Zion Builder – Website Builder for Speed & Creativity Security & Risk Analysis

wordpress.org/plugins/zionbuilder

Building websites just got easier! Zion Builder is a visual website builder with powerful design features to help you build interactive websites.

1K active installs · v3.6.17 · PHP 7.0.0+ · WP 6.0.0+ · Updated Jan 22, 2026
Tags: drag-and-drop, editor, page-builder, visual-editor, website-builder
Score: 99 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Dec 2, 2024
Safety Verdict

Is Zion Builder – Website Builder for Speed & Creativity Safe to Use in 2026?

Generally Safe

Score 99/100

Zion Builder – Website Builder for Speed & Creativity has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Dec 2, 2024 · Updated 2mo ago
Risk Assessment

The ZionBuilder plugin v3.6.17 exhibits a generally good security posture, with several positive indicators. The complete absence of SQL injection vulnerabilities due to 100% prepared statement usage is a significant strength. Furthermore, the presence of nonce and capability checks across its entry points, along with a lack of dangerous function usage, suggests a development team that is aware of common WordPress security practices.

However, there are areas for improvement. The static analysis reveals that 23% of output is not properly escaped, which could potentially lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is displayed without adequate sanitization. While the taint analysis shows no critical or high-severity flows, the presence of two unsanitized path flows warrants attention, as these can sometimes be exploited in conjunction with other vulnerabilities or misconfigurations.

The vulnerability history shows two medium-severity CVEs, both related to XSS. Neither is currently unpatched, but the pattern suggests that XSS remains a recurring concern for this plugin. The most recent vulnerability was in December 2024, and both issues have since been resolved. Overall, ZionBuilder has a solid foundation, but the unescaped output and historical XSS trends highlight areas where developers should focus their security efforts to further harden the plugin.

Key Concerns

  • Unescaped output found
  • Taint flows with unsanitized paths
  • Medium severity CVEs in history
Vulnerabilities: 2

Zion Builder – Website Builder for Speed & Creativity Security Vulnerabilities

CVEs by Year

2024: 2 CVEs

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2024-54213 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Page Builder – Zion Builder <= 3.6.16 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 2, 2024 · Patched in 3.6.17 (418d)

CVE-2024-30444 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WordPress Page Builder – Zion Builder <= 3.6.9 - Authenticated (Editor+) Stored Cross-Site Scripting

Mar 28, 2024 · Patched in 3.6.10 (7d)
Code Analysis
Analyzed Mar 16, 2026

Zion Builder – Website Builder for Speed & Creativity Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 40 (137 escaped)
Nonce Checks: 2
Capability Checks: 11
File Operations: 7
External Requests: 3
Bundled Libraries: 0

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

77% escaped · 177 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
__construct (includes\Screenshot.php:24)
Attack Surface

Zion Builder – Website Builder for Speed & Creativity Attack Surface

Entry Points: 2
Unprotected: 0

AJAX Handlers: 1

auth · wp_ajax_get-attachment · includes\WPMedia.php:22

Shortcodes: 1

[zionbuilder] · includes\Shortcodes.php:22
WordPress Hooks: 118

Type · Hook · Registered at
filter · page_row_actions · includes\Admin\Admin.php:38
filter · post_row_actions · includes\Admin\Admin.php:39
filter · display_post_states · includes\Admin\Admin.php:40
filter · admin_body_class · includes\Admin\Admin.php:43
action · edit_form_after_title · includes\Admin\Admin.php:46
action · edit_form_after_title · includes\Admin\Admin.php:47
action · admin_enqueue_scripts · includes\Admin\Admin.php:50
filter · heartbeat_received · includes\Admin\Admin.php:53
action · admin_menu · includes\Admin\Admin.php:56
filter · admin_body_class · includes\Admin\Admin.php:59
filter · body_class · includes\AdminBar.php:29
action · admin_bar_menu · includes\AdminBar.php:32
action · rest_api_init · includes\Api\RestApi.php:29
action · wp_enqueue_scripts · includes\Assets.php:66
action · wp_head · includes\Assets.php:69
filter · zionbuilder/renderer/page_content · includes\Assets.php:70
action · wp_footer · includes\Assets.php:71
action · wp_footer · includes\Assets.php:72
action · save_post · includes\Assets.php:75
action · delete_post · includes\Assets.php:76
action · zionbuilder/settings/after_save · includes\Assets.php:77
filter · zionbuilder/api/bulk_actions/get_input_select_options/get_all_posts · includes\BulkActionsData.php:17
action · zionbuilder/editor/before_scripts · includes\CommonJS.php:29
action · zionbuilder/preview/before_load_scripts · includes\CommonJS.php:30
action · zionbuilder/admin/before_admin_scripts · includes\CommonJS.php:31
filter · zionbuilder/cache/dynamic_css · includes\CustomCode.php:20
action · wp_head · includes\CustomCode.php:23
action · wp_body_open · includes\CustomCode.php:26
action · wp_footer · includes\CustomCode.php:29
action · admin_action_zion_builder_active · includes\Editor\Editor.php:51
filter · heartbeat_settings · includes\Editor\Editor.php:103
filter · show_admin_bar · includes\Editor\Editor.php:106
filter · zionbuilder/editor/body_class · includes\Editor\Editor.php:107
action · wp_head · includes\Editor\Editor.php:116
action · wp_head · includes\Editor\Editor.php:117
action · wp_head · includes\Editor\Editor.php:119
action · wp_head · includes\Editor\Editor.php:121
action · wp_head · includes\Editor\Editor.php:122
action · wp_enqueue_scripts · includes\Editor\Editor.php:125
action · wp_footer · includes\Editor\Editor.php:128
action · wp · includes\Editor\Preview.php:32
action · zionbuilder/frontend/init · includes\Editor\Preview.php:33
filter · show_admin_bar · includes\Editor\Preview.php:46
filter · style_loader_tag · includes\Editor\Preview.php:47
filter · the_content · includes\Editor\Preview.php:86
filter · body_class · includes\Editor\Preview.php:89
action · wp_enqueue_scripts · includes\Editor\Preview.php:93
action · wp_footer · includes\Editor\Preview.php:94
action · zionbuilder/frontend/before_load_styles · includes\FontsManager\Fonts\GoogleFonts.php:35
action · zionbuilder/settings/save · includes\FontsManager\Fonts\GoogleFonts.php:37
action · template_redirect · includes\Frontend.php:43
action · wp_enqueue_scripts · includes\Frontend.php:46
action · wp_enqueue_scripts · includes\Frontend.php:47
filter · body_class · includes\Frontend.php:50
filter · get_the_excerpt · includes\Frontend.php:85
filter · get_the_excerpt · includes\Frontend.php:86
filter · the_content · includes\Frontend.php:147
filter · the_content · includes\Frontend.php:204
filter · the_content · includes\Frontend.php:205
filter · zionbuilder/cache/dynamic_css · includes\Icons.php:24
action · enqueue_block_editor_assets · includes\Integrations\Gutenberg.php:51
action · admin_footer · includes\Integrations\Gutenberg.php:52
action · rest_api_init · includes\Integrations\Gutenberg.php:53
action · zionbuilder/editor/after_scripts · includes\Integrations\HappyFiles.php:42
filter · zionbuilderpro/theme/template_post_id · includes\Integrations\Polylang.php:40
filter · zionbuilder/shortcode/post_id · includes\Integrations\Polylang.php:41
filter · pll_get_post_types · includes\Integrations\Polylang.php:42
action · zionbuilder/post/after_save · includes\Integrations\Polylang.php:43
action · admin_enqueue_scripts · includes\Integrations\RankMath.php:44
action · _wp_put_post_revision · includes\Integrations\Revisions.php:43
filter · wp_creating_autosave · includes\Integrations\Revisions.php:44
filter · _wp_post_revision_fields · includes\Integrations\Revisions.php:45
action · wp_restore_post_revision · includes\Integrations\Revisions.php:46
filter · zionbuilder/preview/content · includes\Integrations\TwentyNineteen.php:41
filter · zionbuilderpro/theme/template_post_id · includes\Integrations\WPML.php:40
filter · zionbuilder/shortcode/post_id · includes\Integrations\WPML.php:41
action · pre_get_posts · includes\Integrations\WPSearch.php:49
filter · posts_join · includes\Integrations\WPSearch.php:61
filter · posts_where · includes\Integrations\WPSearch.php:62
filter · posts_distinct · includes\Integrations\WPSearch.php:63
action · admin_enqueue_scripts · includes\Integrations\Yoast.php:43
filter · zionbuilder/admin/initial_data · includes\MaintenanceMode.php:33
action · template_redirect · includes\MaintenanceMode.php:38
filter · zionbuilder/admin_page/options_schemas · includes\Modules\SmoothScroll\SmoothScroll.php:21
action · wp_footer · includes\Modules\SmoothScroll\SmoothScroll.php:24
action · zionbuilder/post/save · includes\Modules\SmoothScroll\SmoothScroll.php:27
filter · theme_templates · includes\PageTemplates\PageTemplates.php:27
filter · template_include · includes\PageTemplates\PageTemplates.php:29
filter · body_class · includes\PageTemplates\PageTemplates.php:102
action · wp_default_scripts · includes\Performance.php:14
action · init · includes\Performance.php:18
filter · tiny_mce_plugins · includes\Performance.php:39
action · init · includes\Permissions.php:44
filter · zionbuilder/admin_page/options_schemas · includes\Permissions.php:45
action · after_setup_theme · includes\Plugin.php:332
filter · template_include · includes\Renderer.php:36
action · wp_enqueue_scripts · includes\Screenshot.php:27
filter · script_loader_src · includes\Scripts.php:56
filter · style_loader_src · includes\Scripts.php:57
filter · script_loader_tag · includes\Scripts.php:58
filter · zionbuilder/permissions/get_allowed_post_types · includes\Templates.php:36
filter · zionbuilder/data_sets/post_types · includes\Templates.php:37
filter · zionbuilder/post/post_template · includes\Templates.php:38
action · init · includes\Templates.php:40
action · template_redirect · includes\Templates.php:43
action · wp_head · includes\Templates.php:44
filter · wp_sitemaps_post_types · includes\Templates.php:47
action · parse_query · includes\Templates.php:50
action · admin_menu · includes\Templates.php:53
action · admin_enqueue_scripts · includes\Templates.php:63
action · init · includes\Upgrade\Upgrader.php:23
action · zionbuilder_run_update_callback · includes\Upgrade\Upgrader.php:24
action · delete_attachment · includes\WPMedia.php:23
filter · image_downsize · includes\WPMedia.php:24
filter · wp_calculate_image_srcset_meta · includes\WPMedia.php:27
action · init · zionbuilder.php:56
action · admin_notices · zionbuilder.php:66
action · admin_notices · zionbuilder.php:69
Maintenance & Trust

Zion Builder – Website Builder for Speed & Creativity Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 22, 2026
PHP min version: 7.0.0
Downloads: 79K

Community Trust

Rating: 88/100
Number of ratings: 30
Active installs: 1K
Developer Profile

Zion Builder – Website Builder for Speed & Creativity Developer Profile

Zionbuilder

1 plugin · 1K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 213 days
Detection Fingerprints

How We Detect Zion Builder – Website Builder for Speed & Creativity

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/zionbuilder/assets/css/main.css
  • /wp-content/plugins/zionbuilder/assets/css/editor.css
  • /wp-content/plugins/zionbuilder/assets/css/elements.css
  • /wp-content/plugins/zionbuilder/assets/css/frontend.css
  • /wp-content/plugins/zionbuilder/assets/js/main.js
  • /wp-content/plugins/zionbuilder/assets/js/editor.js
  • /wp-content/plugins/zionbuilder/assets/js/frontend.js
Script Paths
  • /wp-content/plugins/zionbuilder/assets/js/main.js
  • /wp-content/plugins/zionbuilder/assets/js/editor.js
  • /wp-content/plugins/zionbuilder/assets/js/frontend.js
Version Parameters
  • zionbuilder/assets/css/main.css?ver=
  • zionbuilder/assets/css/editor.css?ver=
  • zionbuilder/assets/css/elements.css?ver=
  • zionbuilder/assets/css/frontend.css?ver=
  • zionbuilder/assets/js/main.js?ver=
  • zionbuilder/assets/js/editor.js?ver=
  • zionbuilder/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • zionbuilder-editor
  • zionbuilder-element
  • zionbuilder-editor-wrapper
  • zionbuilder-element-content
  • zionbuilder-element-wrapper
HTML Comments
<!-- Zion Builder --
Data Attributes
  • data-zionbuilder-element
  • data-zionbuilder-editor-mode
  • data-zionbuilder-type
JS Globals
  • ZionBuilderAdmin
  • ZionBuilderEditor
REST Endpoints
  • /wp-json/zionbuilder/v1/bulk-actions
FAQ

Frequently Asked Questions about Zion Builder – Website Builder for Speed & Creativity