STAX Header Builder Security & Risk Analysis

wordpress.org/plugins/stax

A header builder that works with any theme. Front-end drag&drop interface to create pixel perfect headers with ease.

300 active installs · v1.3.6 · PHP 7.0+ · WP 5.0+ · Updated Feb 23, 2022
Tags: drag-and-drop, frontend-editor, header-builder, header-edit, page-builder
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is STAX Header Builder Safe to Use in 2026?

Generally Safe

Score 85/100

STAX Header Builder has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 4yr ago
Risk Assessment

The 'stax' v1.3.6 plugin exhibits a generally positive security posture with a small attack surface and a decent number of capability checks. The high percentage of properly escaped output and prepared SQL statements is a good indicator of secure coding practices. However, the presence of the 'unserialize' function is a significant concern. While no taint flows were flagged as critical or high severity, 'unserialize' can be a vector for object injection vulnerabilities if it processes untrusted data without proper sanitization or validation, especially when coupled with stored user input. The lack of nonce checks is also a notable weakness, potentially leaving certain functionality vulnerable to CSRF attacks if it were to become an entry point.

Key Concerns

  • Use of unserialize without context
  • Missing nonce checks
  • Bundled library (Freemius) could be outdated
Vulnerabilities
None known

STAX Header Builder Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

STAX Header Builder Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 19 (24 prepared)
Unescaped Output: 6 (17 escaped)
Nonce Checks: 0
Capability Checks: 25
File Operations: 1
External Requests: 2
Bundled Libraries: 1

Dangerous Functions Found

unserialize: $tags = unserialize( $tag ); (core\db\upgrade_db.php:81)

Bundled Libraries

Freemius 1.0

SQL Query Safety

56% prepared · 43 total queries

Output Escaping

74% escaped · 23 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
get_preview_template (core\plugin.php:1129)
Attack Surface

STAX Header Builder Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[stax-menu] core\plugin.php:148
WordPress Hooks 46
action template_redirect core\editor.php:38
action init core\editor.php:39
action wp_head core\editor.php:65
action wp_head core\editor.php:66
action wp_head core\editor.php:67
action wp_footer core\editor.php:69
action wp_footer core\editor.php:70
filter ajax_query_attachments_args core\editor.php:74
action wp_enqueue_scripts core\editor.php:82
action wp_enqueue_scripts core\editor.php:83
action wp_enqueue_scripts core\editor.php:91
action wp_enqueue_scripts core\editor.php:95
action wp_enqueue_scripts core\editor.php:96
action wp_head core\editor.php:100
action wp_enqueue_scripts core\editor.php:101
action wp_enqueue_scripts core\editor.php:117
action wp_enqueue_scripts core\editor.php:118
filter show_admin_bar core\editor.php:132
action kleo_header core\helpers\Compatibility.php:41
action kleo_header core\helpers\Compatibility.php:55
action sweetdate_header core\helpers\Compatibility.php:69
filter get_header_style core\helpers\Compatibility.php:96
action wp_head core\helpers\Compatibility.php:102
action hb_grid_markup core\helpers\Compatibility.php:104
action us_before_header core\helpers\Compatibility.php:117
action us_after_header core\helpers\Compatibility.php:123
filter avf_header_setting_filter core\helpers\Compatibility.php:135
action get_template_part_includes/helper core\helpers\Compatibility.php:144
action avada_header core\helpers\Compatibility.php:163
filter http_request_host_is_external core\helpers\Import.php:372
action wp core\plugin.php:83
action init core\plugin.php:84
filter page_row_actions core\plugin.php:85
filter post_row_actions core\plugin.php:91
filter the_content core\plugin.php:125
action wp_footer core\plugin.php:129
action body_class core\plugin.php:135
action admin_menu core\plugin.php:146
action wp_enqueue_scripts core\plugin.php:150
action wp_head core\plugin.php:154
action wp_head core\plugin.php:155
action wp_head core\plugin.php:157
action wp_before_admin_bar_render core\plugin.php:161
action in_plugin_update_message-stax/index.php core\plugin.php:162
action rest_api_init core\routes.php:26
action after_uninstall index.php:114
Maintenance & Trust

STAX Header Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 5.9.13
Last updated: Feb 23, 2022
PHP min version: 7.0
Downloads: 39K

Community Trust

Rating: 94/100
Number of ratings: 9
Active installs: 300
Developer Profile

STAX Header Builder Developer Profile

StaxWP

5 plugins · 32K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 351 days
Detection Fingerprints

How We Detect STAX Header Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/stax/assets/js/chunk-vendors.js
  • /wp-content/plugins/stax/assets/js/app.js
  • /wp-content/plugins/stax/assets/css/app.css
Script Paths
  • /wp-content/plugins/stax/assets/js/chunk-vendors.js
  • /wp-content/plugins/stax/assets/js/app.js
Version Parameters
  • stax/style.css?ver=
  • stax/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • stax-header-builder
  • stax-editor-wrapper
  • stax-element-wrapper
  • stax-column-wrapper
  • stax-container-wrapper
  • stax-header-zone
  • stax-element-type-header
HTML Comments
  • <!-- STAX: Begin Header Zone -->
  • <!-- STAX: End Header Zone -->
  • <!-- STAX: Begin Element -->
  • <!-- STAX: End Element -->
  • +4 more
Data Attributes
  • data-stax-element-id
  • data-stax-column-id
  • data-stax-container-id
  • data-stax-zone-id
  • data-stax-settings
JS Globals
  • window.StaxBuilder
  • var StaxBuilder
REST Endpoints
  • /wp-json/stax/v1/elements
  • /wp-json/stax/v1/headers
  • /wp-json/stax/v1/columns
  • /wp-json/stax/v1/containers
  • /wp-json/stax/v1/zones
  • /wp-json/stax/v1/settings
Shortcode Output
  • [stax_header id="
  • [stax_element id="
  • [stax_container id="
  • [stax_column id="
FAQ

Frequently Asked Questions about STAX Header Builder