UX Flat Security & Risk Analysis

wordpress.org/plugins/ux-flat

Enhance user experience with the sleek and modern design provided by the UX Flat plugin for WordPress websites.

1K active installs · v5.4.0 · PHP 7.4+ · WP 6.2+ · Updated Jun 29, 2025
Tags: element-flatsome, flatsome, flat, ux, ux-flatsome, uxflat
Score: 73
B · Generally Safe
CVEs total: 2
Unpatched: 1
Last CVE: Jan 20, 2026
Safety Verdict

Is UX Flat Safe to Use in 2026?

Mostly Safe

Score 73/100

UX Flat is generally safe to use. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · 1 unpatched · Last CVE: Jan 20, 2026 · Updated 9mo ago
Risk Assessment

The 'ux-flat' plugin v5.4.0 presents a mixed security picture. On the positive side, static analysis flags no dangerous function calls, SQL queries are consistently prepared, and a high percentage of output is properly escaped. The absence of file operations and external HTTP requests is also a strength. However, the plugin's attack surface consists entirely of shortcodes, 21 entry points in total; while none of them was found to be unprotected, relying solely on shortcodes for user interaction warrants careful consideration.

The vulnerability history is a significant concern: two known CVEs, one of which remains unpatched and is rated as high severity. The common vulnerability type, Cross-site Scripting (XSS), suggests problems with how user input is handled within the shortcodes despite the generally good output escaping rates. The date of the last vulnerability (2026-01-20) lies in the future, which is an anomaly in the data; assuming it refers to a past event, it indicates a recurring pattern of security weaknesses that requires attention.

Overall, although the code exhibits some good security practices, such as prepared statements and a decent escaping rate, the unpatched high-severity vulnerability and the reliance on shortcodes as the sole entry point are critical risks. The plugin's past security incidents, particularly XSS, suggest that its input sanitization and handling may not be consistently robust, even with the reported output escaping percentages. Users should exercise caution and prioritize patching or migrating away from this plugin.

Key Concerns

  • Unpatched high severity CVE
  • Known medium severity CVE
  • All entry points are shortcodes
  • High percentage of outputs not escaped
Vulnerabilities (2)

UX Flat Security Vulnerabilities

CVEs by Year

2024: 1 CVE · patched
2026: 1 CVE · unpatched

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2026-24576 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

UX Flat <= 5.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 20, 2026 · Unpatched
CVE-2024-2459 · high · 7.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

UX Flat <= 4.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Mar 19, 2024 · Patched in 4.5 (115d)
Code Analysis
Analyzed Mar 16, 2026

UX Flat Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 80 (371 escaped)
Nonce Checks: 4
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

