Vayu Blocks – Website Builder for the Block Editor Security & Risk Analysis

wordpress.org/plugins/vayu-blocks

Vayu Blocks - Page Builder For Gutenberg Editor, Block Addons & FSE Templates

1K active installs · v1.4.7 · PHP 7.4+ · WP 6.2+ · Updated Mar 28, 2026
Tags: addons, block, blocks-editor, gutenberg-templates, page-builder
Score: 66 · C · Use Caution
CVEs total: 5
Unpatched: 1
Last CVE: Sep 2, 2025
Safety Verdict

Is Vayu Blocks – Website Builder for the Block Editor Safe to Use in 2026?

Use With Caution

Score 66/100

Vayu Blocks – Website Builder for the Block Editor has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

5 known CVEs · 1 unpatched · Last CVE: Sep 2, 2025 · Updated 1mo ago
Risk Assessment

The 'vayu-blocks' plugin v1.4.4 exhibits a mixed security posture. While it demonstrates good practices like a high percentage of prepared SQL statements and properly escaped output, significant concerns arise from its attack surface and vulnerability history. The presence of 3 unprotected entry points, including AJAX handlers and REST API routes lacking proper authentication or permission checks, presents an immediate risk. Furthermore, the plugin has a history of 5 known CVEs, with one critical unpatched vulnerability, pointing to recurring security weaknesses. The common vulnerability types (Missing Authorization, XSS, Improper Access Control) and the recent critical vulnerability indicate a pattern of insecure handling of user input and access controls. This plugin requires immediate attention to address the unpatched critical vulnerability and the unprotected entry points to mitigate the risk of exploitation.

Key Concerns

  • Unprotected AJAX handlers (2)
  • Unprotected REST API routes (1)
  • Unpatched critical CVE
  • Dangerous function: preg_replace(/e)
  • Flows with unsanitized paths (2)
Vulnerabilities
5 published

Vayu Blocks – Website Builder for the Block Editor Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2025: 4 CVEs (has unpatched)

Severity Breakdown

  • Critical: 1
  • Medium: 4

5 total CVEs

CVE-2025-9378 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vayu Blocks <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes

Sep 2, 2025 · Patched in 1.3.10 (1d)

CVE-2025-4420 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vayu Blocks <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via containerWidth Parameter

Jun 2, 2025 · Patched in 1.3.2 (1d)

CVE-2025-2568 · medium · 5.3 · Missing Authorization

Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce 1.0.4 - 1.2.1 - Missing Authorization to Unauthenticated Limited Arbitrary Options Update

Apr 7, 2025 · Patched in 1.2.2 (1d)

CVE-2025-22644 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce <= 1.3.7 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 3, 2025 · Unpatched

CVE-2024-10124 · critical · 9.8 · Improper Access Control

Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce <= 1.1.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation

Dec 11, 2024 · Patched in 1.2.0 (1d)

Version History

Vayu Blocks – Website Builder for the Block Editor Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Vayu Blocks – Website Builder for the Block Editor Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 2 (7 prepared)
  • Unescaped Output: 34 (785 escaped)
  • Nonce Checks: 10
  • Capability Checks: 14
  • File Operations: 12
  • External Requests: 5
  • Bundled Libraries: 0

Dangerous Functions Found

preg_replace(/e) · preg_replace('/e · inc\render\style\responsive-style.php:896

SQL Query Safety

78% prepared · 9 total queries

Output Escaping

96% escaped · 819 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
import_data (inc\vayu-sites\app.php:39)
Attack Surface
3 unprotected

