $content ); · modules\staff\module.php:4309
unserialize · $options = unserialize( $content ); · modules\staff\module.php:4312
unserialize · $options = unserialize( $fixed_data ); · modules\staff\module.php:4317
unserialize · $data = @unserialize( $content ); · modules\testimonials\module.php:5021
unserialize · $options = unserialize( $content ); · modules\testimonials\module.php:5024
unserialize · $options = unserialize( $fixed_data ); · modules\testimonials\module.php:5029
unserialize · $options = unserialize( $content ); · modules\tp-comments\module.php:3735
unserialize · $options = unserialize( $content ); · modules\tp-comments-form\module.php:3242
unserialize · $options = unserialize( $content ); · modules\woocommerce\module.php:4803

SQL Query Safety

80% prepared · 5 total queries

Output Escaping

46% escaped · 1580 total outputs
Data Flows
5 unsanitized

Data Flow Analysis

9 flows · 5 with unsanitized paths
dslc_ajax_add_module (includes\ajax.php:109)
Attack Surface
2 unprotected

Live Composer – Free WordPress Website Builder Attack Surface

Entry Points: 64
Unprotected: 2

AJAX Handlers 21

auth · wp_ajax_dslc-ajax-add-modules-section · includes\ajax.php:69
auth · wp_ajax_dslc-ajax-add-modules-area · includes\ajax.php:102
auth · wp_ajax_dslc-ajax-add-module · includes\ajax.php:259
auth · wp_ajax_dslc-ajax-display-module-options · includes\ajax.php:336
auth · wp_ajax_dslc-ajax-save-composer · includes\ajax.php:426
auth · wp_ajax_dslc-ajax-save-draft-composer · includes\ajax.php:470
auth · wp_ajax_dslc-ajax-load-template · includes\ajax.php:507
auth · wp_ajax_dslc-ajax-import-template · includes\ajax.php:546
auth · wp_ajax_dslc-ajax-save-template · includes\ajax.php:608
auth · wp_ajax_dslc-ajax-delete-template · includes\ajax.php:650
auth · wp_ajax_dslc-ajax-import-modules-section · includes\ajax.php:683
auth · wp_ajax_dslc-ajax-dm-module-defaults · includes\ajax.php:757
auth · wp_ajax_dslc-ajax-save-preset · includes\ajax.php:806
auth · wp_ajax_dslc-ajax-delete-preset · includes\ajax.php:853
auth · wp_ajax_dslc_ajax_clear_cache · includes\ajax.php:882
auth · wp_ajax_dslc-ajax-toggle-extension · includes\ajax.php:929
auth · wp_ajax_dslc_dismiss_notice · includes\other-functions.php:433
auth · wp_ajax_dslc-ajax-toggle-license · includes\plugin-updates\lc-license-manager.class.php:50
auth · wp_ajax_dslc-ajax-activate-plugin · includes\plugin-updates\lc-license-manager.class.php:51
auth · wp_ajax_dslc-download-count-increment · modules\downloads\inc\ajax.php:44
nopriv · wp_ajax_dslc-download-count-increment · modules\downloads\inc\ajax.php:45

