Does Materialis Companion have any unpatched vulnerabilities?

No. All known vulnerabilities in Materialis Companion have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Materialis Companion compatible with WordPress 6.9.4?

According to WordPress.org data, Materialis Companion 1.3.53 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is Materialis Companion updated?

Materialis Companion was last updated on Feb 24, 2026. Frequent updates are generally a positive security signal.

What is Materialis Companion's security score?

Materialis Companion has a WP-Safety security score of 96/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Materialis Companion Security & Risk Analysis

wordpress.org/plugins/materialis-companion

The Materialis Companion plugin adds drag and drop page builder functionality to the Materialis theme.

6K active installs v1.3.53 PHP + WP 5.6+ Updated Feb 24, 2026

builderdragdropmaterialis-companion

A · Safe

CVEs total3

Unpatched0

Last CVEJan 24, 2026

Download

Safety Verdict

Is Materialis Companion Safe to Use in 2026?

Generally Safe

Score 96/100

Materialis Companion has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Jan 24, 2026Updated 1mo ago

Risk Assessment

The materialis-companion plugin v1.3.53 exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query sanitization and output escaping, the presence of an unprotected AJAX handler represents a significant concern, opening the door for unauthorized actions. The plugin also has a history of medium-severity vulnerabilities, specifically Cross-site Scripting (XSS) and Missing Authorization, which indicates recurring issues that require careful attention. Although there are no currently unpatched CVEs, the historical pattern suggests a propensity for vulnerabilities in these areas.

The static analysis reveals a relatively contained attack surface with one unprotected entry point (AJAX handler). The taint analysis shows no critical or high-severity flows, which is a positive sign. However, the unprotected AJAX handler needs to be addressed immediately. The history of past vulnerabilities, particularly XSS and authorization flaws, suggests that input validation and access control mechanisms might not always be robust. Despite the current lack of unpatched critical issues, the plugin's vulnerability history warrants a cautious approach.

In conclusion, materialis-companion has strengths in its proper handling of SQL and output escaping. However, the unprotected AJAX endpoint is a direct, exploitable risk. The historical vulnerability patterns for XSS and Missing Authorization indicate a need for ongoing vigilance and potentially a deeper review of its security implementation. Addressing the unprotected AJAX handler should be the immediate priority, followed by a review of past vulnerability types to prevent recurrence.

Key Concerns

AJAX handler without authentication
History of medium severity CVEs (3 total)
Vulnerability history shows Missing Authorization
Vulnerability history shows Cross-site Scripting

Vulnerabilities

Materialis Companion Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

1 CVE in 2024

2024

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

Medium

3 total CVEs

CVE-2026-24543medium · 4.3Missing Authorization

Materialis Companion <= 1.3.52 - Missing Authorization

Jan 24, 2026 Patched in 1.3.53 (32d)

CVE-2024-4707medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Materialis Companion <= 1.3.41 - Authenticated (Contributor+) Store Cross-Site Scripting via materialis_contact_form Shortcode

Jun 5, 2024 Patched in 1.3.42 (1d)

CVE-2022-4762medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Materialis Companion <= 1.3.39 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 13, 2023 Patched in 1.3.40 (375d)

Code Analysis

Analyzed Mar 16, 2026

Materialis Companion Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

214 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

TinyMCE

SQL Query Safety

67% prepared3 total queries

Output Escaping

86% escaped250 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

openPageInCustomizer (src\Companion.php:1121)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

Materialis Companion Attack Surface

Entry Points7

Unprotected1

AJAX Handlers 5

authwp_ajax_create_home_pagesrc\Companion.php:191

authwp_ajax_cp_open_in_customizersrc\Companion.php:193

authwp_ajax_cp_shortcode_refreshsrc\Companion.php:194

authwp_ajax_extendthemes_get_remote_data_notificationssrc\Notify\NotificationsManager.php:99

authwp_ajax_cp_dismiss_notificationsrc\Notify\NotificationsManager.php:148

Shortcodes 2

[materialis_contact_form] theme-data\materialis\functions.php:112

[materialis_latest_news] theme-data\materialis\shortcodes\latest-news.php:211

WordPress Hooks 72

filtermaterialis_is_companion_installedmaterialis-companion.php:21

actioninitsrc\Companion.php:63

filtercloudpress\companion\cp_datasrc\Companion.php:68

filterpage_row_actionssrc\Companion.php:196

actionadmin_footersrc\Companion.php:198

actionmedia_buttonssrc\Companion.php:200

filteris_protected_metasrc\Companion.php:202

filtercustomize_changeset_save_datasrc\Companion.php:204

actioncustomize_registersrc\Companion.php:214

filterkirki/control_typessrc\Companion.php:220

actionenqueue_block_editor_assetssrc\Companion.php:237

actionsave_postsrc\Companion.php:337

actionwp_restore_post_revisionsrc\Companion.php:338

filterhttp_request_argssrc\Companion.php:475

filtercloudpress\customizer\supportssrc\Companion.php:570

actionpre_post_updatesrc\Companion.php:1109

filtermaterialis_is_shortcode_refreshsrc\Companion.php:1239

filterwp_resource_hintssrc\Companion.php:1273

filtercustomize_dynamic_setting_argssrc\Customizer\Customizer.php:45

filtercustomize_dynamic_setting_classsrc\Customizer\Customizer.php:46

actioncustomize_controls_print_scriptssrc\Customizer\Customizer.php:181

actioncustomize_controls_print_footer_scriptssrc\Customizer\Customizer.php:215

actionwp_footersrc\Customizer\Customizer.php:412

actioncustomize_registersrc\Customizer\Customizer.php:658

actioncustomize_controls_enqueue_scriptssrc\Customizer\Customizer.php:662

actioncustomize_preview_initsrc\Customizer\Customizer.php:666

actioncloudpress\customizer\global_scriptssrc\Customizer\Panels\ContentPanel.php:13

actioncloudpress\customizer\preview_scriptssrc\Customizer\Panels\ContentPanel.php:14

filtercloudpress\customizer\temp_mod_existssrc\Customizer\Settings\ObjectSetting.php:43

filtercloudpress\customizer\temp_mod_contentsrc\Customizer\Settings\ObjectSetting.php:44

filtercloudpress\customizer\global_datasrc\Customizer\Template.php:19

filterthe_contentsrc\Customizer\Template.php:21

filtertemplate_includesrc\Customizer\Template.php:23

actionwidgets_initsrc\Customizer\Template.php:265

actionadmin_noticessrc\Notify\Notification.php:53

filterhttp_request_timeoutsrc\Notify\NotificationsManager.php:63

actionadmin_headsrc\Notify\NotificationsManager.php:117

actionadmin_footersrc\Notify\NotificationsManager.php:151

actioncloudpress\companion\activated\materialissupport\wp-5.8.php:3

actionwp_headtheme-data\materialis\custom-style.php:77

filtercloudpress\customizer\preview_datatheme-data\materialis\custom-style.php:101

filtermaterialis_can_show_demo_contenttheme-data\materialis\functions.php:10

filtermaterialis_show_inactive_plugin_infostheme-data\materialis\functions.php:11

filtermaterialis_full_width_pagetheme-data\materialis\functions.php:14

filtermaterialis_page_content_wrapper_classtheme-data\materialis\functions.php:26

filtermaterialis_page_content_classtheme-data\materialis\functions.php:38

filtercloudpress\template\page_contenttheme-data\materialis\functions.php:115

filtercloudpress\companion\cp_datatheme-data\materialis\functions.php:126

actioncloudpress\template\load_assetstheme-data\materialis\functions.php:168

filtercloudpress\companion\front_page_contenttheme-data\materialis\functions.php:287

filtercloudpress\customizer\control\content_sections\datatheme-data\materialis\functions.php:299

filtercloudpress\customizer\control\content_sections\category_labeltheme-data\materialis\functions.php:337

actionedit_form_after_titletheme-data\materialis\functions.php:362

filtertiny_mce_before_inittheme-data\materialis\functions.php:377

filterbody_classtheme-data\materialis\functions.php:381

filtermaterialis_header_presetstheme-data\materialis\functions.php:436

actioncloudpress\customizer\add_assetstheme-data\materialis\functions.php:456

filtercloudpress\customizer\global_datatheme-data\materialis\functions.php:502

actioncloudpress\companion\activated\materialistheme-data\materialis\functions.php:510

actioncloudpress\companion\deactivated\materialistheme-data\materialis\functions.php:519

filtercloudpress\customizer\control\content_sections\category_datatheme-data\materialis\functions.php:536

