Advanced Custom Field Widget Security & Risk Analysis
wordpress.org/plugins/advanced-custom-field-widgetThe Advanced Custom Field Widget is an extension of the Custom Field Widget by Scott Wallick, and displays values of custom field keys.
Is Advanced Custom Field Widget Safe to Use in 2026?
Generally Safe
Score 85/100Advanced Custom Field Widget has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "advanced-custom-field-widget" plugin, version 0.992, exhibits a generally strong security posture based on the provided static analysis and vulnerability history. The absence of known CVEs and the plugin's recent history of not having recorded vulnerabilities suggest a commitment to security by the developers. The analysis indicates a limited attack surface with only one shortcode entry point, and critically, no unprotected entry points were identified. The plugin also demonstrates good practices by using prepared statements for half of its SQL queries and performing capability checks. However, a significant concern lies in the low percentage of properly escaped output (13%), indicating a high potential for cross-site scripting (XSS) vulnerabilities, especially if user-supplied data is directly reflected in the output without sufficient sanitization. The lack of any detected taint flows is positive, but the low output escaping rate overshadows this, suggesting the potential for vulnerabilities exists even if not detected by the current taint analysis methods. The complete absence of nonce checks is also a weakness, as it leaves the shortcode vulnerable to cross-site request forgery (CSRF) attacks.
Key Concerns
- Low output escaping rate (13%)
- No nonce checks
- 50% of SQL queries not prepared
Advanced Custom Field Widget Security Vulnerabilities
Advanced Custom Field Widget Code Analysis
SQL Query Safety
Output Escaping
Advanced Custom Field Widget Attack Surface
Shortcodes 1
WordPress Hooks 4
Maintenance & Trust
Advanced Custom Field Widget Maintenance & Trust
Maintenance Signals
Community Trust
Advanced Custom Field Widget Alternatives
Custom Field Widget
custom-field-widget
The Custom Field Widget displays values of custom field keys, allowing post- and page-specific meta sidebar content with limitless applications.
Zen Custom Fields
zen-custom-fields
Easy to implement and use custom fields for WordPress templates.
Display Custom Fields
display-custom-fields
This plugin allows you to display the value of a custom field on a page or post. Permitted values are raw text, html, javascript, javascript file url, …
Advanced Custom Fields (ACF®)
advanced-custom-fields
ACF helps customize WordPress with powerful, professional and intuitive fields. Proudly powering over 2 million sites, WordPress developers love ACF.
Meta Box
meta-box
Meta Box plugin is a powerful, professional developer toolkit to create custom meta boxes and custom fields for your custom post types in WordPress.
Advanced Custom Field Widget Developer Profile
3 plugins · 120 total installs
How We Detect Advanced Custom Field Widget
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/advanced-custom-field-widget/style.css/wp-content/plugins/advanced-custom-field-widget/adv-custom-field-widget.js/wp-content/plugins/advanced-custom-field-widget/adv-custom-field-widget.jsadvanced-custom-field-widget/style.css?ver=advanced-custom-field-widget.js?ver=HTML / DOM Fingerprints
widget-adv-custom-fieldADVANCED CUSTOM FIELD WIDGET
by Christina Louise Warne (aka AthenaOfDelphi), http://athena.outer-reaches.com/
from The Outer Reaches, http://www.outer-reaches.com/
Based on the original CUSTOM FIELD WIDGET, by SCOTT ALLAN WALLICK, http://scottwallick.com/
from PLAINTXT.ORG, http://www.plaintxt.org/.
ADVANCED CUSTOM FIELD WIDGET is free software: you can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation, either version 3 of
the License, or (at your option) any later version.
ADVANCED CUSTOM FIELD WIDGET is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for details.
You should have received a copy of the GNU General Public License
along with ADVANCED CUSTOM FIELD WIDGET.
If not, see www.gnu.org/licenses/widget-adv-custom-fieldacfw_widget_obj