TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder Security & Risk Analysis

wordpress.org/plugins/templatespare

Imagine this... You’re planning your new website. You’re excited at first—but then reality hits. The design takes months. You wait for the developer t …

10K active installs v4.0.1 PHP + WP 4.0+ Updated Feb 24, 2026
Tags: drag-and-drop · editor · elementor · landing-page · page-builder
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Aug 2, 2024
Safety Verdict

Is TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder Safe to Use in 2026?

Generally Safe

Score 99/100

TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Aug 2, 2024 · Updated 1mo ago
Risk Assessment

The "templatespare" plugin v4.0.1 presents a mixed security posture. It follows some good practices: a high percentage of its SQL queries use prepared statements and most output is properly escaped. There are nonetheless significant concerns that warrant attention.

Two entry points are unprotected (an AJAX handler and a REST API route), which creates immediate attack vectors that could be exploited without proper authentication or authorization checks. The plugin also uses the `unserialize` function, a known risk that can lead to Remote Code Execution if not handled with extreme care, especially when processing untrusted input.

The vulnerability history currently shows no unpatched CVEs, but it includes a past medium-severity vulnerability categorized as Missing Authorization, which aligns with the identified unprotected entry points and suggests a recurring pattern of authorization weaknesses. The taint analysis reported no critical or high severity flows, but it did identify flows with unsanitized paths, which, combined with the other identified weaknesses, increase the overall risk profile.

Overall, the security posture is moderately concerning because of the unprotected endpoints and the dangerous function, despite some positive coding practices.

Key Concerns

  • AJAX handler without auth checks
  • REST API route without permission callbacks
  • Use of dangerous function: unserialize
  • Flows with unsanitized paths
  • Bundled Freemius v1.0 library
Vulnerabilities
1

TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder Security Vulnerabilities

CVEs by Year

1 CVE in 2024

Severity Breakdown

Medium: 1

1 total CVE

CVE-2024-6872 · medium · 4.3 · Missing Authorization

Build Your Dream Website Fast with 400+ Starter Templates and Landing Pages, No Coding Needed, One-Click Import for Elementor & Gutenberg Blocks! – TemplateSpare <= 2.4.2 - Missing Authorization to Authenticated (Subscriber+) Theme Update

Aug 2, 2024 Patched in 2.4.3 (1d)
Code Analysis
Analyzed Mar 16, 2026

TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 2 (7 prepared)
Unescaped Output: 11 (94 escaped)
Nonce Checks: 13
Capability Checks: 17
File Operations: 32
External Requests: 5
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $data = unserialize($raw); · includes\companion\class-aftc-customizer-importer.php:55

Bundled Libraries

Freemius 1.0

SQL Query Safety

78% prepared · 9 total queries

Output Escaping

90% escaped · 105 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

7 flows · 4 with unsanitized paths
templatespare_import_zip_Files (includes\site-backup\class-import-zip.php:31)
Attack Surface
2 unprotected

TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder Attack Surface

Entry Points: 17
Unprotected: 2

AJAX Handlers 11

auth · wp_ajax_AFTMLS_import_demo_data · includes\companion\class-aftc-main.php:69
auth · wp_ajax_templatespare_plugin_installer_activation · includes\dashboard\activate_install_plugins.php:6
auth · wp_ajax_templatespare_notice_dismiss · includes\layouts\class-plugin-notice.php:13
auth · wp_ajax_templatespare_exportFiles · includes\site-backup\class-backup-site.php:16
auth · wp_ajax_get_folder_details · includes\site-backup\class-backup-site.php:17
auth · wp_ajax_templatespare_import_zip_Files · includes\site-backup\class-import-zip.php:22
auth · wp_ajax_templatespare_after_import · includes\site-backup\class-import-zip.php:23
auth · wp_ajax_templatespare_get_theme_status · includes\templatespare-kit.php:10
auth · wp_ajax_templatespare_activate_required_theme · includes\templatespare-kit.php:11
nopriv · wp_ajax_templatespare_install_require_plugins · includes\templatespare-kit.php:167
auth · wp_ajax_templatespare_install_require_plugins · includes\templatespare-kit.php:168

REST API Routes 6

GET · /wp-json/templatespare/v1single-demo-content · includes\layouts\layout-endpoints.php:19
GET · /wp-json/templatespare/v1/steps · includes\layouts\layout-endpoints.php:34
POST · /wp-json/templatespare/v1/steps · includes\layouts\layout-endpoints.php:40
POST · /wp-json/templatespare/v1/steps · includes\layouts\layout-endpoints.php:45
POST · /wp-json/templatespare/v1/temp-upload · includes\layouts\layout-endpoints.php:52
POST · /wp-json/templatespare/v1/temp-delete · includes\layouts\layout-endpoints.php:57
WordPress Hooks 28
action · after_setup_theme · includes\companion\class-aftc-main.php:70
action · plugins_loaded · includes\companion\class-aftc-main.php:72
action · templatespare/widget_settings_array · includes\companion\class-aftc-main.php:304
filter · wxr_importer.pre_process.user · includes\companion\class-aftc-main.php:475
filter · wxr_importer.pre_process.post · includes\companion\class-aftc-main.php:478
filter · intermediate_image_sizes_advanced · includes\companion\class-aftc-main.php:482
action · templatespare/after_import · includes\companion\demo-importer.php:71
filter · templatespare_post_content_before_insert · includes\companion\demo-importer.php:73
action · templatespare/after_import_is_not_content · includes\companion\demo-importer.php:93
filter · import_post_meta_key · includes\companion\importer\class-wxr-importer.php:323
filter · http_request_timeout · includes\companion\importer\class-wxr-importer.php:324
filter · wxr_importer.pre_process.post · includes\companion\importer\demo-custom-image.php:23
action · wxr_importer.processed.post · includes\companion\importer\demo-custom-image.php:56
filter · wp_import_post_data_processed · includes\companion\importer\demo-custom-image.php:103
action · admin_menu · includes\init.php:34
action · admin_enqueue_scripts · includes\init.php:35
action · init · includes\init.php:36
action · rest_api_init · includes\init.php:37
action · admin_init · includes\init.php:38
filter · plugin_row_meta · includes\init.php:39
action · admin_notices · includes\layouts\class-plugin-notice.php:12
action · admin_init · includes\site-backup\class-backup-site.php:14
action · admin_enqueue_scripts · includes\site-backup\class-backup-site.php:15
action · templatespare_ajax_before_demo_import · includes\templatespare-kit.php:133
action · templatespare_ajax_before_demo_import · includes\templatespare-kit.php:134
action · templatespare_ajax_before_demo_import · includes\templatespare-kit.php:135
action · init · templatespare.php:64
action · activated_plugin · templatespare.php:75
Maintenance & Trust

TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 24, 2026
PHP min version
Downloads: 452K

Community Trust

Rating: 84/100
Number of ratings: 5
Active installs: 10K
Developer Profile

TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder Developer Profile

Templatespare

1 plugin · 10K total installs

Trust score: 99
Avg Security Score: 99/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/templatespare/assets/css/templatespare-frontend.css
/wp-content/plugins/templatespare/assets/css/templatespare-admin.css
/wp-content/plugins/templatespare/assets/js/templatespare-frontend.js
/wp-content/plugins/templatespare/assets/js/templatespare-admin.js
/wp-content/plugins/templatespare/includes/admin/assets/js/wizard.js
/wp-content/plugins/templatespare/includes/admin/assets/css/wizard.css
Script Paths
/wp-content/plugins/templatespare/assets/js/templatespare-frontend.js
/wp-content/plugins/templatespare/assets/js/templatespare-admin.js
/wp-content/plugins/templatespare/includes/admin/assets/js/wizard.js
Version Parameters
templatespare/assets/css/templatespare-frontend.css?ver=
templatespare/assets/css/templatespare-admin.css?ver=
templatespare/assets/js/templatespare-frontend.js?ver=
templatespare/assets/js/templatespare-admin.js?ver=
templatespare/includes/admin/assets/js/wizard.js?ver=
templatespare/includes/admin/assets/css/wizard.css?ver=

HTML / DOM Fingerprints

CSS Classes
templatespare-pro-link
Data Attributes
data-templatespare-wizard-category
JS Globals
templatespare_admin_object
REST Endpoints
/wp-json/templatespare/v1/get-all-demos
/wp-json/templatespare/v1/get-demo-data
FAQ

Frequently Asked Questions about TemplateSpare – 1000+ WordPress Starter Templates & Full Site Migration Tool | 1-Click Import/Export & No-Code Builder