filtercloudpress\customizer\page_settingstheme-data\materialis\functions.php:561

actionadmin_inittheme-data\materialis\integrations\gutenberg\integration.php:56

filtermaterialis_integration_modulestheme-data\materialis\integrations\index.php:8

actionadmin_headtheme-data\materialis\notifications.php:52

actionmaterialis_header_background_overlay_settingstheme-data\materialis\options\overlap.php:4

filterbody_classtheme-data\materialis\options\overlap.php:77

filterexcerpt_lengththeme-data\materialis\shortcodes\latest-news.php:152

filterexcerpt_moretheme-data\materialis\shortcodes\latest-news.php:153

actionadmin_inittheme-data\materialis\updates.php:104

actioncustomize_controls_print_footer_scriptstheme-data\materialis\updates.php:140

filterhttp_request_argstheme-data\materialis\updates.php:168

Maintenance & Trust

Materialis Companion Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 24, 2026

PHP min version

Downloads233K

Community Trust

Rating94/100

Number of ratings10

Active installs6K

Alternatives

Materialis Companion Alternatives

Elementor Website Builder – More Than Just a Page Builder

elementor

The Elementor Website Builder has it all: drag and drop page builder, pixel perfect design, mobile responsive editing, and more. Get started now!

10.0M 46 CVEs

Page Builder by SiteOrigin

siteorigin-panels

Build responsive page layouts using the widgets you know and love using this simple drag and drop page builder.

500K 8 CVEs

Page Builder: Pagelayer – Drag and Drop website builder

pagelayer

The most advanced frontend drag & drop page builder. Pagelayer is a light weight but extremely powerful Website Builder.

400K 26 CVEs

Beaver Builder Page Builder – Drag and Drop Website Builder

beaver-builder-lite-version

The Professional's Choice for Drag & Drop WordPress Page Building. Fast, Reliable, and Trusted since 2014.

100K 31 CVEs

Colibri Page Builder

colibri-page-builder

Colibri Page Builder adds drag and drop page builder functionality to the ColibriWP theme.

90K 18 CVEs

Developer Profile

Materialis Companion Developer Profile

Horea Radu

3 plugins · 76K total installs

trust score

Avg Security Score

97/100

Avg Patch Time

181 days

View full developer profile

Detection Fingerprints

How We Detect Materialis Companion

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/materialis-companion/assets/css/customizer.css/wp-content/plugins/materialis-companion/assets/css/frontend.css/wp-content/plugins/materialis-companion/assets/js/customizer/base.js/wp-content/plugins/materialis-companion/assets/js/customizer/row-list-control.js/wp-content/plugins/materialis-companion/assets/js/customizer/multi-image-control.js/wp-content/plugins/materialis-companion/assets/js/frontend/frontend.js/wp-content/plugins/materialis-companion/assets/js/frontend/responsive-menu.js/wp-content/plugins/materialis-companion/assets/js/materialis-companion-admin.js

Script Paths

/wp-content/plugins/materialis-companion/assets/js/customizer/base.js/wp-content/plugins/materialis-companion/assets/js/customizer/row-list-control.js/wp-content/plugins/materialis-companion/assets/js/customizer/multi-image-control.js/wp-content/plugins/materialis-companion/assets/js/frontend/frontend.js/wp-content/plugins/materialis-companion/assets/js/frontend/responsive-menu.js/wp-content/plugins/materialis-companion/assets/js/materialis-companion-admin.js

Version Parameters

/wp-content/plugins/materialis-companion/assets/css/customizer.css?ver=/wp-content/plugins/materialis-companion/assets/css/frontend.css?ver=/wp-content/plugins/materialis-companion/assets/js/customizer/base.js?ver=/wp-content/plugins/materialis-companion/assets/js/customizer/row-list-control.js?ver=/wp-content/plugins/materialis-companion/assets/js/customizer/multi-image-control.js?ver=/wp-content/plugins/materialis-companion/assets/js/frontend/frontend.js?ver=/wp-content/plugins/materialis-companion/assets/js/frontend/responsive-menu.js?ver=/wp-content/plugins/materialis-companion/assets/js/materialis-companion-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

cp-multi-image-itemcp-multi-image-managersection-iconattachment-media-view-image

Data Attributes

data-type="cp-multi-image-manager"data-mindata-maxdata-setting-linkdata-namedata-selection

JS Globals

CP_Customizer.openMediaBrowsercpMultiImageTexts

FAQ