Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor Security & Risk Analysis

wordpress.org/plugins/ultimate-blocks

Create Better Content With The Block Editor. Custom Blocks for Bloggers and Content Marketers.

50K active installs · v3.5.4 · PHP 7.2+ · WP 5.8+ · Updated Mar 12, 2026
Tags: block-editor, blocks, free, gutenberg, gutenberg-blocks
Score: 96 · A · Safe
CVEs total: 14
Unpatched: 0
Last CVE: Jun 16, 2025
Safety Verdict

Is Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor Safe to Use in 2026?

Generally Safe

Score 96/100

Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

14 known CVEs · Last CVE: Jun 16, 2025 · Updated 2mo ago
Risk Assessment

The 'ultimate-blocks' plugin, version 3.5.4, exhibits a mixed security posture. On the positive side, it demonstrates strong practices regarding SQL queries, output escaping, and the absence of external HTTP requests. The plugin also utilizes nonce and capability checks in several instances, suggesting an awareness of WordPress security best practices. However, a significant concern arises from the identified attack surface, with 3 AJAX handlers, all of which lack authentication checks. This represents a direct entry point for potential malicious activity. The complete absence of taint analysis results is noted, making it difficult to assess risks related to data sanitization and flow.

The plugin's vulnerability history is a significant red flag. With a total of 14 known CVEs, all categorized as medium severity and predominantly related to Cross-Site Scripting (XSS), this indicates a recurring pattern of input validation or output escaping issues. While there are currently no unpatched vulnerabilities, the sheer volume of past medium-severity XSS flaws suggests a persistent underlying weakness that has required numerous fixes over time. The most recent vulnerability being dated in 2025 is also unusual and warrants further investigation or clarification.

In conclusion, while 'ultimate-blocks' has strengths in areas like SQL sanitization and output escaping, the presence of unprotected AJAX handlers and a substantial history of medium-severity XSS vulnerabilities present a notable risk. The lack of taint analysis further obscures potential vulnerabilities. Users should exercise caution, ensure the plugin is always updated to the latest available version, and monitor for any new security advisories.

Key Concerns

  • 3 AJAX handlers without auth checks
  • 14 total known CVEs (medium severity XSS)
Vulnerabilities
14 published

Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor Security Vulnerabilities

CVEs by Year

  • 2024: 7 CVEs
  • 2025: 7 CVEs

Severity Breakdown

Medium: 14

14 total CVEs

CVE-2025-49929 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks <= 3.3.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 16, 2025 · Patched in 3.3.7 (136d)

CVE-2025-2918 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks – WordPress Blocks Plugin <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

Jun 9, 2025 · Patched in 3.3.4 (1d)

CVE-2025-48234 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks <= 3.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 19, 2025 · Patched in 3.3.1 (11d)

CVE-2025-47493 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks <= 3.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

May 7, 2025 · Patched in 3.3.0 (7d)

CVE-2025-31077 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 28, 2025 · Patched in 3.2.8 (6d)

CVE-2025-1703 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via content Parameter

Mar 25, 2025 · Patched in 3.2.8 (1d)

CVE-2025-1312 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks – WordPress Blocks Plugin <= 3.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 25, 2025 · Patched in 3.2.8 (1d)

CVE-2024-10678 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks <= 3.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting

Nov 22, 2024 · Patched in 3.2.4 (32d)

CVE-2024-8536 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks <= 3.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 9, 2024 · Patched in 3.2.2 (25d)

CVE-2024-4268 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks – WordPress Blocks Plugin <= 3.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Blocks

Jul 1, 2024 · Patched in 3.2.0 (8d)

CVE-2024-3513 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks – WordPress Blocks Plugin <= 3.1.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via title tag attribute

Jul 1, 2024 · Patched in 3.2.0 (35d)

CVE-2024-4655 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks – WordPress Blocks Plugin <= 3.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 20, 2024 · Patched in 3.1.9 (12d)

CVE-2023-6692 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks – WordPress Blocks Plugin <= 3.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via metabox

Jun 18, 2024 · Patched in 3.1.1 (42d)

CVE-2024-3241 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Blocks <= 3.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading

Apr 23, 2024 · Patched in 3.1.7 (14d)
Version History

Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor Release Timeline

v3.5.4 · Current
v3.5.3
v3.5.2
v3.5.1
v3.5.0
v3.4.9
v3.4.8
v3.4.7
v3.4.6
v3.4.5
v3.4.4
v3.4.3
v3.4.2
v3.4.1
v3.4.0
v3.3.9
v3.3.8
v3.3.7
v3.3.6 · 1 CVE
v3.3.5 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (3 prepared)
Unescaped Output: 7 (533 escaped)
Nonce Checks: 4
Capability Checks: 5
File Operations: 26
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