Vayu Blocks – Website Builder for the Block Editor Attack Surface

Entry Points: 16
Unprotected: 3

AJAX Handlers 13

auth · wp_ajax_vayu_blocks_option_panel · inc\admin\admin-api.php:4
auth · wp_ajax_vayu_blocks_save_input_values · inc\admin\function.php:77
auth · wp_ajax_load_category_products · inc\render\advance-product-tab\advance-product-tab.php:34
nopriv · wp_ajax_load_category_products · inc\render\advance-product-tab\advance-product-tab.php:35
auth · wp_ajax_load_more_posts · inc\render\post-pagination\post-pagination.php:118
nopriv · wp_ajax_load_more_posts · inc\render\post-pagination\post-pagination.php:119
auth · wp_ajax_vayu_blocks_sites_ajax_process_start · inc\vayu-sites\app.php:15
auth · wp_ajax_vayu_blocks_sites_ajax_handler_data · inc\vayu-sites\app.php:16
auth · wp_ajax_vayu_blocks_sites_ajax_import_xml · inc\vayu-sites\app.php:17
auth · wp_ajax_vayu_blocks_sites_ajax_cutomizer · inc\vayu-sites\app.php:18
auth · wp_ajax_vayu_blocks_sites_aimport_options · inc\vayu-sites\app.php:19
auth · wp_ajax_vayu_blocks_sites_core · inc\vayu-sites\app.php:20
auth · wp_ajax_vayu-blocks-sites-wxr-import · inc\vayu-sites\core\importer\wxr-importer.php:64

REST API Routes 3

GET · /wp-json/vayu-blocks/v1/google-fonts · inc\admin\function.php:163
GET · /wp-json/vayu-blocks/v1/manifest · inc\design-library\design-library.php:4
GET · /wp-json/vayu-blocks/v1/upload-media · inc\design-library\design-library.php:32

WordPress Hooks 54

filter · block_categories_all · inc\admin\function.php:17
filter · script_loader_tag · inc\admin\function.php:20
action · admin_enqueue_scripts · inc\admin\function.php:75
action · rest_api_init · inc\admin\function.php:146
filter · rest_post_query · inc\admin\function.php:147
action · rest_api_init · inc\admin\function.php:162
action · init · inc\admin\register-blocks.php:166
action · rest_api_init · inc\design-library\design-library.php:3
action · init · inc\patterns\single.php:63
action · rest_api_init · inc\render\advance-heading\advance-heading.php:6
filter · woocommerce_product_data_store_cpt_get_products_query · inc\render\advance-product-tab\advance-product-tab.php:158
filter · woocommerce_product_data_store_cpt_get_products_query · inc\render\advance-product-tab\advance-product-tab.php:661
filter · rest_post_query · inc\render\advance-query-loop\advance-query-loop.php:7
filter · rest_post_collection_params · inc\render\advance-query-loop\advance-query-loop.php:20
filter · render_block · inc\render\post-pagination\post-pagination.php:61
filter · query_loop_block_query_vars · inc\render\post-pagination\post-pagination.php:77
filter · render_block · inc\render\table-of-contents\table-of-contents.php:19
filter · render_block_context · inc\render\wrapper\wrapper.php:87
action · init · inc\vayu-sites\admin\init.php:22
action · admin_enqueue_scripts · inc\vayu-sites\admin\init.php:23
action · init · inc\vayu-sites\admin\init.php:25
action · admin_head · inc\vayu-sites\admin\init.php:26
action · admin_menu · inc\vayu-sites\admin\init.php:62
action · admin_body_class · inc\vayu-sites\admin\init.php:109
filter · upload_mimes · inc\vayu-sites\core\class-helper.php:31
filter · import_post_meta_key · inc\vayu-sites\core\importer\class-wxr-importer.php:319
filter · http_request_timeout · inc\vayu-sites\core\importer\class-wxr-importer.php:320
action · admin_init · inc\vayu-sites\core\importer\import-log.php:57
action · themehunk_import_start · inc\vayu-sites\core\importer\import-log.php:80
filter · upload_mimes · inc\vayu-sites\core\importer\wxr-importer.php:63
filter · wxr_importer.pre_process.user · inc\vayu-sites\core\importer\wxr-importer.php:65
filter · wxr_importer.pre_process.user · inc\vayu-sites\core\importer\wxr-importer.php:119
filter · wp_image_editors · inc\vayu-sites\core\importer\wxr-importer.php:122
filter · wxr_importer.pre_process.post · inc\vayu-sites\core\importer\wxr-importer.php:125
action · wxr_importer.processed.post · inc\vayu-sites\core\importer\wxr-importer.php:128
action · wxr_importer.process_failed.post · inc\vayu-sites\core\importer\wxr-importer.php:129
action · wxr_importer.process_already_imported.post · inc\vayu-sites\core\importer\wxr-importer.php:130
action · wxr_importer.process_skipped.post · inc\vayu-sites\core\importer\wxr-importer.php:131
action · wxr_importer.processed.comment · inc\vayu-sites\core\importer\wxr-importer.php:132
action · wxr_importer.process_already_imported.comment · inc\vayu-sites\core\importer\wxr-importer.php:133
action · wxr_importer.processed.term · inc\vayu-sites\core\importer\wxr-importer.php:134
action · wxr_importer.process_failed.term · inc\vayu-sites\core\importer\wxr-importer.php:135
action · wxr_importer.process_already_imported.term · inc\vayu-sites\core\importer\wxr-importer.php:136
action · wxr_importer.processed.user · inc\vayu-sites\core\importer\wxr-importer.php:137
action · wxr_importer.process_failed.user · inc\vayu-sites\core\importer\wxr-importer.php:138
filter · wp_import_post_meta · inc\vayu-sites\core\importer\wxr-importer.php:400
filter · wxr_importer.pre_process.post_meta · inc\vayu-sites\core\importer\wxr-importer.php:401
action · init · inc\vayu-sites\core\inc.php:25
action · init · public\init.php:41
action · enqueue_block_assets · public\init.php:51
action · enqueue_block_editor_assets · public\init.php:82
action · wp_enqueue_scripts · public\init.php:95
action · admin_menu · vayu-blocks.php:47
action · init · vayu-blocks.php:119

