Plugin Builder Security & Risk Analysis

wordpress.org/plugins/plugin-builder

Get started building a plugin using the WordPress Plugin Boilerplate in seconds, not hours. Speed up your development.

20 active installs v1.0.0 PHP + WP 3.0.1+ Updated Apr 20, 2015
Tags: boilerplate, development

Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Plugin Builder Safe to Use in 2026?

Generally Safe

Score 85/100

Plugin Builder has no known CVEs, but it is not actively maintained: the only release (v1.0.0) dates from April 2015 and the plugin is tested only up to WordPress 4.7.32. The score reflects the clean vulnerability history, not current upkeep. On a modern WordPress and PHP stack, treat a decade without updates as a risk in its own right and confirm the plugin still loads without errors before relying on it.

No known CVEs · Updated 10 years ago
Risk Assessment

The plugin "plugin-builder" v1.0.0 presents a mixed security posture. On the positive side, it has no known CVEs and a clean vulnerability history. It issues no SQL queries at all (0 raw, 0 prepared), so there is no SQL injection surface to speak of, it makes no external HTTP requests, and the analysis records no taint flow from unsanitized input to a sensitive sink.

However, there are real concerns. Static analysis flags one dangerous function, unserialize, called as return @unserialize( $data ); in cache\util-php\util.php:439. Passing attacker-influenced bytes to unserialize is the classic PHP Object Injection vector: any class loadable at that point can be instantiated with its __wakeup and __destruct methods live, and the @ suppresses the only notice a malformed payload would raise. The call sits in a copy of the util-php helper library kept under cache\, so exploitability depends on whether that copy is ever loaded and on where $data originates; the page records no taint flow into it, but the pattern still warrants review. Output escaping is weak: only 16% of outputs (15 of 96) are escaped, leaving 81 raw echoes as potential Cross-Site Scripting (XSS) sinks. There are no capability checks at all and a single nonce check; a nonce defeats request forgery but does not authorize, so any action the plugin exposes is protected against CSRF at most, not against a low-privileged logged-in user. The attack surface is currently reported as zero entry points, which limits how these sinks can be reached today, but that changes the moment functionality is added without the missing checks.

In conclusion, the plugin avoids unpatched vulnerabilities and SQL injection, but the unserialize call, the overwhelmingly unescaped output and the absent capability checks together form a substantial risk profile for any code path that becomes reachable. The fixes are standard: escape every output for its context (esc_html, esc_attr, esc_url, or wp_kses where HTML is intended), gate every state-changing action behind current_user_can in addition to the nonce, and either remove the unserialize call or restrict it with allowed_classes => false.

Key Concerns

  • Dangerous function 'unserialize' used
  • Low output escaping percentage (16%)
  • No capability checks
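
The two WordPress-side concerns above (no capability checks, unescaped output) are addressed by the same handful of API calls. The following is an added example of one admin settings screen written with those calls, not code from the Plugin Builder plugin; it assumes it runs inside WordPress, and the option name plugin_builder_demo_settings, the nonce action pbd_save_settings, the page slug pbd-settings and the three fields are all hypothetical.

```php
<?php
/**
 * Added example (not the plugin's code): a minimal admin settings screen that
 * authorizes with current_user_can, verifies a nonce, sanitizes on input and
 * escapes on output for the context each value lands in. Runs inside WordPress.
 */
defined('ABSPATH') || exit;

const PBD_OPTION = 'plugin_builder_demo_settings'; // hypothetical option name
const PBD_NONCE  = 'pbd_save_settings';            // hypothetical nonce action

add_action('admin_menu', function (): void {
    // Registration-time capability: only users with manage_options get the menu entry.
    add_options_page(
        'Plugin Builder Demo', 'Plugin Builder Demo', 'manage_options',
        'pbd-settings', 'pbd_render_settings_page'
    );
});

// admin-post.php is reachable by any logged-in user, so the handler must check
// authorization itself; the menu capability above does not protect it.
add_action('admin_post_pbd_save', 'pbd_handle_save');

function pbd_handle_save(): void
{
    // 1. Authorization. A nonce alone would still let a Subscriber submit this form.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to do that.', 'pbd'), '', ['response' => 403]);
    }
    // 2. Anti-CSRF: nonce tied to this specific action (dies on failure).
    check_admin_referer(PBD_NONCE);

    // 3. Sanitize on input, according to what each field is.
    $settings = [
        'slug'    => sanitize_key($_POST['pbd_slug'] ?? ''),
        'author'  => sanitize_text_field(wp_unslash($_POST['pbd_author'] ?? '')),
        'website' => esc_url_raw(wp_unslash($_POST['pbd_website'] ?? '')),
    ];
    update_option(PBD_OPTION, $settings);

    wp_safe_redirect(add_query_arg(
        ['page' => 'pbd-settings', 'updated' => '1'],
        admin_url('options-general.php')
    ));
    exit;
}

function pbd_render_settings_page(): void
{
    // Defense in depth: the menu capability already applies, but the callback checks too.
    if (!current_user_can('manage_options')) {
        return;
    }
    $s = wp_parse_args((array) get_option(PBD_OPTION, []), ['slug' => '', 'author' => '', 'website' => '']);
    // 4. Escape on output, per context: esc_attr in attributes, esc_html in text,
    //    esc_url in href. Stored values are treated as untrusted even after sanitizing.
    ?>
    <div class="wrap">
      <h1><?php echo esc_html__('Plugin Builder Demo', 'pbd'); ?></h1>
      <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="pbd_save">
        <?php wp_nonce_field(PBD_NONCE); ?>
        <p><label>Slug <input name="pbd_slug" value="<?php echo esc_attr($s['slug']); ?>"></label></p>
        <p><label>Author <input name="pbd_author" value="<?php echo esc_attr($s['author']); ?>"></label></p>
        <p><label>Website <input name="pbd_website" value="<?php echo esc_attr($s['website']); ?>"></label></p>
        <?php if ($s['website'] !== '') : ?>
          <p>Link preview:
            <a href="<?php echo esc_url($s['website']); ?>"><?php echo esc_html($s['website']); ?></a>
          </p>
        <?php endif; ?>
        <?php submit_button(); ?>
      </form>
    </div>
    <?php
}
```

The ordering in pbd_handle_save is deliberate: the capability check comes before the nonce check so that an unauthorized user gets a 403 rather than a nonce error, and sanitization on the way in does not replace escaping on the way out, because the same stored value is rendered into three different HTML contexts.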
Vulnerabilities
None known

Plugin Builder Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Plugin Builder Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 81 (15 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 17
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize    return @unserialize( $data );    cache\util-php\util.php:439
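
To make the finding above concrete, here is an added example (not code from the plugin or from util-php) of what the flagged pattern permits and how the hardened form behaves. The CacheWriter gadget class, the temp-file target and the payload bytes are constructed for the demonstration; PHP 8 is assumed for the mixed return type.

```php
<?php
declare(strict_types=1);

// Constructed gadget for the demonstration. Any real class with a side-effecting
// __destruct, __wakeup or __toString that is loadable at the unserialize call plays
// the same role; the attacker adds no code, they only name an existing class.
final class CacheWriter
{
    public string $path = '';
    public string $contents = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// The pattern the scanner flagged (cache\util-php\util.php:439). Two problems:
// every class named in the payload is instantiated with its magic methods live,
// and the @ hides the E_NOTICE that malformed input would raise.
function unsafe_unserialize(string $data): mixed
{
    return @unserialize($data);
}

// Hardened form (PHP 7.0+): no class may be instantiated. Objects in the payload
// come back as __PHP_Incomplete_Class and none of the named class's methods run.
// Note that false is itself a valid serialized value (b:0;), so a false return
// cannot be taken as "parse failure" without inspecting the input.
function safe_unserialize(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Where the stored value is plain data, JSON removes the problem entirely:
// json_decode cannot instantiate application classes.
function decode_settings(string $json): array
{
    return json_decode($json, true, 16, JSON_THROW_ON_ERROR);
}

// Attacker-style payload, written as raw bytes rather than via serialize() so the
// demo never builds a live CacheWriter itself. Target path is constructed.
$target  = sys_get_temp_dir() . '/poi-demo.txt';
$payload = sprintf(
    'O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:5:"pwned";}',
    strlen($target),
    $target
);

$obj = unsafe_unserialize($payload);
unset($obj);                       // releasing the object runs __destruct
echo 'unsafe: file written? ', var_export(file_exists($target), true), PHP_EOL;
@unlink($target);

$obj = safe_unserialize($payload);
echo 'safe:   object class is ', get_class($obj), PHP_EOL;
unset($obj);                       // incomplete class: no destructor runs
echo 'safe:   file written? ', var_export(file_exists($target), true), PHP_EOL;

var_dump(decode_settings('{"slug":"demo","author":"Chris"}'));
```

Run it with php on the command line. The first half writes the temp file because the gadget's destructor fires when the deserialized object is released; the second half yields an __PHP_Incomplete_Class and writes nothing. Whether the real call at util.php:439 is exploitable depends on where $data comes from, which this page does not record, but allowed_classes => false costs nothing when the value is only ever scalars and arrays.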

Output Escaping

16% escaped (15 of 96 total outputs)
Attack Surface

Plugin Builder Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 17

  action  plugins_loaded           cache\wordpress-plugin-boilerplate\plugin-name\trunk\includes\class-plugin-name.php:140
  action  admin_enqueue_scripts    cache\wordpress-plugin-boilerplate\plugin-name\trunk\includes\class-plugin-name.php:155
  action  admin_enqueue_scripts    cache\wordpress-plugin-boilerplate\plugin-name\trunk\includes\class-plugin-name.php:156
  action  wp_enqueue_scripts       cache\wordpress-plugin-boilerplate\plugin-name\trunk\includes\class-plugin-name.php:171
  action  wp_enqueue_scripts       cache\wordpress-plugin-boilerplate\plugin-name\trunk\includes\class-plugin-name.php:172
  action  admin_init               cache\wp-settings-framework\wp-settings-framework.php:64
  action  admin_notices            cache\wp-settings-framework\wp-settings-framework.php:65
  action  admin_enqueue_scripts    cache\wp-settings-framework\wp-settings-framework.php:66
  action  plugins_loaded           includes\class-plugin-builder.php:175
  action  admin_enqueue_scripts    includes\class-plugin-builder.php:190
  action  admin_enqueue_scripts    includes\class-plugin-builder.php:191
  action  admin_menu               includes\class-plugin-builder.php:192
  action  admin_init               includes\class-plugin-builder.php:193
  action  wp_enqueue_scripts       includes\class-plugin-builder.php:208
  action  wp_enqueue_scripts       includes\class-plugin-builder.php:209
  filter  plugin_builder_includes  includes\include-classes\class-util-php.php:115
  filter  plugin_builder_includes  includes\include-classes\class-wordpress-settings-framework.php:129

Note: the hooks under cache\ are registered in copies of the WordPress Plugin Boilerplate, wp-settings-framework and util-php that the plugin carries in that directory. The Bundled Libraries count of 0 above does not account for these copies, and the flagged unserialize call lives in the same place.
Maintenance & Trust

Plugin Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.7.32
Last updated: Apr 20, 2015
PHP min version: (not declared)
Downloads: 4K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 20
Developer Profile

Plugin Builder Developer Profile

Chris Taylor

11 plugins · 460 total installs

Trust score: 81
Avg Security Score: 81/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Plugin Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/plugin-builder/admin/css/plugin-builder-admin.css
/wp-content/plugins/plugin-builder/admin/js/plugin-builder-admin.js
Script Paths
/wp-content/plugins/plugin-builder/admin/js/plugin-builder-admin.js
Version Parameters
plugin-builder/admin/css/plugin-builder-admin.css?ver=
plugin-builder/admin/js/plugin-builder-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
plugin-builder-admin-css
HTML Comments
<!-- The code that runs during plugin activation. -->
<!-- The code that runs during plugin deactivation. -->
<!-- The core plugin class that is used to define internationalization, dashboard-specific hooks, and public-facing site hooks. -->
<!-- Begins execution of the plugin. -->
(8 more not shown)
Caveat: these strings are docblock comments from the WordPress Plugin Boilerplate's PHP source, not markup the plugin emits into a page. They will not be visible in rendered HTML and only help when the plugin's source files are directly readable.
Data Attributes
data-plugin-builder-settings
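
As an added example of how the asset fingerprints above would be applied, and not tooling from this site, here is a small detector that takes a page's HTML and reports whether the plugin's admin assets are referenced and what ver= value they carry. The sample HTML is constructed to look like what WordPress emits for an enqueued style and script; the hostname example.test and the ver=1.0.0 value are assumptions, not captured from a real site.

```php
<?php
declare(strict_types=1);

// The two asset paths listed in the fingerprint section above.
const PB_ASSET_PATHS = [
    '/wp-content/plugins/plugin-builder/admin/css/plugin-builder-admin.css',
    '/wp-content/plugins/plugin-builder/admin/js/plugin-builder-admin.js',
];

/**
 * Scan raw HTML for the plugin's asset paths inside href/src attributes.
 * Returns detection status, the per-asset ?ver= value (or null when absent),
 * and whether the <link id="plugin-builder-admin-css"> marker is present.
 */
function pb_fingerprint(string $html): array
{
    $hits = [];
    foreach (PB_ASSET_PATHS as $path) {
        // href= or src=, optional quote, any URL prefix, the exact path, then an
        // optional query string from which the ver= parameter is captured.
        $re = '~(?:href|src)=["\']?[^"\'\s>]*' . preg_quote($path, '~')
            . '(?:\?(?:[^"\'\s>&]*&)*ver=([^"\'\s>&]*))?~i';
        if (preg_match($re, $html, $m)) {
            $hits[$path] = $m[1] ?? null;
        }
    }
    // WordPress emits id="{handle}-css" on the <link> it prints for an enqueued
    // style, which is where the "plugin-builder-admin-css" marker comes from.
    $hasLinkId = (bool) preg_match('~\bid=["\']plugin-builder-admin-css["\']~i', $html);

    return [
        'detected' => $hits !== [] || $hasLinkId,
        'assets'   => $hits,
        'link_id'  => $hasLinkId,
    ];
}

// Constructed sample (not captured from a real site) of what wp-admin would print.
$sample = <<<'HTML'
<link rel='stylesheet' id='plugin-builder-admin-css' href='https://example.test/wp-content/plugins/plugin-builder/admin/css/plugin-builder-admin.css?ver=1.0.0' media='all' />
<script src='https://example.test/wp-content/plugins/plugin-builder/admin/js/plugin-builder-admin.js?ver=1.0.0'></script>
HTML;

// A public page that references neither asset, for contrast.
$unrelated = '<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/style.css?ver=6.4">';

print_r(pb_fingerprint($sample));
print_r(pb_fingerprint($unrelated));
```

Two caveats for anyone using these patterns in a crawl. Both listed paths are under admin/ and the plugin registers them on admin_enqueue_scripts, so they are printed inside wp-admin, not on public pages; a crawler that only fetches the front end will not see them. And the ver= value is whatever the plugin passed to wp_enqueue_style or wp_enqueue_script; when a plugin passes nothing WordPress substitutes its own core version, so the parameter is evidence of presence, not a reliable plugin version.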
FAQ

Frequently Asked Questions about Plugin Builder