Xolo Addon Security & Risk Analysis

wordpress.org/plugins/xolo-addon

Xolo Addon gives you attractive Elementor widgets for your websites. It's a perfect test for Xolo Theme, but you can also use it for other themes: Astra, Sina …

40 active installs · v1.5 · PHP 5.6+ · WP 5.0+ · Updated Jan 2, 2024
Tags: demo, elementor, import, settings, xolo-addon
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Xolo Addon Safe to Use in 2026?

Generally Safe

Score 85/100

Xolo Addon has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2yr ago
Risk Assessment

The xolo-addon plugin v1.5 presents a generally good security posture based on the static analysis. The absence of AJAX handlers, REST API routes, shortcodes, and cron events, particularly those without authentication, indicates a very limited attack surface. Furthermore, the code signals show no dangerous functions, all SQL queries using prepared statements, and a notable absence of file operations and external HTTP requests. The presence of nonce and capability checks, along with proper output escaping for the majority of outputs, are positive indicators of secure coding practices.

However, there are areas for improvement. The taint analysis identified two flows with unsanitized paths, although they were not classified as critical or high severity. This warrants further investigation to ensure no potential for privilege escalation or cross-site scripting exists, even if the immediate risk appears low. Additionally, while 76% of output is properly escaped, the remaining 24% could potentially be a vector for cross-site scripting vulnerabilities if user-supplied data is involved. The vulnerability history is clean, with no recorded CVEs, which is a strong positive sign. This suggests a consistent track record of security.

In conclusion, xolo-addon v1.5 demonstrates a strong foundation of secure coding principles, particularly in its limited attack surface and SQL handling. The primary areas of concern lie in the two identified taint flows and the proportion of unescaped output. Addressing these would further solidify its security. The lack of historical vulnerabilities is a significant strength.

Key Concerns

  • Taint flows with unsanitized paths
  • Output escaping not 100% proper
Vulnerabilities
None known

Xolo Addon Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Xolo Addon Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 160 (499 escaped)
Nonce Checks: 2
Capability Checks: 2
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Output Escaping

76% escaped · 659 total outputs
Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
widget (inc\erapress\erapress-feature-widget.php:497)
[Data-flow diagram; legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

Xolo Addon Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 31

Type · Hook · Location
filter · pt-ocdi/import_files · inc\erapress\demo-import\index.php:124
action · pt-ocdi/after_import · inc\erapress\demo-import\index.php:151
filter · pt-ocdi/plugin_intro_text · inc\erapress\demo-import\index.php:159
filter · pt-ocdi/plugin_page_setup · inc\erapress\demo-import\index.php:171
action · elementor/elements/categories_registered · inc\erapress\elementor\elementor.php:26
action · elementor/widgets/widgets_registered · inc\erapress\elementor\elementor.php:41
action · init · inc\erapress\erapress-cpt-pricing.php:32
action · save_post · inc\erapress\erapress-cpt-pricing.php:42
action · admin_init · inc\erapress\erapress-cpt-pricing.php:47
action · init · inc\erapress\erapress-cpt-pricing.php:188
action · widgets_init · inc\erapress\erapress-feature-widget.php:8
action · widgets_init · inc\erapress\erapress-feature-widget.php:227
action · widgets_init · inc\erapress\erapress-feature-widget.php:485
action · admin_init · inc\erapress\updater\theme-updater-admin.php:60
action · admin_init · inc\erapress\updater\theme-updater-admin.php:61
action · admin_init · inc\erapress\updater\theme-updater-admin.php:62
action · admin_menu · inc\erapress\updater\theme-updater-admin.php:63
filter · http_request_args · inc\erapress\updater\theme-updater-admin.php:65
filter · site_transient_update_themes · inc\erapress\updater\theme-updater-class.php:41
filter · delete_site_transient_update_themes · inc\erapress\updater\theme-updater-class.php:42
action · load-update-core.php · inc\erapress\updater\theme-updater-class.php:43
action · load-themes.php · inc\erapress\updater\theme-updater-class.php:44
action · load-themes.php · inc\erapress\updater\theme-updater-class.php:45
action · admin_notices · inc\erapress\updater\theme-updater-class.php:50
action · widgets_init · inc\erapress\widget-download-filters.php:3
action · widgets_init · inc\erapress\widget-recent-posts.php:140
action · elementor/elements/categories_registered · inc\xolo\elementor\elementor.php:26
action · elementor/widgets/widgets_registered · inc\xolo\elementor\elementor.php:41
action · widgets_init · inc\xolo\widget-download-filters.php:3
action · widgets_init · inc\xolo\widget-recent-posts.php:140
filter · user_contactmethods · xolo-addon.php:46
Maintenance & Trust

Xolo Addon Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.4.8
Last updated: Jan 2, 2024
PHP min version: 5.6
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 40
Developer Profile

Xolo Addon Developer Profile

Xolo Software

4 plugins · 210 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Xolo Addon

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/xolo-addon/assets/css/responsive.css
  • /wp-content/plugins/xolo-addon/assets/css/rtl.css
  • /wp-content/plugins/xolo-addon/assets/css/style.css
  • /wp-content/plugins/xolo-addon/assets/js/custom.js
  • /wp-content/plugins/xolo-addon/assets/js/frontend.js
  • /wp-content/plugins/xolo-addon/assets/js/vendor/isotope.pkgd.min.js
Version Parameters
  • xolo-addon/assets/css/responsive.css?ver=
  • xolo-addon/assets/css/rtl.css?ver=
  • xolo-addon/assets/css/style.css?ver=
  • xolo-addon/assets/js/custom.js?ver=
  • xolo-addon/assets/js/frontend.js?ver=
  • xolo-addon/assets/js/vendor/isotope.pkgd.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • xolo-addons-wrapper
  • xolo-elements-tabs-content
  • xolo-elements-tabs-nav
  • xolo-elements-tabs-nav-item
  • xolo-elements-tabs-nav-item-active
  • xolo-elements-tabs-content-item
  • xolo-elements-tabs-content-item-active
HTML Comments
  • <!-- xolo-addons-wrapper -->
  • <!-- End xolo-addons-wrapper -->
  • <!-- xolo-elements-tabs-wrapper -->
  • <!-- End xolo-elements-tabs-wrapper -->
  • (+4 more)
Data Attributes
data-tabid
JS Globals
xolo_data
Shortcode Output
[xolo_tabs][/xolo_tabs]