Gutenberg Blocks – Unlimited blocks For Gutenberg Security & Risk Analysis

wordpress.org/plugins/unlimited-blocks

Unlimited Blocks: WordPress Gutenberg Blocks is the editor blocks that are used to create content layouts that you can insert onto anywhere on your Wo …

1K active installs · v1.2.8 · PHP 5.6+ · WP + · Updated Jan 2, 2025
blocks · gutenberg · gutenberg-blocks
Score: 48
D · High Risk
CVEs total: 2
Unpatched: 2
Last CVE: Mar 18, 2026
Safety Verdict

Is Gutenberg Blocks – Unlimited blocks For Gutenberg Safe to Use in 2026?

High Risk

Score 48/100

Gutenberg Blocks – Unlimited blocks For Gutenberg carries significant security risk with 2 known CVEs, 2 still unpatched. Consider switching to a maintained alternative.

2 known CVEs · 2 unpatched · Last CVE: Mar 18, 2026 · Updated 1yr ago
Risk Assessment

The unlimited-blocks plugin v1.2.8 exhibits a concerning security posture primarily due to a significant number of unprotected entry points. All 28 AJAX handlers and 4 REST API routes lack authentication checks, exposing a large attack surface to potential unauthorized access and manipulation. While the static analysis highlights excellent practices in preventing SQL injection and ensuring proper output escaping, the complete absence of nonce and capability checks on these numerous entry points creates a critical vulnerability. The vulnerability history, with one unpatched medium severity Cross-Site Scripting (XSS) vulnerability from September 16, 2024, further underscores the risk of input sanitization issues and the potential for attackers to leverage the unprotected entry points to execute malicious scripts. This pattern suggests a recurring weakness in securing user-submitted data. Despite the strong foundation in secure coding for SQL and output, the lack of fundamental access control on its entry points is a major concern, indicating a high risk of exploitation.

Key Concerns

  • All AJAX handlers lack auth checks
  • All REST API routes lack permission callbacks
  • No nonce checks on AJAX handlers
  • No capability checks on AJAX handlers
  • Unpatched medium severity CVE
Vulnerabilities
2 published

Gutenberg Blocks – Unlimited blocks For Gutenberg Security Vulnerabilities

CVEs by Year

2024: 1 CVE · unpatched
2026: 1 CVE · unpatched

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2026-25438 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gutenberg Blocks – Unlimited blocks For Gutenberg <= 1.2.8 - Reflected Cross-Site Scripting

Mar 18, 2026 · Unpatched

CVE-2024-44049 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Gutenberg Blocks – Unlimited blocks For Gutenberg <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 16, 2024 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Gutenberg Blocks – Unlimited blocks For Gutenberg Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 0 (330 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

100% escaped · 330 total outputs
Attack Surface
32 unprotected

Gutenberg Blocks – Unlimited blocks For Gutenberg Attack Surface

Entry Points: 32
Unprotected: 32

AJAX Handlers: 28

auth · wp_ajax_unlimited_section_post_category_layout_block · inc\ajax-fn\ubl-post-category-layout\ubl-post-category-layout.php:25
nopriv · wp_ajax_unlimited_section_post_category_layout_block · inc\ajax-fn\ubl-post-category-layout\ubl-post-category-layout.php:26
auth · wp_ajax_unlimited_section_post_category_layout_choose_category · inc\ajax-fn\ubl-post-category-layout\ubl-post-category-layout.php:47
nopriv · wp_ajax_unlimited_section_post_category_layout_choose_category · inc\ajax-fn\ubl-post-category-layout\ubl-post-category-layout.php:48
auth · wp_ajax_unlimited_section_post_image_five_post · inc\ajax-fn\ubl-post-image-layout-five\ubl-post-image-layout-five.php:26
nopriv · wp_ajax_unlimited_section_post_image_five_post · inc\ajax-fn\ubl-post-image-layout-five\ubl-post-image-layout-five.php:27
auth · wp_ajax_unlimited_section_post_image_four_post · inc\ajax-fn\ubl-post-image-layout-four\ubl-post-image-layout-four.php:26
nopriv · wp_ajax_unlimited_section_post_image_four_post · inc\ajax-fn\ubl-post-image-layout-four\ubl-post-image-layout-four.php:27
auth · wp_ajax_unlimited_section_post_image_three_post · inc\ajax-fn\ubl-post-image-layout-three\ubl-post-image-layout-three.php:26
nopriv · wp_ajax_unlimited_section_post_image_three_post · inc\ajax-fn\ubl-post-image-layout-three\ubl-post-image-layout-three.php:27
auth · wp_ajax_unlimited_section_post_layout_grid · inc\ajax-fn\ubl-post-layout-grid\ubl-post-layout-grid.php:29
nopriv · wp_ajax_unlimited_section_post_layout_grid · inc\ajax-fn\ubl-post-layout-grid\ubl-post-layout-grid.php:30
auth · wp_ajax_unlimited_section_post_layout_list · inc\ajax-fn\ubl-post-layout-list\ubl-post-layout-list.php:29
nopriv · wp_ajax_unlimited_section_post_layout_list · inc\ajax-fn\ubl-post-layout-list\ubl-post-layout-list.php:30
auth · wp_ajax_unlimited_section_post_category_layout_block · trunk\inc\ajax-fn\ubl-post-category-layout\ubl-post-category-layout.php:25
nopriv · wp_ajax_unlimited_section_post_category_layout_block · trunk\inc\ajax-fn\ubl-post-category-layout\ubl-post-category-layout.php:26
auth · wp_ajax_unlimited_section_post_category_layout_choose_category · trunk\inc\ajax-fn\ubl-post-category-layout\ubl-post-category-layout.php:47
nopriv · wp_ajax_unlimited_section_post_category_layout_choose_category · trunk\inc\ajax-fn\ubl-post-category-layout\ubl-post-category-layout.php:48
auth · wp_ajax_unlimited_section_post_image_five_post · trunk\inc\ajax-fn\ubl-post-image-layout-five\ubl-post-image-layout-five.php:26
nopriv · wp_ajax_unlimited_section_post_image_five_post · trunk\inc\ajax-fn\ubl-post-image-layout-five\ubl-post-image-layout-five.php:27
auth · wp_ajax_unlimited_section_post_image_four_post · trunk\inc\ajax-fn\ubl-post-image-layout-four\ubl-post-image-layout-four.php:26
nopriv · wp_ajax_unlimited_section_post_image_four_post · trunk\inc\ajax-fn\ubl-post-image-layout-four\ubl-post-image-layout-four.php:27
auth · wp_ajax_unlimited_section_post_image_three_post · trunk\inc\ajax-fn\ubl-post-image-layout-three\ubl-post-image-layout-three.php:26
nopriv · wp_ajax_unlimited_section_post_image_three_post · trunk\inc\ajax-fn\ubl-post-image-layout-three\ubl-post-image-layout-three.php:27
auth · wp_ajax_unlimited_section_post_layout_grid · trunk\inc\ajax-fn\ubl-post-layout-grid\ubl-post-layout-grid.php:29
nopriv · wp_ajax_unlimited_section_post_layout_grid · trunk\inc\ajax-fn\ubl-post-layout-grid\ubl-post-layout-grid.php:30
auth · wp_ajax_unlimited_section_post_layout_list · trunk\inc\ajax-fn\ubl-post-layout-list\ubl-post-layout-list.php:29
nopriv · wp_ajax_unlimited_section_post_layout_list · trunk\inc\ajax-fn\ubl-post-layout-list\ubl-post-layout-list.php:30

REST API Routes: 4

GET · /wp-json/unlimited-blocks-post-api/v3posts · inc\ajax-fn\post-api\post-api.php:8
GET · /wp-json/unlimited-blocks-product-api/v3product · inc\ajax-fn\post-api\post-api.php:14
GET · /wp-json/unlimited-blocks-post-api/v3posts · trunk\inc\ajax-fn\post-api\post-api.php:8
GET · /wp-json/unlimited-blocks-product-api/v3product · trunk\inc\ajax-fn\post-api\post-api.php:14

WordPress Hooks: 14

action · rest_api_init · inc\ajax-fn\post-api\post-api.php:5
filter · block_categories_all · inc\fn.php:18
action · rest_api_init · trunk\inc\ajax-fn\post-api\post-api.php:5
filter · block_categories_all · trunk\inc\fn.php:18
action · init · trunk\unlimited-blocks.php:88
action · admin_enqueue_scripts · trunk\unlimited-blocks.php:121
action · wp_enqueue_scripts · trunk\unlimited-blocks.php:123
action · wp_enqueue_scripts · trunk\unlimited-blocks.php:124
action · plugins_loaded · trunk\unlimited-blocks.php:132
action · init · unlimited-blocks.php:88
action · admin_enqueue_scripts · unlimited-blocks.php:121
action · wp_enqueue_scripts · unlimited-blocks.php:123
action · wp_enqueue_scripts · unlimited-blocks.php:124
action · plugins_loaded · unlimited-blocks.php:132
Maintenance & Trust

Gutenberg Blocks – Unlimited blocks For Gutenberg Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jan 2, 2025
PHP min version: 5.6
Downloads: 52K

Community Trust

Rating: 74/100
Number of ratings: 3
Active installs: 1K
Developer Profile

Gutenberg Blocks – Unlimited blocks For Gutenberg Developer Profile

ThemeHunk

49 plugins · 64K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 188 days
Detection Fingerprints

How We Detect Gutenberg Blocks – Unlimited blocks For Gutenberg

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/unlimited-blocks/dist/editor.js
/wp-content/plugins/unlimited-blocks/dist/script.js
/wp-content/plugins/unlimited-blocks/dist/editor.css
/wp-content/plugins/unlimited-blocks/dist/script.css
/wp-content/plugins/unlimited-blocks/assets/css/owl-slider-min.css
/wp-content/plugins/unlimited-blocks/assets/css/ow.slided.default.css
/wp-content/plugins/unlimited-blocks/assets/fontawesome/css/all.min.css
/wp-content/plugins/unlimited-blocks/assets/js/ubl-custom.js
+1 more
Script Paths
https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.6.0/slick.min.css
https://cdnjs.cloudflare.com/ajax/libs/slick-carousel/1.6.0/slick-theme.min.css
https://cdnjs.cloudflare.com/ajax/libs/animate.css/4.1.1/animate.min.css
https://cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.css
https://cdn.jsdelivr.net/npm/slick-carousel@1.8.1/slick/slick.min.js

HTML / DOM Fingerprints

HTML Comments
<!-- unlimited_blocks -->
<!-- * * -->
<!-- load file important all file called here -->
<!-- slick -->
+1 more
JS Globals
plugin_url
unlimited_blocks_ajax_url