82% escaped · 451 total outputs
Attack Surface

UX Flat Attack Surface

Entry Points: 21
Unprotected: 0

Shortcodes 21

[social] inc\helpers\class.author.php:26
[post-reads] inc\init.php:409
[blog_categories] inc\shortcodes\blog_categories.php:259
[blog_categories_grid] inc\shortcodes\blog_categories.php:260
[blog_posts] inc\shortcodes\blog_posts.php:530
[button] inc\shortcodes\button.php:214
[divider] inc\shortcodes\divider.php:105
[follow] inc\shortcodes\follow.php:449
[map] inc\shortcodes\google_maps.php:106
[lightbox] inc\shortcodes\lightbox.php:78
[menu] inc\shortcodes\menu.php:71
[module] inc\shortcodes\module.php:118
[background] inc\shortcodes\sections.php:294
[section] inc\shortcodes\sections.php:295
[section_inner] inc\shortcodes\sections.php:296
[title] inc\shortcodes\title.php:183
[ux_gallery] inc\shortcodes\ux_gallery.php:248
[gallery] inc\shortcodes\ux_gallery.php:267
[ux_menu_link] inc\shortcodes\ux_menu_link.php:116
[ux_slider] inc\shortcodes\ux_slider.php:293
[ux_typed] inc\shortcodes\ux_typed.php:83
WordPress Hooks 63
action admin_notices inc\core.php:30
action plugins_loaded inc\core.php:38
action activated_plugin inc\core.php:49
filter plugin_row_meta inc\core.php:83
action show_user_profile inc\helpers\class.author.php:22
action edit_user_profile inc\helpers\class.author.php:23
action personal_options_update inc\helpers\class.author.php:24
action edit_user_profile_update inc\helpers\class.author.php:25
action show_user_profile inc\helpers\class.avatar.php:5
action edit_user_profile inc\helpers\class.avatar.php:6
action personal_options_update inc\helpers\class.avatar.php:7
action edit_user_profile_update inc\helpers\class.avatar.php:8
action delete_user inc\helpers\class.avatar.php:9
filter get_avatar inc\helpers\class.avatar.php:10
action category_add_form_fields inc\helpers\class.categories-layout.php:7
action category_edit_form_fields inc\helpers\class.categories-layout.php:8
action created_category inc\helpers\class.categories-layout.php:9
action edited_category inc\helpers\class.categories-layout.php:10
filter category_template inc\helpers\class.categories-layout.php:11
action admin_enqueue_scripts inc\helpers\class.categories.php:7
action category_add_form_fields inc\helpers\class.categories.php:8
action created_category inc\helpers\class.categories.php:9
action category_edit_form_fields inc\helpers\class.categories.php:10
action edited_category inc\helpers\class.categories.php:11
action admin_footer inc\helpers\class.categories.php:12
action init inc\helpers\helpers-icons.php:5
action after_setup_theme inc\helpers\helpers-icons.php:17
action wp_enqueue_scripts inc\helpers\helpers-icons.php:45
filter flatsome_follow_links inc\helpers\helpers-icons.php:79
filter flatsome_share_links inc\helpers\helpers-icons.php:80
action after_setup_theme inc\init.php:63
action ux_builder_setup inc\init.php:96
action flatsome_footer inc\init.php:101
action flatsome_before_blog inc\init.php:110
action wp_enqueue_scripts inc\init.php:258
action wp_footer inc\init.php:271
action flatsome_before_header inc\init.php:275
filter flatsome_follow_links inc\init.php:299
filter flatsome_share_links inc\init.php:300
action woocommerce_shop_loop_item_title inc\init.php:305
filter gettext inc\init.php:320
filter wpseo_breadcrumb_links inc\init.php:348
filter the_title inc\init.php:413
filter rank_math/frontend/title inc\init.php:417
filter rank_math/frontend/description inc\init.php:421
filter template_include inc\init.php:447
action flatsome_before_comments inc\init.php:451
action flatsome_before_blog inc\init.php:479
action flatsome_after_blog inc\init.php:487
action flatsome_before_blog inc\init.php:507
action init inc\init.php:523
action wp_head inc\init.php:530
action flatsome_after_blog inc\init.php:631
action flatsome_before_comments inc\init.php:633
filter flatsome_lightbox_close_btn_inside inc\init.php:638
filter flatsome_lightbox_close_button inc\init.php:639
filter tiny_mce_before_init inc\init.php:657
filter posts_search inc\init.php:683
action init inc\of_options.php:6
filter found_posts inc\shortcodes\blog_posts.php:239
action wp_enqueue_scripts inc\shortcodes\button.php:11
action wp_enqueue_scripts inc\shortcodes\sections.php:6
action wp_enqueue_scripts inc\shortcodes\ux_typed.php:7
Maintenance & Trust

UX Flat Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jun 29, 2025
PHP min version: 7.4
Downloads: 25K

Community Trust

Rating: 94/100
Number of ratings: 13
Active installs: 1K
Developer Profile

UX Flat Developer Profile

COP

2 plugins · 8K total installs

Trust score: 69
Avg Security Score: 86/100
Avg Patch Time: 92 days
Detection Fingerprints

How We Detect UX Flat

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ux-flat/assets/css/icons.min.css
/wp-content/plugins/ux-flat/assets/css/fas.min.css

HTML / DOM Fingerprints

CSS Classes
icon-zalo
Data Attributes
data-uxf-typed-strings
JS Globals
UXF_VERSION
UXF_FILE
UXF_DIR
UXF_URL
Shortcode Output
[ux_menu_link
[follow
[ux_gallery
[ux_slider
FAQ

Frequently Asked Questions about UX Flat