Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Security & Risk Analysis

wordpress.org/plugins/the-plus-addons-for-block-editor

90+ Gutenberg Blocks & AI Website Builder with 1000+ Templates. Complete Page Builder, Popup Builder, Mega Menu, Form Builder & More. No Code.

10K active installs · v4.7.2 · PHP 5.6+ · WP 4.0+ · Updated Mar 13, 2026
Tags: block-editor, gutenberg-blocks, page-builder, site-builder, wordpress-blocks
Score: 95 (A · Safe)
CVEs total: 8
Unpatched: 0
Last CVE: Jan 26, 2026
Safety Verdict

Is Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Safe to Use in 2026?

Generally Safe

Score 95/100

Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder has a strong security track record. Known vulnerabilities have been patched promptly.

8 known CVEs · Last CVE: Jan 26, 2026 · Updated 21d ago
Risk Assessment

The plugin "the-plus-addons-for-block-editor" v4.7.2 exhibits a mixed security posture. While it demonstrates strong adherence to secure coding practices, such as 100% use of prepared statements for SQL queries and a high percentage of output escaping, there are significant areas of concern related to its attack surface and historical vulnerability patterns. The plugin exposes a substantial number of entry points, with 7 out of 37 (approximately 19%) lacking proper authorization checks. This includes 2 AJAX handlers and 5 REST API routes without permission callbacks, presenting a notable risk of unauthorized access and manipulation.

The static analysis reveals the presence of the `unserialize` function, which can be a vector for deserialization vulnerabilities if not handled with extreme care and sanitization. Although the taint analysis found no critical or high severity unsanitized flows, the mere presence of `unserialize` warrants careful consideration. The plugin's history of 8 medium-severity CVEs, primarily related to information exposure, XSS, and missing authorization, reinforces the existing concerns about unprotected entry points and suggests a recurring pattern of vulnerabilities in these areas. The fact that all previously discovered CVEs are patched is a positive sign, but the volume and types of past issues are still indicators of potential weaknesses.

In conclusion, while the plugin utilizes good practices for data handling (SQL, output escaping), the numerous unprotected entry points and the historical trend of authorization and XSS vulnerabilities create a tangible risk. The presence of `unserialize` further adds to this, despite current taint analysis results. Users should be particularly cautious due to the large attack surface that is not adequately protected by authorization checks. The plugin's recent vulnerability was in 2026, which is in the future, suggesting a potential data entry error. If this date is accurate, it indicates no recent vulnerabilities.

Key Concerns

  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • Dangerous function: unserialize
  • Multiple medium severity CVEs in history
  • History of Missing Authorization vulnerabilities
  • History of XSS vulnerabilities
  • History of Information Exposure vulnerabilities
Vulnerabilities
8

Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Security Vulnerabilities

CVEs by Year

4 CVEs in 2024
3 CVEs in 2025
1 CVE in 2026

Severity Breakdown

Medium: 8

8 total CVEs

CVE-2026-24377 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Nexter Blocks <= 4.6.3 - Authenticated (Subscriber+) Information Exposure

Jan 26, 2026 · Patched in 4.6.4 (8d)

CVE-2025-8567 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nexter Blocks <= 4.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Aug 18, 2025 · Patched in 4.5.5 (1d)

CVE-2025-54739 · medium · 5.3 · Missing Authorization

Nexter Blocks <= 4.5.4 - Missing Authorization

Aug 14, 2025 · Patched in 4.5.5 (5d)

CVE-2024-56294 · medium · 4.3 · Missing Authorization

Nexter Blocks <= 4.0.7 - Missing Authorization

Jan 3, 2025 · Patched in 4.0.8 (6d)

CVE-2024-56246 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nexter Blocks <= 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 30, 2024 · Patched in 4.0.5 (10d)

CVE-2024-50452 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Nexter Blocks <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 24, 2024 · Patched in 4.0.0 (7d)

CVE-2024-33572 · medium · 4.3 · Missing Authorization

The Plus Blocks for Block Editor | Gutenberg <= 3.2.5 - Missing Authorization

Apr 25, 2024 · Patched in 3.2.6 (7d)

CVE-2024-30435 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The Plus Blocks for Block Editor | Gutenberg <= 3.2.5 - Reflected Cross-Site Scripting

Mar 28, 2024 · Patched in 3.2.6 (7d)
Code Analysis
Analyzed Mar 16, 2026

Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 0 (28 prepared)
Unescaped Output: 97 (2232 escaped)
Nonce Checks: 26
Capability Checks: 30
File Operations: 31
External Requests: 28
Bundled Libraries: 1

Dangerous Functions Found

unserialize · `$plugin_info = unserialize( wp_remote_retrieve_body( $response ) );` · includes\plus-settings-options.php:734
unserialize · `$theme_info = unserialize( $response['body'] );` · includes\plus-settings-options.php:828

Bundled Libraries

DataTables

SQL Query Safety

100% prepared · 28 total queries

Output Escaping

96% escaped · 2329 total outputs
Data Flows
All sanitized

Data Flow Analysis

11 flows
tpgb_get_form_rendered (classes\blocks\tp-external-form-styler\index.php:57)
Attack Surface
7 unprotected

Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Attack Surface

Entry Points: 37
Unprotected: 7

AJAX Handlers 31

auth · wp_ajax_tpgb_external_form_ajax · classes\blocks\tp-external-form-styler\index.php:77
auth · wp_ajax_get_html_structure · classes\blocks\tp-hovercard\index.php:164
auth · wp_ajax_tpgb_search · classes\blocks\tp-search-bar\index.php:1029
nopriv · wp_ajax_tpgb_search · classes\blocks\tp-search-bar\index.php:1030
auth · wp_ajax_nxtext_fetch_whats_new · classes\extras\nexter-block-whats-new.php:44
auth · wp_ajax_tpgb_deactive_plugin · classes\extras\tpag-deactive.php:45
auth · wp_ajax_tpgb_skip_deactivate · classes\extras\tpag-deactive.php:46
auth · wp_ajax_nxt_dismiss_plugin_rebranding · classes\tp-admin.php:58
auth · wp_ajax_nexter_dismiss_notice · classes\tp-admin.php:60
auth · wp_ajax_tpgb_cross_cp_import · classes\tp-admin.php:62
auth · wp_ajax_Tp_f_delete_transient · classes\tp-admin.php:67
nopriv · wp_ajax_Tp_f_delete_transient · classes\tp-admin.php:68
auth · wp_ajax_tpgb_get_template_content · classes\tp-block-helper.php:48
nopriv · wp_ajax_tpgb_get_template_content · classes\tp-block-helper.php:49
auth · wp_ajax_nxt_form_action · classes\tp-block-helper.php:52
nopriv · wp_ajax_nxt_form_action · classes\tp-block-helper.php:53
auth · wp_ajax_tpda_purge_current_clear · classes\tp-registered-blocks.php:3160
auth · wp_ajax_tpgb_all_perf_clear_cache · classes\tp-registered-blocks.php:3165
auth · wp_ajax_tpgb_all_dynamic_clear_style · classes\tp-registered-blocks.php:3166
auth · wp_ajax_tpgb_backend_clear_cache · classes\tp-registered-blocks.php:3167
auth · wp_ajax_tpgb_blocks_opts_save · includes\plus-settings-options.php:36
auth · wp_ajax_tpgb_connection_data_save · includes\plus-settings-options.php:37
auth · wp_ajax_tpgb_custom_css_js_save · includes\plus-settings-options.php:38
auth · wp_ajax_tpgb_is_block_used_not · includes\plus-settings-options.php:39
auth · wp_ajax_tpgb_unused_disable_block · includes\plus-settings-options.php:40
auth · wp_ajax_tpgb_performance_opt_cache · includes\plus-settings-options.php:41
auth · wp_ajax_nexter_ext_plugin_install · includes\plus-settings-options.php:47
auth · wp_ajax_nexter_ext_theme_install · includes\plus-settings-options.php:54
auth · wp_ajax_nxt_wdk_widget_ajax_call · includes\plus-settings-options.php:63
auth · wp_ajax_nxt_boarding_store · includes\plus-settings-options.php:69
auth · wp_ajax_nexter_temp_api_call · includes\plus-settings-options.php:80

REST API Routes 6

GET · /wp-json/tpgb/v1/theplus_global_settings/ · classes\tp-core-init-blocks.php:371
GET · /wp-json/tpgb/v1/tpgb_get_content/ · classes\tp-core-init-blocks.php:395
GET · /wp-json/the-plus-addons-for-block-editor/v1/plus_save_block_css/ · classes\tp-core-init-blocks.php:411
GET · /wp-json/tpgb/v1/tpgb_get_taxolist/ · classes\tp-core-init-blocks.php:486
GET · /wp-json/tpgb/v1/tpgb_get_Acf_Field/ · classes\tp-core-init-blocks.php:503
POST · /wp-json/tpgb/v1/nxt_sprout_api · classes\tp-core-init-blocks.php:521
WordPress Hooks 144
Maintenance & Trust

Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 13, 2026
PHP min version: 5.6
Downloads: 389K

Community Trust

Rating: 96/100
Number of ratings: 88
Active installs: 10K
Developer Profile

Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder Developer Profile

POSIMYTH

8 plugins · 460K total installs

Trust score: 85
Avg Security Score: 96/100
Avg Patch Time: 72 days
Detection Fingerprints

How We Detect Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/the-plus-addons-for-block-editor/assets/css/tpgb-style.css
/wp-content/plugins/the-plus-addons-for-block-editor/assets/css/tpgb-editor.css
/wp-content/plugins/the-plus-addons-for-block-editor/assets/js/tpgb-blocks-editor.js
/wp-content/plugins/the-plus-addons-for-block-editor/assets/js/tpgb-blocks.js
Script Paths
/wp-content/plugins/the-plus-addons-for-block-editor/assets/js/tpgb-blocks-editor.js
/wp-content/plugins/the-plus-addons-for-block-editor/assets/js/tpgb-blocks.js
Version Parameters
the-plus-addons-for-block-editor/assets/css/tpgb-style.css?ver=
the-plus-addons-for-block-editor/assets/css/tpgb-editor.css?ver=
the-plus-addons-for-block-editor/assets/js/tpgb-blocks-editor.js?ver=
the-plus-addons-for-block-editor/assets/js/tpgb-blocks.js?ver=

HTML / DOM Fingerprints

CSS Classes
tpgb-editor-row, tpgb-container, tpgb-block, tpgb-block-wrapper, tpgb-advanced-heading
HTML Comments
<!-- Nexter Blocks Plugin Update Message -->
<!-- Nexter Blocks check minimum PHP version. -->
<!-- Nexter Blocks check minimum WordPress version. -->
<!-- Nexter Blocks Pro check minimum version 4.0.0. -->
Data Attributes
data-tpgb-settings
JS Globals
tp_global
FAQ

Frequently Asked Questions about Nexter Blocks – Gutenberg Blocks, Page Builder & AI Website Builder