Mesmerize Companion Security & Risk Analysis

wordpress.org/plugins/mesmerize-companion

The Mesmerize Companion plugin adds drag and drop page builder functionality to the Mesmerize theme.

60K active installs · v1.6.168 · PHP 5.6+ · WP 5.5+ · Updated Nov 24, 2025
Tags: builder · drag · drop · mesmerize-companion
Score: 96 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Feb 18, 2026
Safety Verdict

Is Mesmerize Companion Safe to Use in 2026?

Generally Safe

Score 96/100

Mesmerize Companion has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Feb 18, 2026 · Updated 5mo ago
Risk Assessment

The mesmerize-companion plugin v1.6.168 presents a mixed security posture. While the majority of SQL queries are properly prepared and most output is escaped, several areas raise concern. Specifically, three AJAX handlers lack authentication checks, creating a significant entry point for potential abuse. The single call to `unserialize` is a known risk: if user-supplied data reaches it without proper validation, it could be exploited.

The plugin's vulnerability history, with three past medium-severity CVEs (Missing Authorization and Cross-site Scripting), is a notable concern. Although there are no currently unpatched vulnerabilities, the types of past issues align with some of the risks identified in the static analysis, particularly the missing authorization. The most recent vulnerability dating from 2026 suggests either an outdated security practice or a historical issue that, while patched, highlights earlier weaknesses.

Overall, the plugin demonstrates some good security practices, but the unprotected AJAX endpoints and the history of missing-authorization and XSS vulnerabilities warrant careful attention. The absence of critical or high-severity taint flows is a positive sign, but the static analysis findings and past CVEs suggest a need for continued vigilance and potential remediation.

Key Concerns

  • Unprotected AJAX handlers
  • Presence of unserialize function
  • Past medium severity CVEs
  • High percentage of SQL using prepared statements
  • High percentage of properly escaped output
Vulnerabilities · 3 published

Mesmerize Companion Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2024: 1 CVE
2026: 1 CVE
All patched

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2025-12027 · medium · 4.3 · Missing Authorization

Mesmerize Companion <= 1.6.158 - Missing Authorization Authenticated (Subscriber+) Settings Update

Feb 18, 2026 · Patched in 1.6.162 (1d)

CVE-2024-3494 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Mesmerize Companion <= 1.6.148 - Authenticated (Contributor+) Stored Cross-Site Scripting via mesmerize_contact_form Shortcode

May 7, 2024 · Patched in 1.6.149 (632d)

CVE-2022-4481 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Mesmerize Companion <= 1.6.133 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Dec 20, 2022 · Patched in 1.6.135 (399d)
Version History

Mesmerize Companion Release Timeline

No version history available.
Code Analysis
Analyzed Mar 16, 2026

Mesmerize Companion Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 1 (6 prepared)
Unescaped Output: 42 (304 escaped)
Nonce Checks: 3
Capability Checks: 5
File Operations: 3
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

unserialize · `$data = unserialize( $raw );` · theme-data\mesmerize\integrations\demo-imports\inc\CustomizerImporter.php:71

Bundled Libraries

TinyMCE

SQL Query Safety

86% prepared · 7 total queries

Output Escaping

88% escaped · 346 total outputs
Data Flows · Security · All sanitized

Data Flow Analysis

2 flows
openPageInCustomizer (src\Companion.php:1420)
Attack Surface · 3 unprotected

Mesmerize Companion Attack Surface

Entry Points: 11
Unprotected: 3

AJAX Handlers 9

auth · wp_ajax_create_home_page · src\Companion.php:525
auth · wp_ajax_cp_load_data · src\Companion.php:526
auth · wp_ajax_cp_open_in_customizer · src\Companion.php:528
auth · wp_ajax_cp_open_in_default_editor · src\Companion.php:529
auth · wp_ajax_cp_shortcode_refresh · src\Companion.php:530
auth · wp_ajax_extendthemes_get_remote_data_notifications · src\Notify\NotificationsManager.php:111
auth · wp_ajax_cp_dismiss_notification · src\Notify\NotificationsManager.php:159
auth · wp_ajax_extendthemes_plugin_activation_url · theme-data\mesmerize\integrations\demo-imports\inc\DemoImportIntegration.php:85
auth · wp_ajax_ocdi_import_customizer_data · theme-data\mesmerize\integrations\demo-imports\inc\hooks\customizer.php:7

