One Page Express Companion Security & Risk Analysis

wordpress.org/plugins/one-page-express-companion

The One Page Express Companion plugin adds drag and drop page builder functionality to the One Page Express theme.

10K active installs v1.6.46 PHP + WP 5.6+ Updated Nov 24, 2025
onepage-companion-drag-drop-builder
Score 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Oct 16, 2025
Safety Verdict

Is One Page Express Companion Safe to Use in 2026?

Generally Safe

Score 98/100

One Page Express Companion has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Oct 16, 2025 · Updated 4mo ago
Risk Assessment

The one-page-express-companion plugin v1.6.46 exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query preparation and output escaping, certain aspects raise concerns. The presence of one unprotected AJAX handler presents a direct attack vector that could be exploited without proper authentication. Despite a relatively low number of entry points, this unprotected handler is a significant weakness.

The vulnerability history shows past medium-severity issues, specifically missing authorization and cross-site scripting. There are currently no unpatched vulnerabilities, but the recurrence of these vulnerability types suggests underlying coding patterns that could lead to similar issues in the future if not addressed comprehensively. Static analysis of the plugin reveals no critical or high-severity taint flows, which is a positive sign, but the unprotected AJAX handler remains a notable risk.

In conclusion, the plugin has strengths in its secure handling of SQL and output, but the unprotected AJAX endpoint is a critical flaw that demands immediate attention. The history of medium-severity vulnerabilities, though patched, warrants vigilance. Addressing the unprotected AJAX handler is paramount to improving the plugin's overall security.

Key Concerns

  • Unprotected AJAX handler
  • Past medium severity vulnerabilities (Missing Auth, XSS)
Vulnerabilities
2

One Page Express Companion Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-62052 · medium · 4.3 · Missing Authorization

One Page Express Companion <= 1.6.43 - Missing Authorization

Oct 16, 2025 · Patched in 1.6.44 (8d)

CVE-2024-4703 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

One Page Express Companion <= 1.6.37 - Authenticated (Contributor+) Stored Cross-Site Scripting via one_page_express_contact_form Shortcode

Jun 6, 2024 · Patched in 1.6.38 (1d)
Code Analysis
Analyzed Mar 16, 2026

One Page Express Companion Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (2 prepared)
Unescaped Output: 54 (242 escaped)
Nonce Checks: 6
Capability Checks: 5
File Operations: 3
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

67% prepared · 3 total queries

Output Escaping

82% escaped · 296 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
openPageInCustomizer (src\Companion.php:751)
Attack Surface
1 unprotected

One Page Express Companion Attack Surface

Entry Points: 9
Unprotected: 1

AJAX Handlers 6

auth wp_ajax_create_home_page src\Companion.php:84
auth wp_ajax_cp_open_in_customizer src\Companion.php:86
auth wp_ajax_cp_shortcode_refresh src\Companion.php:87
auth wp_ajax_extendthemes_get_remote_data_notifications src\Notify\NotificationsManager.php:104
auth wp_ajax_cp_dismiss_notification src\Notify\NotificationsManager.php:153
auth wp_ajax_one_page_express_discount_notice_dismiss theme-data\one-page-express\functions.php:707

Shortcodes 3

[one_page_express_latest_news] theme-data\one-page-express\functions.php:82
[one_page_express_blog_link] theme-data\one-page-express\functions.php:96
[one_page_express_contact_form] theme-data\one-page-express\functions.php:131
WordPress Hooks 61

filter one_page_exress_companion_installed src\Companion.php:26
action init src\Companion.php:49
filter cloudpress\companion\cp_data src\Companion.php:52
filter page_row_actions src\Companion.php:89
action admin_footer src\Companion.php:91
action media_buttons src\Companion.php:93
filter is_protected_meta src\Companion.php:95
action enqueue_block_editor_assets src\Companion.php:105
filter cloudpress\customizer\supports src\Companion.php:196
filter http_request_args src\Companion.php:261
filter is_shortcode_refresh src\Companion.php:867
filter wp_resource_hints src\Companion.php:891
filter customize_dynamic_setting_args src\Customizer\Customizer.php:41
filter customize_dynamic_setting_class src\Customizer\Customizer.php:42
action admin_enqueue_scripts src\Customizer\Customizer.php:77
action customize_controls_print_scripts src\Customizer\Customizer.php:111
action customize_controls_print_footer_scripts src\Customizer\Customizer.php:145
action wp_footer src\Customizer\Customizer.php:311
action customize_register src\Customizer\Customizer.php:555
action customize_controls_enqueue_scripts src\Customizer\Customizer.php:559
action customize_preview_init src\Customizer\Customizer.php:563
action cloudpress\customizer\global_scripts src\Customizer\Panels\ContentPanel.php:13
action cloudpress\customizer\preview_scripts src\Customizer\Panels\ContentPanel.php:14
filter cloudpress\customizer\temp_mod_exists src\Customizer\Settings\ObjectSetting.php:43
filter cloudpress\customizer\temp_mod_content src\Customizer\Settings\ObjectSetting.php:44
filter cloudpress\customizer\global_data src\Customizer\Template.php:18
filter the_content src\Customizer\Template.php:20
filter template_include src\Customizer\Template.php:22
action widgets_init src\Customizer\Template.php:261
action admin_notices src\Notify\Notification.php:112
filter http_request_timeout src\Notify\NotificationsManager.php:68
action admin_head src\Notify\NotificationsManager.php:122
action admin_footer src\Notify\NotificationsManager.php:156
action cloudpress\companion\activated\one-page-express support\wp-5.8.php:2
filter show_inactive_plugin_infos theme-data\one-page-express\functions.php:4
filter excerpt_length theme-data\one-page-express\functions.php:39
filter excerpt_more theme-data\one-page-express\functions.php:40
filter cloudpress\template\page_content theme-data\one-page-express\functions.php:133
filter cloudpress\companion\cp_data theme-data\one-page-express\functions.php:146
action cloudpress\template\load_assets theme-data\one-page-express\functions.php:170
action cloudpress\customizer\preview_scripts theme-data\one-page-express\functions.php:189
action cloudpress\customizer\global_scripts theme-data\one-page-express\functions.php:203
action cloudpress\companion\activated\one-page-express theme-data\one-page-express\functions.php:399
action cloudpress\companion\deactivated\one-page-express theme-data\one-page-express\functions.php:406
action admin_head theme-data\one-page-express\functions.php:412
filter cloudpress\companion\front_page_content theme-data\one-page-express\functions.php:460
filter cloudpress\companion\template theme-data\one-page-express\functions.php:471
filter body_class theme-data\one-page-express\functions.php:485
filter body_class theme-data\one-page-express\functions.php:489
filter cloudpress\customizer\control\content_sections\data theme-data\one-page-express\functions.php:522
filter cloudpress\customizer\control\content_sections\category_label theme-data\one-page-express\functions.php:555
action wp_head theme-data\one-page-express\functions.php:579
action edit_form_after_title theme-data\one-page-express\functions.php:609
filter tiny_mce_before_init theme-data\one-page-express\functions.php:624
action edit_form_after_editor theme-data\one-page-express\functions.php:655
filter one_page_express_header_presets theme-data\one-page-express\functions.php:658
action admin_init theme-data\one-page-express\functions.php:736
action admin_notices theme-data\one-page-express\functions.php:741
action admin_footer theme-data\one-page-express\functions.php:742
action cloudpress\customizer\global_scripts theme-data\one-page-express\functions.php:744
action admin_head theme-data\one-page-express\notifications.php:54
Maintenance & Trust

One Page Express Companion Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Nov 24, 2025
PHP min version
Downloads: 682K

Community Trust

Rating: 94/100
Number of ratings: 11
Active installs: 10K
Alternatives

One Page Express Companion Alternatives

No alternatives data available yet.

Developer Profile

One Page Express Companion Developer Profile

Horea Radu

3 plugins · 76K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 181 days
Detection Fingerprints

How We Detect One Page Express Companion

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/one-page-express-companion/assets/js/customizer/customizer-base.js
/wp-content/plugins/one-page-express-companion/assets/js/customizer/multi-image-control.js
/wp-content/plugins/one-page-express-companion/assets/js/customizer/row-list-control.js
Script Paths
/wp-content/plugins/one-page-express-companion/vendor/framework/assets/js/app.js
/wp-content/plugins/one-page-express-companion/vendor/framework/assets/js/customizer/app.js
Version Parameters
one-page-express-companion/style.css?ver=
one-page-express-companion/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
cp-multi-image-manager, cp-multi-image-item, rows-list, available-item, already-in-page, list-holder, image-holder, available-item-hover-button (+3 more)
HTML Comments
<!-- Section is already in page -->
<!-- Pro Only -->
Data Attributes
data-type="cp-multi-image-manager", data-min, data-max, data-setting-link, data-name, data-selection (+5 more)
JS Globals
cpMultiImageTexts, CP_Customizer.openMediaBrowser, cp_preset_changer_
FAQ

Frequently Asked Questions about One Page Express Companion