Shortcodes 43

[dslc_modules_section_gen_css] includes\css-generation.php:400
[dslc_modules_area_gen_css] includes\css-generation.php:409
[dslc_module_gen_css] includes\css-generation.php:487
[dslc_module] includes\display-functions.php:1292
[dslc_modules_section] includes\display-functions.php:1956
[dslc_modules_area] includes\display-functions.php:2176
[dslc_notification] includes\shortcodes.php:43
[dslc_custom_field] includes\shortcodes.php:92
[dslc_site_url] includes\shortcodes.php:109
[dslc_icon] includes\shortcodes.php:140
[dslc_user_avatar] includes\shortcodes.php:177
[dslc_category_description] includes\shortcodes.php:217
[dslc_page_title] includes\shortcodes.php:230
[lbmn_pagetitle] includes\shortcodes.php:231
[dslc_bloghome] includes\shortcodes.php:241
[lbmn_bloghome] includes\shortcodes.php:242
[dslc_authorbio] includes\shortcodes.php:268
[lbmn_authorbio] includes\shortcodes.php:269
[dslc_commentscount] includes\shortcodes.php:277
[lbmn_commentscount] includes\shortcodes.php:278
[dslc_archive_heading] includes\shortcodes.php:301
[lbmn_archive_heading] includes\shortcodes.php:302
[dslc_nextpost_url] includes\shortcodes.php:391
[lbmn_nextpost_url] includes\shortcodes.php:392
[dslc_prevpost_url] includes\shortcodes.php:419
[lbmn_prevpost_url] includes\shortcodes.php:420
[dslc_postpagination] includes\shortcodes.php:452
[lbmn_postpagination] includes\shortcodes.php:453
[dslc_module_blog_output] modules\blog\module.php:7477
[dslc_module_downloads_output] modules\downloads\module.php:5653
[dslc_module_galleries_output] modules\galleries\module.php:6277
[dslc_module_loops_output] modules\loops\module.php:5994
[dslc_nav_render_menu] modules\navigation\functions.php:86
[dslc_nav_render_mobile_menu] modules\navigation\functions.php:137
[dslc_module_partners_output] modules\partners\module.php:3358
[dslc_module_posts_output] modules\posts\module.php:6407
[dslc_module_projects_output] modules\projects\module.php:6712
[dslc_module_section_output] modules\section\module.php:946
[dslc_module_staff_output] modules\staff\module.php:4960
[dslc_module_testimonials_output] modules\testimonials\module.php:5523
[dslc_module_comments_output] modules\tp-comments\module.php:3902
[dslc_module_comments_form_output] modules\tp-comments-form\module.php:3402
[dslc_module_woocommerce_output] modules\woocommerce\module.php:5463
WordPress Hooks 115

action · admin_notices · ds-live-composer.php:167
action · activated_plugin · ds-live-composer.php:236
filter · template_include · includes\archive-templates.php:71
action · pre_get_posts · includes\archive-templates.php:212
action · template_redirect · includes\archive-templates.php:266
action · template_redirect · includes\archive-templates.php:282
action · save_post · includes\class-dslc-cache.php:69
action · added_post_meta · includes\class-dslc-cache.php:70
action · load-options.php · includes\class-dslc-cache.php:244
action · wp_head · includes\css-generation.php:47
action · wp_footer · includes\css-generation.php:49
action · wp_loaded · includes\css-generation.php:52
action · admin_footer · includes\display-functions.php:522
filter · the_content · includes\display-functions.php:915
action · dslca_editing_screen_footer · includes\display-functions.php:1058
action · admin_bar_menu · includes\display-functions.php:2448
action · admin_menu · includes\editing-screen.php:59
action · admin_head · includes\editing-screen.php:194
action · admin_footer · includes\editing-screen.php:228
action · wp_head · includes\editing-screen.php:251
filter · admin_title · includes\editing-screen.php:274
action · wp_footer · includes\editorinterface.class.php:22
action · plugins_loaded · includes\functions.php:43
action · init · includes\functions.php:111
filter · dslc_filter_modules · includes\functions.php:136
action · init · includes\functions.php:258
filter · body_class · includes\functions.php:417
filter · dslc_get_templates · includes\functions.php:674
filter · dslc_get_templates · includes\functions.php:695
action · init · includes\header-footer.php:153
filter · manage_dslc_hf_posts_columns · includes\header-footer.php:173
action · manage_dslc_hf_posts_custom_column · includes\header-footer.php:197
action · save_post · includes\header-footer.php:265
action · init · includes\header-footer.php:351
action · template_redirect · includes\header-footer.php:720
action · init · includes\modules-area-system\inc\modules-area-options.php:767
filter · image_resize_dimensions · includes\other-functions.php:66
action · admin_footer · includes\other-functions.php:461
filter · dslc_admin_interface_on · includes\other-functions.php:506
filter · dslc_text_block_render · includes\other-functions.php:522
filter · run_wptexturize · includes\other-functions.php:732
action · init · includes\other-functions.php:734
action · init · includes\other.php:86
action · admin_footer · includes\other.php:142
action · admin_notices · includes\other.php:239
action · admin_notices · includes\other.php:284
filter · dslc_module_options · includes\other.php:296
action · add_meta_boxes · includes\other.php:316
action · admin_notices · includes\other.php:402
action · dslc_hook_register_options · includes\plugin-options-framework\inc\access-control.php:120
action · plugins_loaded · includes\plugin-options-framework\inc\init.php:33
action · admin_menu · includes\plugin-options-framework\inc\init.php:62
action · admin_init · includes\plugin-options-framework\inc\init.php:245
action · plugins_loaded · includes\plugin-options-framework\inc\options.php:9
action · dslc_hook_register_modules · includes\plugin-options-framework\inc\options.php:283
action · dslc_hook_unregister_modules · includes\plugin-options-framework\inc\options.php:297
action · dslc_hook_register_options · includes\plugin-options-framework\inc\options.php:371
action · dslc_hook_register_options · includes\plugin-options-framework\inc\options.php:416
action · dslc_hook_register_options · includes\plugin-options-framework\inc\performance.php:156
action · admin_enqueue_scripts · includes\plugin-updates\lc-license-manager.class.php:47
action · admin_init · includes\plugin-updates\lc-license-manager.class.php:48
action · current_screen · includes\plugin-updates\lc-license-manager.class.php:52
filter · pre_set_site_transient_update_plugins · includes\plugin-updates\lc-plugins-updater.class.php:61
filter · plugins_api · includes\plugin-updates\lc-plugins-updater.class.php:62
action · admin_init · includes\plugin-updates\lc-plugins-updater.class.php:65
filter · pre_set_site_transient_update_plugins · includes\plugin-updates\lc-plugins-updater.class.php:186
action · init · includes\post-options-framework\post-options-framework.php:94
action · add_meta_boxes · includes\post-options-framework\post-options-framework.php:104
action · save_post · includes\post-options-framework\post-options-framework.php:107
action · load-post-new.php · includes\post-options-framework\post-options-framework.php:110
action · load-post.php · includes\post-options-framework\post-options-framework.php:111
filter · post_row_actions · includes\post-options-framework\post-options-framework.php:533
filter · page_row_actions · includes\post-options-framework\post-options-framework.php:534
filter · get_sample_permalink_html · includes\post-options-framework\post-options-framework.php:555
action · post_submitbox_start · includes\post-options-framework\post-options-framework.php:575
filter · the_editor · includes\post-options-framework\post-options-framework.php:595
filter · the_editor · includes\post-options-framework\post-options-framework.php:613
action · init · includes\post-templates.php:54
filter · dslc_can_edit_in_lc · includes\post-templates.php:104
action · init · includes\row-system\inc\options.php:702
action · wp_enqueue_scripts · includes\scripts.php:27
action · admin_enqueue_scripts · includes\scripts.php:28
action · wp_enqueue_scripts · includes\scripts.php:30
action · wp_enqueue_scripts · includes\scripts.php:31
action · admin_enqueue_scripts · includes\scripts.php:32
action · admin_footer · includes\scripts.php:33
action · enqueue_block_editor_assets · includes\scripts.php:35
action · after_wp_tiny_mce · includes\scripts.php:125
filter · posts_join · includes\search-filter.php:37
filter · posts_where · includes\search-filter.php:86
filter · posts_distinct · includes\search-filter.php:107
action · template_redirect · includes\single-templates-framework\inc\filters.php:98
filter · manage_dslc_templates_posts_columns · includes\single-templates-framework\inc\filters.php:170
action · manage_dslc_templates_posts_custom_column · includes\single-templates-framework\inc\filters.php:171
action · save_post · includes\single-templates-framework\inc\filters.php:255
action · added_post_meta · includes\single-templates-framework\inc\filters.php:372
action · updated_postmeta · includes\single-templates-framework\inc\filters.php:373
action · deleted_post_meta · includes\single-templates-framework\inc\filters.php:374
action · wp_trash_post · includes\single-templates-framework\inc\filters.php:418
filter · manage_dslc_template_parts_posts_columns · includes\single-templates-framework\inc\filters.php:498
action · manage_dslc_template_parts_posts_custom_column · includes\single-templates-framework\inc\filters.php:514
filter · manage_edit-dslc_template_parts_sortable_columns · includes\single-templates-framework\inc\filters.php:520
action · init · includes\single-templates-framework\inc\functions.php:167
action · init · includes\single-templates-framework\inc\functions.php:373
filter · dslc_filter_settings · includes\styling-presets.php:84
action · init · modules\downloads\functions.php:187
action · init · modules\galleries\functions.php:137
action · dslc_hook_register_options · modules\navigation\functions.php:32
action · init · modules\navigation\functions.php:56
action · init · modules\partners\functions.php:129
action · init · modules\projects\functions.php:206
action · init · modules\staff\functions.php:165
action · init · modules\testimonials\functions.php:142
filter · comment_form_fields · modules\tp-comments-form\module.php:3422
action · widgets_init · modules\widgets\functions.php:9

