SKT Blocks – Gutenberg based Page Builder Security & Risk Analysis

The static analysis of skt-blocks v2.6 reveals a generally good security posture with strong adherence to best practices in several areas. The plugin demonstrates excellent SQL sanitation, with 100% of queries using prepared statements, and a high rate of output escaping, with 96% of outputs properly sanitized. Furthermore, the absence of dangerous functions, file operations, external HTTP requests, shortcodes, cron events, and REST API routes significantly limits the potential attack surface. The presence of nonce and capability checks, though limited in count, also suggests an awareness of security mechanisms.

However, a significant concern arises from the plugin's vulnerability history. With a total of 7 known CVEs and one currently unpatched, all of medium severity, and a recent vulnerability in September 2025, this indicates a recurring pattern of exploitable flaws. The common vulnerability type being Cross-site Scripting is particularly worrying as it often arises from improper input handling, which might be an area where the 4% of unsanitized outputs could contribute. While the code analysis itself shows no critical taint flows or unsanitized paths, the historical context suggests that vulnerabilities can and do emerge, even if not immediately apparent in a single static analysis snapshot.

In conclusion, skt-blocks v2.6 exhibits strengths in its code hygiene and secure function usage. Nevertheless, the substantial number of past and unpatched vulnerabilities, particularly the medium-severity XSS issues, presents a notable risk. This history strongly suggests that the plugin has had issues with input validation or output encoding in the past, and the existence of an unpatched vulnerability is a direct and immediate security threat that requires urgent attention.