Shortcodes 2

[mesmerize_latest_news] theme-data\mesmerize\functions.php:152
[mesmerize_contact_form] theme-data\mesmerize\functions.php:198
WordPress Hooks 109
action · admin_notices · mesmerize-companion.php:41
filter · mesmerize_is_companion_installed · mesmerize-companion.php:55
action · init · mesmerize-companion.php:57
action · init · src\Companion.php:54
filter · cloudpress\companion\cp_data · src\Companion.php:59
filter · http_request_args · src\Companion.php:143
filter · page_row_actions · src\Companion.php:532
action · admin_footer · src\Companion.php:534
action · admin_footer · src\Companion.php:535
action · media_buttons · src\Companion.php:537
filter · is_protected_meta · src\Companion.php:539
filter · customize_changeset_save_data · src\Companion.php:541
action · customize_register · src\Companion.php:552
filter · kirki/control_types · src\Companion.php:558
filter · user_can_richedit · src\Companion.php:575
filter · gutenberg_can_edit_post_type · src\Companion.php:576
filter · use_block_editor_for_post · src\Companion.php:577
filter · wp_editor_settings · src\Companion.php:578
filter · the_editor · src\Companion.php:579
action · enqueue_block_editor_assets · src\Companion.php:580
filter · cloudpress\customizer\supports · src\Companion.php:669
filter · wp_resource_hints · src\Companion.php:717
action · save_post · src\Companion.php:741
action · wp_restore_post_revision · src\Companion.php:742
action · pre_post_update · src\Companion.php:1469
filter · mesmerize_is_shortcode_refresh · src\Companion.php:1566
filter · customize_dynamic_setting_args · src\Customizer\Customizer.php:43
filter · customize_dynamic_setting_class · src\Customizer\Customizer.php:44
action · customize_register · src\Customizer\Customizer.php:61
action · customize_controls_enqueue_scripts · src\Customizer\Customizer.php:65
action · customize_preview_init · src\Customizer\Customizer.php:69
filter · cloudpress\customizer\global_data · src\Customizer\Customizer.php:374
action · customize_controls_print_scripts · src\Customizer\Customizer.php:395
action · customize_controls_print_footer_scripts · src\Customizer\Customizer.php:430
action · wp_footer · src\Customizer\Customizer.php:628
action · cloudpress\customizer\global_scripts · src\Customizer\Panels\ContentPanel.php:13
action · cloudpress\customizer\preview_scripts · src\Customizer\Panels\ContentPanel.php:14
filter · cloudpress\customizer\temp_mod_exists · src\Customizer\Settings\ObjectSetting.php:43
filter · cloudpress\customizer\temp_mod_content · src\Customizer\Settings\ObjectSetting.php:44
filter · the_content · src\Customizer\Template.php:20
filter · template_include · src\Customizer\Template.php:22
action · widgets_init · src\Customizer\Template.php:266
action · admin_notices · src\Notify\Notification.php:61
filter · http_request_timeout · src\Notify\NotificationsManager.php:73
action · admin_head · src\Notify\NotificationsManager.php:129
action · admin_footer · src\Notify\NotificationsManager.php:162
action · cloudpress\companion\activated · support\wp-5.8.php:3
action · delete_option · support\wp-5.8.php:34
action · wp_head · theme-data\mesmerize\custom-style.php:77
filter · cloudpress\customizer\preview_data · theme-data\mesmerize\custom-style.php:102
filter · mesmerize_show_inactive_plugin_infos · theme-data\mesmerize\functions.php:23
filter · mesmerize_full_width_page · theme-data\mesmerize\functions.php:26
filter · mesmerize_page_content_wrapper_class · theme-data\mesmerize\functions.php:38
filter · mesmerize_page_content_class · theme-data\mesmerize\functions.php:50
filter · excerpt_length · theme-data\mesmerize\functions.php:108
filter · excerpt_more · theme-data\mesmerize\functions.php:109
filter · cloudpress\template\page_content · theme-data\mesmerize\functions.php:201
filter · cloudpress\companion\ajax_cp_data · theme-data\mesmerize\functions.php:212
filter · cloudpress\companion\ajax_cp_data · theme-data\mesmerize\functions.php:257
action · cloudpress\template\load_assets · theme-data\mesmerize\functions.php:295
filter · cloudpress\companion\front_page_content · theme-data\mesmerize\functions.php:386
filter · mesmerize_supports-header-slider · theme-data\mesmerize\functions.php:398
filter · cloudpress\customizer\control\content_sections\data · theme-data\mesmerize\functions.php:400
filter · cloudpress\customizer\control\content_sections\category_label · theme-data\mesmerize\functions.php:438
action · edit_form_after_title · theme-data\mesmerize\functions.php:463
filter · tiny_mce_before_init · theme-data\mesmerize\functions.php:478
filter · body_class · theme-data\mesmerize\functions.php:482
filter · mesmerize_header_presets · theme-data\mesmerize\functions.php:522
action · cloudpress\customizer\add_assets · theme-data\mesmerize\functions.php:541
filter · cloudpress\customizer\global_data · theme-data\mesmerize\functions.php:587
action · cloudpress\companion\activated\mesmerize · theme-data\mesmerize\functions.php:595
action · cloudpress\companion\deactivated\mesmerize · theme-data\mesmerize\functions.php:606
filter · cloudpress\customizer\get_data_filter · theme-data\mesmerize\functions.php:615
filter · wpforms_shareasale_id · theme-data\mesmerize\functions.php:629
filter · pt-ocdi/import_files · theme-data\mesmerize\integrations\demo-imports\inc\DemoImportIntegration.php:35
filter · pt-ocdi/plugin_page_setup · theme-data\mesmerize\integrations\demo-imports\inc\DemoImportIntegration.php:62
filter · pt-ocdi/disable_pt_branding · theme-data\mesmerize\integrations\demo-imports\inc\DemoImportIntegration.php:63
filter · pt-ocdi/upload_file_path · theme-data\mesmerize\integrations\demo-imports\inc\DemoImportIntegration.php:65
filter · http_request_timeout · theme-data\mesmerize\integrations\demo-imports\inc\DemoImportIntegration.php:153
action · after_setup_theme · theme-data\mesmerize\integrations\demo-imports\inc\DemoImportIntegration.php:279
action · after_setup_theme · theme-data\mesmerize\integrations\demo-imports\inc\DemoImportIntegration.php:291
action · pt-ocdi/customizer_import_execution · theme-data\mesmerize\integrations\demo-imports\inc\hooks\customizer.php:12
action · pt-ocdi/customizer_import_execution · theme-data\mesmerize\integrations\demo-imports\inc\hooks\customizer.php:160
action · pt-ocdi/after_import · theme-data\mesmerize\integrations\demo-imports\inc\hooks\customizer.php:162
action · pt-ocdi/before_content_import · theme-data\mesmerize\integrations\demo-imports\inc\hooks\menu.php:34
action · pt-ocdi/after_import · theme-data\mesmerize\integrations\demo-imports\inc\hooks\menu.php:102
action · wxr_importer.processed.post · theme-data\mesmerize\integrations\demo-imports\inc\hooks\menu.php:105
action · pt-ocdi/after_import · theme-data\mesmerize\integrations\demo-imports\inc\hooks\menu.php:134
action · pt-ocdi/before_content_import · theme-data\mesmerize\integrations\demo-imports\inc\hooks\pages.php:10
action · pt-ocdi/after_import · theme-data\mesmerize\integrations\demo-imports\inc\hooks\pages.php:89
filter · wxr_importer.pre_process.post · theme-data\mesmerize\integrations\demo-imports\inc\hooks\pages.php:92
action · pt-ocdi/before_content_import · theme-data\mesmerize\integrations\demo-imports\inc\hooks\woocommerce.php:9
filter · wxr_importer.pre_process.term · theme-data\mesmerize\integrations\demo-imports\inc\hooks\woocommerce.php:12
action · pt-ocdi/after_import · theme-data\mesmerize\integrations\demo-imports\inc\hooks\woocommerce.php:125
action · pt-ocdi/after_import · theme-data\mesmerize\integrations\demo-imports\inc\hooks\woocommerce.php:143
filter · mesmerize_tgmpa_plugins · theme-data\mesmerize\integrations\demo-imports\integration.php:31
filter · mesmerize_skip_tgma_plugin_from_notices · theme-data\mesmerize\integrations\demo-imports\integration.php:44
filter · cloudpress\customizer\feature_popups · theme-data\mesmerize\integrations\demo-imports\integration.php:67
action · customize_register · theme-data\mesmerize\integrations\demo-imports\integration.php:98
action · admin_menu · theme-data\mesmerize\integrations\demo-imports\integration.php:126
action · admin_head · theme-data\mesmerize\integrations\demo-imports\integration.php:142
filter · mesmerize_integration_modules · theme-data\mesmerize\integrations\index.php:8
action · admin_head · theme-data\mesmerize\notifications.php:63
action · mesmerize_header_background_overlay_settings · theme-data\mesmerize\options\overlap.php:4
filter · body_class · theme-data\mesmerize\options\overlap.php:55
action · wp_head · theme-data\mesmerize\options\overlap.php:83
action · admin_init · theme-data\mesmerize\updates.php:126
action · customize_controls_print_footer_scripts · theme-data\mesmerize\updates.php:165
filter · http_request_args · theme-data\mesmerize\updates.php:194
Maintenance & Trust

Mesmerize Companion Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 24, 2025
PHP min version: 5.6
Downloads: 2.2M

Community Trust

Rating: 88/100
Number of ratings: 51
Active installs: 60K
Developer Profile

Mesmerize Companion Developer Profile

Horea Radu

3 plugins · 76K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 181 days
Detection Fingerprints

How We Detect Mesmerize Companion

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mesmerize-companion/support/wp-5.8.php
/wp-content/plugins/mesmerize-companion/vendor/autoload.php
Version Parameters
mesmerize-companion/version=

HTML / DOM Fingerprints

CSS Classes
mesmerize-companion-notice · mesmerize-row-list-control · available-item-hover-button · checked-icon
Data Attributes
data-ajax-data · data-varname · data-id · data-pro-only · data-setting-link
JS Globals
mesmerize_content_list_control_l10n
FAQ

Frequently Asked Questions about Mesmerize Companion