ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns Security & Risk Analysis

wordpress.org/plugins/zoloblocks

Empowering Gutenberg block editor to help you create WordPress websites with 55+ free Advanced blocks, 300+ patterns, 100+ ready pages and more.

1K active installs · v2.7.0 · PHP 7.4+ · WP 6.1+ · Updated Mar 10, 2026
Tags: blocks, dynamic-content, editor, gutenberg, gutenberg-blocks
Score: 89 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Nov 4, 2025
Safety Verdict

Is ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns Safe to Use in 2026?

Generally Safe

Score 89/100

ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns has no unpatched vulnerabilities. All six known CVEs are fixed: four were patched within a week of disclosure, the unauthenticated SSRF (CVE-2025-60161) in 19 days and the second stored XSS (CVE-2025-58230) in 30 days.

6 known CVEs · Last CVE: Nov 4, 2025 · Updated 25d ago
Risk Assessment

The zoloblocks plugin v2.7.0 presents a mixed security posture. On the positive side, all 7 database queries use prepared statements, 374 of 386 outputs (97%) are escaped, the scan found no dangerous functions, file operations or bundled third-party libraries, and it counted 21 nonce checks and 12 capability checks, which indicates that the developers apply the WordPress security basics.

The concerns concentrate in the attack surface. The scan flags two of the 12 AJAX handlers as lacking authentication checks (the 8 REST routes are permission-checked). The handler list does not mark which two, but only the handlers registered with the nopriv prefix, send_form_data (includes\Form\Form.php) and zolo_subscribe_newsletter (includes\Mailchimp\Mailchimp.php), are reachable without a login. For a public contact form or newsletter signup that is by design, so the question to ask is not whether they require authentication but whether they verify a nonce and sanitize every field before it reaches a database write or an outbound request. Both taint flows reported have unsanitized paths, and the one the report names (subscription, Mailchimp.php:42) starts in that newsletter handler. Neither flow scored high or critical in this scan, but the plugin's one unauthenticated SSRF (CVE-2025-60161, fixed in 2.3.12) shows what unauthenticated input reaching one of the plugin's four external requests can turn into, so both flows deserve a manual review. The hook list also shows filters on upload_mimes and wp_check_filetype_and_ext (includes\Classes\SupportSVG.php, includes\zoloblocks-loader.php), i.e. the plugin enables SVG uploads; the report does not say whether uploaded SVGs are sanitized, and unsanitized SVG is a stored XSS vector for any role that holds the upload_files capability.

The vulnerability history is the biggest negative. Six CVEs in 2025 alone, two high (an authenticated subscriber-level file inclusion, CVE-2025-53210, tagged with the PHP remote file inclusion CWE although the advisory title describes a local file inclusion, and an unauthenticated SSRF, CVE-2025-60161) and four medium (two missing-authorization issues and two contributor-level stored XSS), point to recurring gaps in access control and input handling. Two details stand out. The two missing-authorization CVEs and the SSRF were all fixed in the same release, 2.3.12. And the second stored XSS (CVE-2025-58230) affects versions up to 2.3.12, the release after the first stored XSS (CVE-2025-9075) was fixed in 2.3.11, so the first fix evidently did not close every vector of the same class. No CVE is currently unpatched and the most recent dates from November 2025, which is a positive sign for v2.7.0, but the pattern argues for keeping the plugin on the latest release and watching for new advisories.
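The following is an added example written for this page, not ZoloBlocks code and not a reconstruction of any of the CVEs above. It shows a public (nopriv) AJAX handler written the way the report's "unprotected handler" and "unsanitized taint flow" findings describe, next to a hardened version, and then a privileged handler of the popup enable/disable kind that needs a capability check as well as a nonce. It assumes the WordPress runtime is loaded (it belongs in a plugin file); every action name, option name and the _example_popup_enabled meta key are hypothetical, and the Mailchimp endpoint shape is the public v3 members API.

```php
<?php
/**
 * Added example, not ZoloBlocks code. Assumes WordPress is loaded.
 * Action names, option names and the meta key are hypothetical.
 */

// ---- INSECURE: reachable without login, no nonce, no validation, and the
//      client chooses where the server sends the request (the SSRF shape).
function example_subscribe_insecure() {
    $endpoint = $_POST['endpoint'];                               // attacker-controlled URL
    wp_remote_post( $endpoint, array( 'body' => array( 'email' => $_POST['email'] ) ) );
    echo $_POST['message'];                                       // reflected unescaped
    wp_die();
}
add_action( 'wp_ajax_nopriv_example_subscribe', 'example_subscribe_insecure' );

// ---- HARDENED public handler.
function example_subscribe_hardened() {
    // CSRF protection: the form must carry a token from wp_create_nonce( 'example_subscribe' ).
    // For a nopriv handler this is not authentication, but it stops cross-site posting.
    check_ajax_referer( 'example_subscribe', 'nonce' );

    // Validate every field; never accept a URL or host from the client.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }

    // The destination is built from stored, shape-checked settings only (hypothetical option names).
    $dc      = (string) get_option( 'example_mailchimp_dc' );     // data centre prefix, e.g. "us1"
    $list_id = (string) get_option( 'example_mailchimp_list' );
    $api_key = (string) get_option( 'example_mailchimp_key' );
    if ( ! preg_match( '/^[a-z]{2}\d{1,2}$/', $dc ) || ! preg_match( '/^[a-z0-9]{1,32}$/i', $list_id ) || '' === $api_key ) {
        wp_send_json_error( array( 'message' => 'Newsletter is not configured.' ), 500 );
    }
    $endpoint = sprintf( 'https://%s.api.mailchimp.com/3.0/lists/%s/members', $dc, $list_id );

    $response = wp_remote_post( $endpoint, array(
        'timeout' => 10,
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode( 'anystring:' . $api_key ),
            'Content-Type'  => 'application/json',
        ),
        'body'    => wp_json_encode( array( 'email_address' => $email, 'status' => 'pending' ) ),
    ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( array( 'message' => 'Subscription failed, please try again later.' ), 502 );
    }
    // Fixed, structured response: nothing from the request is echoed back.
    wp_send_json_success( array( 'message' => 'Check your inbox to confirm.' ) );
}
add_action( 'wp_ajax_example_subscribe',        'example_subscribe_hardened' );
add_action( 'wp_ajax_nopriv_example_subscribe', 'example_subscribe_hardened' );

// ---- PRIVILEGED action (the popup enable/disable pattern): nonce AND capability,
//      scoped to the specific post, and deliberately no nopriv registration.
function example_toggle_popup() {
    check_ajax_referer( 'example_toggle_popup', 'nonce' );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'You may not change this popup.' ), 403 );
    }
    $enabled = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];
    update_post_meta( $post_id, '_example_popup_enabled', $enabled ? '1' : '0' );
    wp_send_json_success( array( 'post_id' => $post_id, 'enabled' => $enabled ) );
}
add_action( 'wp_ajax_example_toggle_popup', 'example_toggle_popup' );
```

wp_send_json_error() and wp_send_json_success() terminate the request, so none of the error branches fall through. The nonce on the public handler is a CSRF control only; an unauthenticated endpoint that sends mail or calls a third-party API still needs a CAPTCHA or rate limit against volume abuse (the plugin ships a Recaptcha class for its forms, per the hook list below). The privileged handler checks edit_post against the specific post rather than a blanket manage_options, which is the least-privilege form of the check that CVE-2025-12134 was missing.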

Key Concerns

  • Unprotected AJAX handlers found
  • Taint flows with unsanitized paths
  • History of high severity CVEs (2)
  • History of medium severity CVEs (4)
Vulnerabilities
6

ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns Security Vulnerabilities

CVEs by Year

2025: 6 CVEs (all patched)

Severity Breakdown

High: 2
Medium: 4
Total: 6 CVEs

CVE-2025-49903 · medium · 5.3 · Missing Authorization
ZoloBlocks <= 2.3.11 - Missing Authorization
Nov 4, 2025 · Patched in 2.3.12 (1d)

CVE-2025-12134 · medium · 5.3 · Missing Authorization
ZoloBlocks <= 2.3.11 - Missing Authorization to Unauthenticated Popup Enable/Disable
Oct 23, 2025 · Patched in 2.3.12 (6d)

CVE-2025-9075 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns <= 2.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
Sep 30, 2025 · Patched in 2.3.11 (1d)

CVE-2025-60161 · high · 7.2 · Server-Side Request Forgery (SSRF)
ZoloBlocks <= 2.3.11 - Unauthenticated Server-Side Request Forgery
Sep 26, 2025 · Patched in 2.3.12 (19d)

CVE-2025-58230 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ZoloBlocks <= 2.3.12 - Authenticated (Contributor+) Stored Cross-Site Scripting
Sep 22, 2025 · Patched in 2.3.13 (30d)

CVE-2025-53210 · high · 7.5 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
ZoloBlocks <= 2.3.2 - Authenticated (Subscriber+) Local File Inclusion
Aug 7, 2025 · Patched in 2.3.3 (5d)
Code Analysis
Analyzed Mar 16, 2026

ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (7 prepared)
Unescaped Output: 12 (374 escaped)
Nonce Checks: 21
Capability Checks: 12
File Operations: 0
External Requests: 4
Bundled Libraries: 0

SQL Query Safety

100% prepared (7 total queries)

Output Escaping

97% escaped (386 total outputs)

Data Flows

2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths (the report names only one of them):

  • subscription (includes\Mailchimp\Mailchimp.php:42): user input reaches the sink without passing a sanitizer
Attack Surface
2 unprotected

ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns Attack Surface

Entry Points: 20 (12 AJAX handlers + 8 REST routes)
Unprotected: 2

AJAX Handlers (12)

Columns: registration (auth = wp_ajax_ only, logged-in users; nopriv = also wp_ajax_nopriv_, reachable without login) · hook · file:line

auth · wp_ajax_bdt_admin_api_biggopti_dismiss · includes\Admin\Biggopties.php:17
auth · wp_ajax_zolo_select2_search · includes\Classes\ZoloAJAX.php:32
auth · wp_ajax_zolo_post_category · includes\Classes\ZoloAJAX.php:33
auth · wp_ajax_zolo_author_ajax · includes\Classes\ZoloAJAX.php:34
auth · wp_ajax_zolo_comments_ajax · includes\Classes\ZoloAJAX.php:35
auth · wp_ajax_zolo_ajax_post_pagination · includes\Classes\ZoloAJAX.php:37
auth · wp_ajax_zolo_get_filter_terms · includes\Classes\ZoloAJAX.php:38
auth · wp_ajax_send_form_data · includes\Form\Form.php:33
nopriv · wp_ajax_send_form_data · includes\Form\Form.php:34
auth · wp_ajax_zolo_subscribe_newsletter · includes\Mailchimp\Mailchimp.php:28
nopriv · wp_ajax_zolo_subscribe_newsletter · includes\Mailchimp\Mailchimp.php:29
auth · wp_ajax_zolo_update_popup_status · includes\Popup\PopupBuilder.php:36

REST API Routes (8)

GET /wp-json/zolo/v1/blocks · includes\Admin\Settings.php:206
GET /wp-json/zolo/v1/favorites · includes\Admin\Settings.php:218
GET /wp-json/zolo/v1/extensions · includes\Admin\Settings.php:230
GET /wp-json/zolo/v1/meta-list · includes\API\GetPostMetaV1.php:23
POST /wp-json/zolo/v1posts · includes\API\GetPostsV1.php:29 (path as reported; register_rest_route() always joins namespace and route with a slash, so the live path is /wp-json/zolo/v1/posts)
GET /wp-json/zolo/v1zoloai · includes\API\ZoloAi.php:29 (path as reported; live path /wp-json/zolo/v1/zoloai for the same reason)
GET /wp-json/zolo/v1/blocks · includes\Helpers\Settings.php:38
GET /wp-json/zolo/v1/extensions · includes\Helpers\Settings.php:50

Note: /blocks and /extensions are registered twice, once from includes\Admin\Settings.php and once from includes\Helpers\Settings.php. Both registrations must carry an equivalent permission_callback, because which one serves a request is decided by WordPress, not by the file that happens to be read.
WordPress Hooks 95
action · admin_enqueue_scripts · includes\Admin\Assets.php:28
action · enqueue_block_editor_assets · includes\Admin\Assets.php:31
action · admin_enqueue_scripts · includes\Admin\Assets.php:32
filter · user_contactmethods · includes\Admin\Author.php:17
filter · rest_prepare_user · includes\Admin\Author.php:18
action · admin_enqueue_scripts · includes\Admin\Biggopties.php:19
action · admin_menu · includes\Admin\Dashboard.php:31
action · admin_init · includes\Admin\Dashboard.php:32
action · admin_init · includes\Admin\Dashboard.php:33
action · admin_enqueue_scripts · includes\Admin\Dashboard.php:34
action · category_add_form_fields · includes\Admin\PostCategoryImage.php:19
action · created_category · includes\Admin\PostCategoryImage.php:20
action · category_edit_form_fields · includes\Admin\PostCategoryImage.php:21
action · edited_category · includes\Admin\PostCategoryImage.php:22
action · admin_enqueue_scripts · includes\Admin\PostCategoryImage.php:23
action · admin_footer · includes\Admin\PostCategoryImage.php:24
filter · manage_edit-category_columns · includes\Admin\PostCategoryImage.php:26
filter · manage_category_custom_column · includes\Admin\PostCategoryImage.php:27
action · rest_api_init · includes\Admin\Settings.php:28
action · admin_init · includes\Admin\Settings.php:29
action · admin_init · includes\Admin\Settings.php:30
action · admin_init · includes\Admin\Settings.php:31
action · rest_api_init · includes\API\GetPostMetaV1.php:16
action · rest_api_init · includes\API\GetPostsV1.php:20
action · rest_api_init · includes\API\ZoloAi.php:22
filter · render_block_zolo/charts · includes\Blocks\ChartsBlock.php:31
filter · render_block_zolo/notice · includes\Blocks\NoticeBlock.php:29
filter · comment_form_fields · includes\Blocks\PostCommentsForm.php:38
filter · comment_form_default_fields · includes\Blocks\PostCommentsForm.php:39
action · comment_form_before_fields · includes\Blocks\PostCommentsForm.php:40
action · comment_form_after_fields · includes\Blocks\PostCommentsForm.php:41
filter · render_block_zolo/social-share · includes\Blocks\SocialShareBlock.php:31
action · wp_enqueue_scripts · includes\Classes\FontLoader.php:32
action · enqueue_block_assets · includes\Classes\FontLoader.php:33
action · zolo_block_render_block · includes\Classes\FontLoader.php:34
action · template_redirect · includes\Classes\Maintenance.php:21
action · admin_init · includes\Classes\Maintenance.php:25
filter · init · includes\Classes\PostMeta.php:31
filter · block_categories_all · includes\Classes\Registration.php:13
filter · init · includes\Classes\Registration.php:16
filter · the_content · includes\Classes\StyleGenerator.php:20
filter · render_block · includes\Classes\StyleGenerator.php:23
filter · render_block · includes\Classes\StyleGenerator.php:24
action · wp_head · includes\Classes\StyleGenerator.php:28
action · wp_footer · includes\Classes\StyleGenerator.php:30
filter · upload_mimes · includes\Classes\SupportSVG.php:24
filter · wp_prepare_attachment_for_js · includes\Classes\SupportSVG.php:25
filter · wp_generate_attachment_metadata · includes\Classes\SupportSVG.php:26
filter · wp_get_attachment_metadata · includes\Classes\SupportSVG.php:27
action · enqueue_block_editor_assets · includes\Classes\ZoloEnqueues.php:37
action · enqueue_block_assets · includes\Classes\ZoloEnqueues.php:40
filter · render_block · includes\Classes\ZoloEnqueues.php:43
action · enqueue_block_editor_assets · includes\Extensions\AI.php:21
action · enqueue_block_editor_assets · includes\Extensions\BackgroundVideo.php:19
action · init · includes\Extensions\ClassManager.php:22
action · enqueue_block_editor_assets · includes\Extensions\ClassManager.php:23
filter · render_block · includes\Extensions\ClassManager.php:24
filter · zolo_dynamic_styles · includes\Extensions\ClassManager.php:25
action · before_delete_post · includes\Extensions\ClassManager.php:26
action · enqueue_block_editor_assets · includes\Extensions\ExportPattern.php:21
action · enqueue_block_editor_assets · includes\Extensions\ImportPattern.php:21
action · init · includes\Extensions\Particles.php:21
action · enqueue_block_editor_assets · includes\Extensions\Particles.php:22
filter · render_block_data · includes\Extensions\Particles.php:24
filter · block_type_metadata · includes\Extensions\Particles.php:26
action · enqueue_block_editor_assets · includes\Extensions\ShapeDivider.php:21
action · enqueue_block_editor_assets · includes\Extensions\Transform.php:21
action · enqueue_block_assets · includes\Extensions\Transform.php:22
action · init · includes\Form\FormDataPostType.php:24
action · save_post · includes\Form\FormDataPostType.php:25
action · init · includes\Form\FormEntries.php:23
filter · post_row_actions · includes\Form\FormEntries.php:24
action · init · includes\Form\Hooks.php:22
filter · render_block · includes\Form\Recaptcha.php:26
action · wp_enqueue_scripts · includes\Form\Recaptcha.php:27
action · wp_head · includes\Form\Recaptcha.php:28
action · rest_api_init · includes\Helpers\Settings.php:28
action · admin_init · includes\Helpers\Settings.php:29
action · admin_init · includes\Helpers\Settings.php:30
filter · admin_body_class · includes\Helpers\ZoloHelpers.php:33
filter · body_class · includes\Helpers\ZoloHelpers.php:34
action · init · includes\Popup\PopupBuilder.php:31
action · init · includes\Popup\PopupBuilder.php:32
filter · manage_zolo-popup_posts_columns · includes\Popup\PopupBuilder.php:33
action · manage_zolo-popup_posts_custom_column · includes\Popup\PopupBuilder.php:34
filter · manage_edit-zolo-popup_sortable_columns · includes\Popup\PopupBuilder.php:35
action · admin_enqueue_scripts · includes\Popup\PopupBuilder.php:37
action · wp_head · includes\Popup\PopupBuilder.php:38
action · plugins_loaded · includes\zoloblocks-loader.php:51
action · init · includes\zoloblocks-loader.php:52
filter · upload_mimes · includes\zoloblocks-loader.php:53
filter · wp_check_filetype_and_ext · includes\zoloblocks-loader.php:54
action · admin_notices · zoloblocks.php:49
action · admin_notices · zoloblocks.php:51
action · admin_notices · zoloblocks.php:53
Maintenance & Trust

ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 10, 2026
PHP min version: 7.4
Downloads: 34K

Community Trust

Rating: 100/100
Number of ratings: 12
Active installs: 1K
Developer Profile

ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns Developer Profile

bdthemes

24 plugins · 251K total installs

Trust score: 93
Avg Security Score: 98/100
Avg Patch Time: 21 days
Detection Fingerprints

How We Detect ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling. Note that the asset paths below are the plugin's admin bundle (enqueued from includes\Admin\Assets.php on admin_enqueue_scripts), so they appear in wp-admin pages rather than on the public front end; an unauthenticated crawler will more often see the front-end block assets or the zoloBlocks JS global.

Asset Fingerprints

Asset Paths
/wp-content/plugins/zoloblocks/build/admin/index.js
/wp-content/plugins/zoloblocks/build/admin/style-index.css
/wp-content/plugins/zoloblocks/build/admin/index.css
Script Paths
/wp-content/plugins/zoloblocks/build/admin/index.js
Version Parameters
zoloblocks/build/admin/index.js?ver=
zoloblocks/build/admin/style-index.css?ver=
zoloblocks/build/admin/index.css?ver=

HTML / DOM Fingerprints

CSS Classes
zolo-admin-js
Data Attributes
data-zolo-setting
JS Globals
zoloBlocks
REST Endpoints
/wp-json/zolo/v1/settings
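The following is an added example written for this page, not part of the report and not the plugin's own code. It ties the Detection Fingerprints above to the Vulnerabilities list: given the HTML of a page that loads the admin bundle, it recovers the plugin version from the ?ver= parameter on the listed asset paths and reports which of the six CVEs on this page affect that version. The CVE table is copied from the Vulnerabilities section; the HTML input is a constructed sample, not a capture from a real site, and the example.test host is made up.

```php
<?php
/**
 * Added example, not ZoloBlocks code and not part of the scan report.
 * Detects the plugin from the admin asset fingerprint, extracts the version
 * and maps it to the CVEs listed on this page. Input below is constructed.
 */

// Affected-version ceilings and fixing releases, as listed on this page.
const ZOLO_CVES = [
    'CVE-2025-53210' => ['affected_upto' => '2.3.2',  'fixed' => '2.3.3',  'severity' => 'high'],
    'CVE-2025-9075'  => ['affected_upto' => '2.3.10', 'fixed' => '2.3.11', 'severity' => 'medium'],
    'CVE-2025-60161' => ['affected_upto' => '2.3.11', 'fixed' => '2.3.12', 'severity' => 'high'],
    'CVE-2025-12134' => ['affected_upto' => '2.3.11', 'fixed' => '2.3.12', 'severity' => 'medium'],
    'CVE-2025-49903' => ['affected_upto' => '2.3.11', 'fixed' => '2.3.12', 'severity' => 'medium'],
    'CVE-2025-58230' => ['affected_upto' => '2.3.12', 'fixed' => '2.3.13', 'severity' => 'medium'],
];

/**
 * Returns the version string from the first fingerprinted asset that carries
 * ?ver=, 'unknown' if the plugin path is present but no version is exposed,
 * or null if there is no trace of the plugin at all.
 */
function zolo_detect_version(string $html): ?string
{
    $assets  = 'index\.js|style-index\.css|index\.css';           // paths from the fingerprint list
    $pattern = '#/wp-content/plugins/zoloblocks/build/admin/(?:' . $assets . ')\?ver=([0-9]+(?:\.[0-9]+)+)#';
    if (preg_match($pattern, $html, $m)) {
        return $m[1];
    }
    if (strpos($html, '/wp-content/plugins/zoloblocks/') !== false) {
        return 'unknown';   // plugin present, version stripped (e.g. by a "remove ?ver" plugin)
    }
    return null;
}

/** CVE IDs (with their table rows) whose affected range includes $version. */
function zolo_affecting_cves(string $version): array
{
    $hits = [];
    foreach (ZOLO_CVES as $id => $info) {
        // version_compare() understands dotted versions, so 2.3.9 < 2.3.10 as intended.
        if (version_compare($version, $info['affected_upto'], '<=')) {
            $hits[$id] = $info;
        }
    }
    return $hits;
}

// Constructed sample: what a wp-admin page of a site running 2.3.11 would contain.
$sample_html = <<<'HTML'
<link rel="stylesheet" id="zolo-admin-css" href="https://example.test/wp-content/plugins/zoloblocks/build/admin/style-index.css?ver=2.3.11" media="all">
<script src="https://example.test/wp-content/plugins/zoloblocks/build/admin/index.js?ver=2.3.11" id="zolo-admin-js"></script>
HTML;

$version = zolo_detect_version($sample_html);
if ($version === null) {
    echo "ZoloBlocks not detected\n";
} elseif ($version === 'unknown') {
    echo "ZoloBlocks detected, version not exposed; fall back to readme.txt (Stable tag) or the zolo/v1 REST namespace\n";
} else {
    echo "ZoloBlocks {$version} detected\n";
    foreach (zolo_affecting_cves($version) as $id => $info) {
        printf("  %s (%s): affects <= %s, fixed in %s\n", $id, $info['severity'], $info['affected_upto'], $info['fixed']);
    }
}
// With the sample above this lists CVE-2025-60161, CVE-2025-12134, CVE-2025-49903
// and CVE-2025-58230, and omits CVE-2025-53210 and CVE-2025-9075 (fixed before 2.3.11).
```

Two caveats when using this on real sites. The ?ver= value is only the plugin version when the plugin passes its own version to wp_enqueue_script(); if it passes false, WordPress substitutes its own core version, so a value that looks like a WordPress release (6.9.4 on this page) should be treated as unknown rather than as a plugin version. And an affected-version match says the code is vulnerable, not that the site is exploitable: CVE-2025-53210 needs a subscriber account and both stored XSS CVEs need a contributor, so an installation with registration disabled has a different exposure from a community site on the same version.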
FAQ

Frequently Asked Questions about ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns