Themesflat Addons For Elementor Security & Risk Analysis

wordpress.org/plugins/themesflat-addons-for-elementor

Themesflat Addons For Elementor is a plugin you install after Elementor. The Themesflat addon focuses on support for authors building Template Kits.

50K active installs · v2.3.3 · PHP 5.2+ · WP 4.9+ · Updated Mar 13, 2026
Tags: addons, elementor, elementor-addon, themesflat, widget
Score: 91 · A · Safe
CVEs total: 12
Unpatched: 0
Last CVE: Apr 18, 2025
Safety Verdict

Is Themesflat Addons For Elementor Safe to Use in 2026?

Generally Safe

Score 91/100

Themesflat Addons For Elementor has a strong security track record. Known vulnerabilities have been patched promptly.

12 known CVEs · Last CVE: Apr 18, 2025 · Updated 21d ago
Risk Assessment

The "themesflat-addons-for-elementor" v2.3.3 plugin exhibits a mixed security posture. While it demonstrates some good practices like using prepared statements for all SQL queries and implementing nonce and capability checks on its AJAX handlers, significant concerns remain. The presence of two AJAX handlers without authentication checks presents a direct attack surface, potentially allowing unauthorized users to trigger plugin functionality. Furthermore, the taint analysis reveals two high-severity flows with unsanitized paths, indicating potential vulnerabilities that could be exploited if these paths are accessible to attackers.

The plugin's history of 12 known CVEs, including a past critical deserialization vulnerability, is a major red flag. This pattern suggests a history of security weaknesses, and while there are currently no unpatched CVEs for this specific version, the historical context indicates a predisposition to vulnerabilities.

In conclusion, while the use of prepared statements and some auth checks are positive, the unprotected AJAX endpoints, high-severity taint flows, and a history of critical vulnerabilities necessitate caution. The potential for deserialization and cross-site scripting vulnerabilities, as indicated by past CVEs, remains a concern.

Key Concerns

  • 2 AJAX handlers without auth checks
  • 2 high severity taint flows with unsanitized paths
  • Past critical CVEs in vulnerability history
  • 12 total known CVEs in history
  • Use of dangerous function: unserialize
  • Bundled library: Select2 (potential for outdated versions)
Vulnerabilities
12

Themesflat Addons For Elementor Security Vulnerabilities

CVEs by Year

  • 2023: 1 CVE
  • 2024: 8 CVEs
  • 2025: 3 CVEs

Severity Breakdown

  • Critical: 1
  • Medium: 11

12 total CVEs

CVE-2025-3275 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themesflat Addons For Elementor <= 2.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 18, 2025 Patched in 2.2.6 (1d)

CVE-2025-31567 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themesflat Addons For Elementor <= 2.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 31, 2025 Patched in 2.3.2 (264d)

CVE-2024-12205 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themesflat Addons For Elementor <= 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 7, 2025 Patched in 2.2.5 (1d)

CVE-2024-53796 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themesflat Addons For Elementor <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 2, 2024 Patched in 2.2.3 (10d)

CVE-2024-49310 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themesflat Addons For Elementor <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Oct 15, 2024 Patched in 2.2.2 (7d)

CVE-2024-8515 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themesflat Addons For Elementor <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 24, 2024 Patched in 2.2.2 (28d)

CVE-2024-8516 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Themesflat Addons For Elementor <= 2.2.1 - Authenticated (Contributor+) Information Exposure

Sep 24, 2024 Patched in 2.2.2 (28d)

CVE-2024-2922 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Tags

Jun 5, 2024 Patched in 2.1.3 (26d)

CVE-2024-4458 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via URLs

Jun 5, 2024 Patched in 2.1.3 (26d)

CVE-2024-4212 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting in Multiple Widgets

Jun 5, 2024 Patched in 2.1.3 (253d)

CVE-2024-4459 · medium · 6.4 · Improper Neutralization of Alternate XSS Syntax

Themesflat Addons For Elementor <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Widget Titles

Jun 5, 2024 Patched in 2.1.3 (26d)

CVE-2023-37390 · critical · 9.8 · Deserialization of Untrusted Data

Themesflat Addons For Elementor <= 2.0.0 - Unauthenticated PHP Object Injection

Aug 7, 2023 Patched in 2.0.1 (169d)

Code Analysis
Analyzed Mar 16, 2026

Themesflat Addons For Elementor Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (4 prepared)
  • Unescaped Output: 319 (993 escaped)
  • Nonce Checks: 3
  • Capability Checks: 3
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 1

Dangerous Functions Found

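unserialize (tf-function.php:362):

    $settings = unserialize(base64_decode($_POST['settings']), ['allowed_classes' => false]);

The call passes allowed_classes => false, so on PHP 7.0+ unserialize() will not instantiate objects from the payload; the input is still read directly from $_POST.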

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

76% escaped · 1312 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
tf_product_render (tf-function.php:361)
Attack Surface
2 unprotected

Themesflat Addons For Elementor Attack Surface

Entry Points: 3
Unprotected: 2

AJAX Handlers 3

  • auth · wp_ajax_yith_wcwl_update_wishlist_count · tf-function.php:296
  • nopriv · wp_ajax_yith_wcwl_update_wishlist_count · tf-function.php:297
  • auth · wp_ajax_tfhf_get_posts_by_query · themesflat-addons-for-elementor.php:58

WordPress Hooks 38
  • action · save_post · post-format\options.php:45
  • filter · woocommerce_add_to_cart_fragments · tf-function.php:39
  • filter · woocommerce_product_data_tabs · tf-function.php:73
  • action · woocommerce_product_data_panels · tf-function.php:90
  • action · woocommerce_process_product_meta · tf-function.php:112
  • action · wp_enqueue_scripts · tf-function.php:315
  • action · admin_menu · tf-plugin-option.php:246
  • action · admin_init · tf-plugin-option.php:247
  • action · admin_enqueue_scripts · tf-plugin-option.php:248
  • action · admin_menu · tf-plugin-setup.php:247
  • action · after_setup_theme · tf-post-format.php:13
  • action · admin_init · tf-post-format.php:14
  • action · admin_enqueue_scripts · tf-post-format.php:15
  • action · wp_enqueue_scripts · tf-post-format.php:16
  • action · elementor/frontend/after_register_scripts · tf-post-format.php:17
  • action · init · themesflat-addons-for-elementor.php:46
  • action · plugins_loaded · themesflat-addons-for-elementor.php:47
  • action · elementor/frontend/after_register_styles · themesflat-addons-for-elementor.php:53
  • action · elementor/frontend/after_register_scripts · themesflat-addons-for-elementor.php:54
  • action · admin_enqueue_scripts · themesflat-addons-for-elementor.php:56
  • action · admin_action_edit · themesflat-addons-for-elementor.php:57
  • action · admin_notices · themesflat-addons-for-elementor.php:70
  • action · admin_notices · themesflat-addons-for-elementor.php:76
  • action · admin_notices · themesflat-addons-for-elementor.php:82
  • action · before_woocommerce_init · themesflat-addons-for-elementor.php:95
  • action · elementor/widgets/register · themesflat-addons-for-elementor.php:115
  • action · elementor/controls/controls_registered · themesflat-addons-for-elementor.php:116
  • action · elementor/elements/categories_registered · themesflat-addons-for-elementor.php:118
  • action · init · themesflat-addons-for-elementor.php:144
  • action · add_meta_boxes · themesflat-addons-for-elementor.php:145
  • action · save_post · themesflat-addons-for-elementor.php:146
  • filter · single_template · themesflat-addons-for-elementor.php:147
  • action · wp · themesflat-addons-for-elementor.php:148
  • action · get_header · themesflat-addons-for-elementor.php:960
  • action · tf_header · themesflat-addons-for-elementor.php:961
  • action · get_footer · themesflat-addons-for-elementor.php:965
  • action · tf_footer · themesflat-addons-for-elementor.php:966
  • filter · posts_search · themesflat-addons-for-elementor.php:1485
Maintenance & Trust

Themesflat Addons For Elementor Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 13, 2026
  • PHP min version: 5.2
  • Downloads: 683K

Community Trust

  • Rating: 40/100
  • Number of ratings: 9
  • Active installs: 50K
Developer Profile

Themesflat Addons For Elementor Developer Profile

Themesflat

2 plugins · 50K total installs

  • Trust score: 80
  • Avg Security Score: 88/100
  • Avg Patch Time: 70 days
Detection Fingerprints

How We Detect Themesflat Addons For Elementor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/themesflat-addons-for-elementor/assets/css/style.css
  • /wp-content/plugins/themesflat-addons-for-elementor/assets/js/main.js
Script Paths
  • /wp-content/plugins/themesflat-addons-for-elementor/assets/js/main.js
Version Parameters
  • themesflat-addons-for-elementor/assets/css/style.css?ver=
  • themesflat-addons-for-elementor/assets/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • tf-single-post-grid
  • tf-testimonial-slider
  • themesflat-addons-for-elementor
HTML Comments
  • <!DOCTYPE html>
  • <!-- Elementor Library -->
  • <!-- Elementor Scripts -->
  • <!-- Elementor Styles -->
Data Attributes
  • data-tf-plugin-version
  • data-tf-nonce
JS Globals
  • themesflat_addon_ajax_obj
REST Endpoints
  • /wp-json/themesflat-addons-for-elementor/v1/get-posts
Shortcode Output
  • [themesflat_addons_image_box]
  • [themesflat_addons_testimonial]
  • [themesflat_addons_post_grid]