Maintenance & Trust

Live Composer – Free WordPress Website Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 6, 2026
PHP min version: 7.4
Downloads: 1.6M

Community Trust

Rating: 88/100
Number of ratings: 212
Active installs: 10K
Developer Profile

Live Composer – Free WordPress Website Builder Developer Profile

LiveComposer

2 plugins · 10K total installs

Trust score: 69
Avg Security Score: 73/100
Avg Patch Time: 55 days
Detection Fingerprints

How We Detect Live Composer – Free WordPress Website Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/live-composer-page-builder/assets/css/admin.css
  • /wp-content/plugins/live-composer-page-builder/assets/css/frontend.css
  • /wp-content/plugins/live-composer-page-builder/assets/css/frontend-responsive.css
  • /wp-content/plugins/live-composer-page-builder/assets/css/frontend-editor.css
  • /wp-content/plugins/live-composer-page-builder/assets/js/frontend.js
  • /wp-content/plugins/live-composer-page-builder/assets/js/frontend-editor.js
  • /wp-content/plugins/live-composer-page-builder/assets/js/admin.js
  • /wp-content/plugins/live-composer-page-builder/assets/js/plugins/wp-media-uploader.js
  • +37 more

Script Paths

  • /wp-content/plugins/live-composer-page-builder/assets/js/frontend.js
  • /wp-content/plugins/live-composer-page-builder/assets/js/frontend-editor.js
  • /wp-content/plugins/live-composer-page-builder/assets/js/admin.js

Version Parameters

  • /wp-content/plugins/live-composer-page-builder/assets/css/admin.css?ver=
  • /wp-content/plugins/live-composer-page-builder/assets/css/frontend.css?ver=
  • /wp-content/plugins/live-composer-page-builder/assets/css/frontend-responsive.css?ver=
  • /wp-content/plugins/live-composer-page-builder/assets/css/frontend-editor.css?ver=
  • /wp-content/plugins/live-composer-page-builder/assets/js/frontend.js?ver=
  • /wp-content/plugins/live-composer-page-builder/assets/js/frontend-editor.js?ver=
  • /wp-content/plugins/live-composer-page-builder/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • dslc-module
  • dslc-section
  • dslc-row
  • dslc-column

HTML Comments

  • <!-- Live Composer Content -->
  • <!-- Live Composer Editor -->
  • <!-- Live Composer Settings -->
  • <!-- Live Composer Templates -->
  • +1 more

Data Attributes

  • data-dslc-module
  • data-dslc-id
  • data-dslc-row
  • data-dslc-column
  • data-dslc-section

JS Globals

  • dslc_live_composer_data
  • dslc_live_composer_settings
  • dslc_live_composer_modules
  • dslc_live_composer_templates
  • dslc_live_composer_options
  • dslc_live_composer_editor
  • +2 more

FAQ

Frequently Asked Questions about Live Composer – Free WordPress Website Builder