Maintenance & Trust

Vayu Blocks – Website Builder for the Block Editor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 28, 2026
PHP min version: 7.4
Downloads: 31K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 1K

Developer Profile

Vayu Blocks – Website Builder for the Block Editor Developer Profile

ThemeHunk

49 plugins · 64K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 188 days
Detection Fingerprints

How We Detect Vayu Blocks – Website Builder for the Block Editor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/vayu-blocks/assets/css/frontend.css
  • /wp-content/plugins/vayu-blocks/assets/js/frontend.js
  • /wp-content/plugins/vayu-blocks/build/style-index.css
  • /wp-content/plugins/vayu-blocks/build/index.js
  • /wp-content/plugins/vayu-blocks/build/frontend.js
Script Paths
  • /wp-content/plugins/vayu-blocks/assets/js/frontend.js
  • /wp-content/plugins/vayu-blocks/build/index.js
  • /wp-content/plugins/vayu-blocks/build/frontend.js
  • /wp-content/plugins/vayu-blocks/assets/js/vayu-blocks-global.js
Version Parameters
  • /wp-content/plugins/vayu-blocks/assets/css/frontend.css?ver=
  • /wp-content/plugins/vayu-blocks/assets/js/frontend.js?ver=
  • /wp-content/plugins/vayu-blocks/build/style-index.css?ver=
  • /wp-content/plugins/vayu-blocks/build/index.js?ver=
  • /wp-content/plugins/vayu-blocks/build/frontend.js?ver=
  • /wp-content/plugins/vayu-blocks/assets/js/vayu-blocks-global.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • vayu-blocks-wrap
  • vayu-blocks-container
Data Attributes
  • data-vayu-block
  • data-vayu-blocks-attribute
JS Globals
  • vayu_blocks_data
  • VayuBlocksFrontend
Shortcode Output
  • [vayu_blocks_element]
  • [vayu_pricing_table]

FAQ

Frequently Asked Questions about Vayu Blocks – Website Builder for the Block Editor