100% prepared · 3 total queries

Output Escaping

99% escaped · 540 total outputs
Attack Surface
3 unprotected

Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor Attack Surface

Entry Points: 3
Unprotected: 3

AJAX Handlers: 3

auth · wp_ajax_toggle_block_status · includes\class-ultimate-blocks.php:186
auth · wp_ajax_toggle_extension_status · includes\class-ultimate-blocks.php:187
auth · wp_ajax_UltimateBlocksReviewNoticeHide · includes\class-ultimate-blocks.php:194

WordPress Hooks: 94

filter · ub/filter/admin_settings_menu_data · admin\class-ultimate-blocks-admin.php:90
action · admin_notices · includes\Admin_Notices_Manager.php:36
filter · block_categories · includes\class-ultimate-blocks-category.php:43
filter · block_categories_all · includes\class-ultimate-blocks-category.php:45
action · plugins_loaded · includes\class-ultimate-blocks.php:158
action · admin_enqueue_scripts · includes\class-ultimate-blocks.php:174
action · admin_enqueue_scripts · includes\class-ultimate-blocks.php:175
action · admin_init · includes\class-ultimate-blocks.php:176
action · admin_enqueue_scripts · includes\class-ultimate-blocks.php:179
action · admin_enqueue_scripts · includes\class-ultimate-blocks.php:180
action · admin_menu · includes\class-ultimate-blocks.php:182
action · admin_menu · includes\class-ultimate-blocks.php:183
action · admin_head · includes\class-ultimate-blocks.php:190
action · admin_notices · includes\class-ultimate-blocks.php:193
action · init · includes\class-ultimate-blocks.php:207
action · wp_enqueue_scripts · includes\class-ultimate-blocks.php:227
action · wp_enqueue_scripts · includes\class-ultimate-blocks.php:228
filter · upgrader_package_options · includes\common\base\Version_Sync_Base.php:162
filter · register_block_type_args · includes\Editor_Data_Manager.php:52
filter · render_block_data · includes\managers\Render_Assistant.php:31
filter · filesystem_method · includes\managers\Ub_Fs_Handler.php:21
action · admin_enqueue_scripts · includes\pro_manager\Pro_Manager.php:71
filter · ub/filter/admin_settings_menu_data · includes\pro_manager\Pro_Manager.php:74
action · rest_api_init · includes\Saved_Styles_Manager.php:49
action · admin_init · includes\Saved_Styles_Manager.php:53
action · init · includes\Saved_Styles_Manager.php:54
filter · ultimate-blocks/filter/savedStylesFrontendData · includes\Static_Styles_Manager.php:55
action · rest_api_init · includes\Static_Styles_Manager.php:56
filter · ultimate-blocks/filter/savedStylesFrontendData · includes\Static_Styles_Manager.php:59
filter · ub/filter/admin_settings_menu_data · includes\Ultimate_Blocks_Version_Control.php:36
filter · upgrader_package_options · includes\Ultimate_Blocks_Version_Control.php:82
filter · upgrader_pre_download · includes\Version_Sync_Manager.php:53
action · init · src\blocks\advanced-heading\block.php:68
action · wp_enqueue_scripts · src\blocks\advanced-video\block.php:128
action · init · src\blocks\advanced-video\block.php:130
action · init · src\blocks\button\block.php:470
action · wp_enqueue_scripts · src\blocks\button\block.php:472
action · init · src\blocks\call-to-action\block.php:104
action · init · src\blocks\click-to-tweet\block.php:78
action · wp_enqueue_scripts · src\blocks\content-filter\block.php:174
action · init · src\blocks\content-filter\block.php:175
action · init · src\blocks\content-filter\block.php:176
action · wp_footer · src\blocks\content-toggle\block.php:31
action · init · src\blocks\content-toggle\block.php:180
action · init · src\blocks\content-toggle\block.php:182
action · wp_enqueue_scripts · src\blocks\content-toggle\block.php:184
filter · render_block · src\blocks\content-toggle\block.php:186
filter · render_block_context · src\blocks\content-toggle\block.php:443
action · init · src\blocks\countdown\block.php:203
action · wp_enqueue_scripts · src\blocks\countdown\block.php:215
action · init · src\blocks\counter\block.php:12
action · init · src\blocks\divider\block.php:93
action · init · src\blocks\expand\block.php:158
action · init · src\blocks\expand\block.php:159
action · wp_enqueue_scripts · src\blocks\expand\block.php:160
action · init · src\blocks\feature-box\block.php:72
action · init · src\blocks\how-to\block.php:358
action · init · src\blocks\icon\block.php:35
action · init · src\blocks\icon-inner\block.php:22
action · init · src\blocks\image\block.php:14
action · init · src\blocks\image-slider\block.php:175
action · wp_enqueue_scripts · src\blocks\image-slider\block.php:176
action · init · src\blocks\notification-box\block.php:22
action · init · src\blocks\number-box\block.php:52
action · init · src\blocks\post-grid\block.php:409
action · rest_api_init · src\blocks\post-grid\block.php:438
action · init · src\blocks\progress-bar\block.php:284
action · wp_enqueue_scripts · src\blocks\progress-bar\block.php:285
action · init · src\blocks\review\block.php:339
action · init · src\blocks\social-share\block.php:381
action · init · src\blocks\star-rating\block.php:90
action · init · src\blocks\styled-box\block.php:16
action · init · src\blocks\styled-box\block.php:89
action · init · src\blocks\styled-box\block.php:226
action · init · src\blocks\styled-list\block.php:476
action · init · src\blocks\styled-list\block.php:477
action · wp_enqueue_scripts · src\blocks\tabbed-content\block.php:203
action · init · src\blocks\tabbed-content\block.php:204
action · init · src\blocks\tabbed-content\block.php:205
action · init · src\blocks\table-of-contents\block.php:304
action · wp_enqueue_scripts · src\blocks\table-of-contents\block.php:305
action · init · src\blocks\testimonial\block.php:79
filter · render_block · src\extensions\custom-css\class-custom-css.php:9
action · wp_head · src\extensions\custom-css\class-custom-css.php:12
action · wp_footer · src\extensions\custom-css\class-custom-css.php:20
action · wp_enqueue_scripts · src\extensions\extension-manager.php:7
filter · render_block · src\extensions\responsive-control\class-responsive-control.php:8
action · init · src\init.php:100
action · enqueue_block_assets · src\init.php:194
action · enqueue_block_editor_assets · src\init.php:249
action · enqueue_block_editor_assets · src\init.php:252
action · init · src\init.php:263
filter · rank_math/researches/toc_plugins · src\init.php:269
action · plugins_loaded · ultimate-blocks.php:106
Maintenance & Trust

Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.2
Downloads: 2.4M

Community Trust

Rating: 98/100
Number of ratings: 723
Active installs: 50K
Developer Profile

Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor Developer Profile

Ultimate Blocks

1 plugin · 50K total installs

Trust score: 91
Avg Security Score: 96/100
Avg Patch Time: 24 days
Detection Fingerprints

How We Detect Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/ultimate-blocks/bundle-dist/ub-admin-settings.css
  • /wp-content/plugins/ultimate-blocks/dist/blocks.build.js
  • /wp-content/plugins/ultimate-blocks/dist/css/blocks.style.build.css
  • /wp-content/plugins/ultimate-blocks/dist/css/blocks.editor.build.css

Version Parameters

  • ultimate-blocks/bundle-dist/ub-admin-settings.css?ver=
  • ultimate-blocks/dist/blocks.build.js?ver=
  • ultimate-blocks/dist/css/blocks.style.build.css?ver=
  • ultimate-blocks/dist/css/blocks.editor.build.css?ver=

HTML / DOM Fingerprints

CSS Classes

  • ub-block-container
  • ub-main-block-wrapper
  • ub_column
  • ub-accordion-wrapper
  • ub-content-toggle-wrapper
  • ub_tabs_item_header
  • ub_tabs_content_wrap
  • ub_tabs_main_wrap

HTML Comments

  • <!-- wp:ultimate-blocks/accordions -->
  • <!-- wp:ultimate-blocks/content-toggle -->
  • <!-- wp:ultimate-blocks/tabs -->

Data Attributes

  • data-block-type="ultimate-blocks/accordions"
  • data-block-type="ultimate-blocks/content-toggle"
  • data-block-type="ultimate-blocks/tabs"

JS Globals

  • ultimate_blocks_blocks_config
  • ultimate_blocks_editor_config
  • ub_admin_assets

Shortcode Output

  • [ultimate-blocks-
  • ultimate-blocks-accordions
  • ultimate-blocks-content-toggle
  • ultimate-blocks-tabs
FAQ

Frequently Asked Questions about Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor