Does Spice Blocks have any unpatched vulnerabilities?

Yes — Spice Blocks currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Spice Blocks compatible with WordPress 6.9.4?

According to WordPress.org data, Spice Blocks 2.0.7.7 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Spice Blocks compatible with PHP 5.2+?

Spice Blocks requires PHP 5.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Spice Blocks updated?

Spice Blocks was last updated on Feb 9, 2026. Frequent updates are generally a positive security signal.

What is Spice Blocks's security score?

Spice Blocks has a WP-Safety security score of 74/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Spice Blocks Security & Risk Analysis

wordpress.org/plugins/spice-blocks

It is a block plugin that is compatible with all WordPress themes.

1K active installs v2.0.7.7 PHP 5.2+ WP 5.3+ Updated Feb 9, 2026

blockblock-editorfse-blockgutenberggutenberg-block

B · Generally Safe

CVEs total2

Unpatched1

Last CVEJun 4, 2025

Plugin page Download

Safety Verdict

Is Spice Blocks Safe to Use in 2026?

Mostly Safe

Score 74/100

Spice Blocks is generally safe to use. 2 past CVEs were resolved. Keep it updated.

2 known CVEs 1 unpatched Last CVE: Jun 4, 2025Updated 1mo ago

Risk Assessment

The plugin "spice-blocks" v2.0.7.7 exhibits a mixed security posture. While it demonstrates good practices such as using prepared statements for all SQL queries and a high percentage of properly escaped output, significant concerns remain. The static analysis reveals a notable attack surface with one AJAX handler lacking authentication checks. This is a critical oversight that could allow unauthorized users to trigger plugin functionality. Furthermore, the plugin's vulnerability history is concerning, with two known CVEs, one of which is currently unpatched and rated as high severity. The common vulnerability types, "Missing Authorization" and "Improper Limitation of a Pathname to a Restricted Directory," directly align with the identified unsecured AJAX handler, suggesting a recurring pattern of authorization and path-related issues. While the taint analysis shows no critical or high severity flows, the presence of an unprotected AJAX endpoint and the history of past vulnerabilities necessitate caution. The plugin has strengths in its data handling but weaknesses in access control and a history of exploitable flaws.

Key Concerns

Unprotected AJAX handler found
Unpatched High severity CVE
Vulnerability history includes Missing Authorization
Vulnerability history includes Path Traversal

Vulnerabilities

Spice Blocks Security Vulnerabilities

CVEs by Year

2 CVEs in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

High

Medium

2 total CVEs

CVE-2025-48130high · 7.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Spice Blocks <= 2.0.7.4 - Unauthenticated Arbitrary File Download

Jun 4, 2025 Patched in 2.0.7.5 (174d)

CVE-2025-39532medium · 5.3Missing Authorization

Spice Blocks <= 2.0.7.4 - Missing Authorization

Apr 17, 2025Unpatched

Code Analysis

Analyzed Mar 16, 2026

Spice Blocks Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

195 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

jQueryFreemius1.0

Output Escaping

78% escaped251 total outputs

Data Flows

All sanitized

Data Flow Analysis

6 flows

ajax_import_widget_data (admin\widget-settings-import.php:223)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

Spice Blocks Attack Surface

Entry Points4

Unprotected1

AJAX Handlers 4

authwp_ajax_import_widget_dataadmin\widget-settings-import.php:15

authwp_ajax_spice_save_block_togglefree-plugin.php:2

noprivwp_ajax_pva_create01inc\block-import.php:313

authwp_ajax_pva_create01inc\block-import.php:314

WordPress Hooks 22

actionadmin_menuadmin\widget-settings-import.php:14

filterupload_mimesadmin\widget-settings-import.php:309

actioninitadmin\widget-settings-import.php:393

actionadmin_menufree-plugin.php:19

actionadmin_enqueue_scriptsfree-plugin.php:44

actionplugins_loadedfree-plugin.php:62

actionenqueue_block_editor_assetsfree-plugin.php:90

actionenqueue_block_assetsfree-plugin.php:91

actionadmin_enqueue_scriptsfree-plugin.php:92

actioninitfree-plugin.php:93

actioninitfree-plugin.php:94

filterblock_categories_allfree-plugin.php:565

filterblock_categoriesfree-plugin.php:567

filterbody_classfree-plugin.php:571

actionadmin_initfree-plugin.php:630

actionadmin_noticesfree-plugin.php:646

actionadmin_noticesfree-plugin.php:660

actionafter_setup_themefree-plugin.php:671

filterwp_theme_json_data_themefree-plugin.php:688

actionenqueue_block_editor_assetsinc\block-import.php:5

actionadmin_footerinc\block-import.php:309

actionadmin_initinc\block-import.php:399

Maintenance & Trust

Spice Blocks Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 9, 2026

PHP min version5.2

Downloads17K

Community Trust

Rating0/100

Number of ratings0

Active installs1K

Alternatives

Spice Blocks Alternatives

GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor

gutenkit-blocks-addon

GutenKit – Ultimate no-code Gutenberg blocks to design stunning web pages and visually stunning posts in WordPress block editor.

70K 3 CVEs

Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor

ultimate-blocks

Create Better Content With The Block Editor. Custom Blocks for Bloggers and Content Marketers.

50K 14 CVEs

PublishPress Blocks – Block Controls, Block Visibility, Block Permissions

advanced-gutenberg

PublishPress Blocks is your complete solution for the WordPress block editor. You can control block permissions, styles, visibility, usage and more.

20K 3 CVEs

BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library

blockart-blocks

Enhance the power of your WordPress editor with the dynamic Gutenberg blocks by BlockArt Blocks. Build any layout imaginable.

10K 3 CVEs

Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder

the-plus-addons-for-block-editor

90+ Gutenberg Blocks & AI Website Builder with 1000+ Templates. Complete Page Builder, Popup Builder, Mega Menu, Form Builder & More. No Code.

10K 8 CVEs

Developer Profile

Spice Blocks Developer Profile

spicethemes

34 plugins · 63K total installs

trust score

Avg Security Score

97/100

Avg Patch Time

369 days

View full developer profile

Detection Fingerprints

How We Detect Spice Blocks

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/spice-blocks/admin/assets/css/about.css/wp-content/plugins/spice-blocks/assets/all.min.css/wp-content/plugins/spice-blocks/build/free-blocks.bundle.js/wp-content/plugins/spice-blocks/assets/js/jquery.min.js/wp-content/plugins/spice-blocks/assets/css/editor.css/wp-content/plugins/spice-blocks/assets/css/animation.css

Script Paths

/wp-content/plugins/spice-blocks/build/free-blocks.bundle.js

Version Parameters

spice-blocks/style.css?ver=spice-blocks-freespice-blocks-editor-cssspice-blocks-animation

HTML / DOM Fingerprints

CSS Classes

spice-blocks-admin-wrapsb-adv-buttonspice-blocks-editor-wrapperwp-block-spiceblocks

HTML Comments

Data Attributes

data-blockdata-block-headingdata-block-dividerdata-block-spacerdata-block-buttondata-block-icon+15 more

JS Globals

SpiceBlocksData

REST Endpoints

/wp-json/spice-blocks/v1/get-blocks

FAQ