Betta Boxes CMS Security & Risk Analysis

wordpress.org/plugins/betta-boxes-cms

Create custom fields linked to posts, pages, or any custom post type with a point-and-click user interface.

20 active installs · v1.1.5 · PHP + WP 3.0+ · Updated Apr 8, 2013
Tags: boxes, custom, custom-fields, fields, meta
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Betta Boxes CMS Safe to Use in 2026?

Generally Safe

Score 85/100

Betta Boxes CMS has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 13yr ago
Risk Assessment

The "betta-boxes-cms" v1.1.5 plugin presents a mixed security picture. On the positive side, it has a remarkably small attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events. Furthermore, there is no known vulnerability history, which is a strong indicator of past security diligence.

However, the static analysis reveals significant concerns within the code itself. The presence of six instances of the `unserialize` function is a major red flag, as it is notoriously difficult to use securely and can lead to Remote Code Execution vulnerabilities if not handled with extreme care and strict input validation. The low percentage of SQL queries using prepared statements (33%) and the very low rate of properly escaped output (7%) are also deeply concerning, suggesting potential SQL injection and Cross-Site Scripting (XSS) vulnerabilities respectively.

The taint analysis showing all five analyzed flows with unsanitized paths further amplifies these concerns, even without a critical or high severity rating, as it indicates data is not being handled securely. The lack of any capability checks or nonce checks is also a weakness, especially given the use of `unserialize`.

Key Concerns

  • Dangerous function: unserialize used
  • Low percentage of prepared statements
  • Very low rate of output escaping
  • Taint flows with unsanitized paths found
  • No nonce checks
  • No capability checks
Vulnerabilities
None known

Betta Boxes CMS Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Betta Boxes CMS Release Timeline

v1.1.5 (Current)
v1.1.4
v1.1.3
v1.1.2
v1.1.1
v1.1
v1.0.2
v1.0.1
Code Analysis
Analyzed Mar 16, 2026

Betta Boxes CMS Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 8 (4 prepared)
Unescaped Output: 62 (5 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · betta-boxes.php:844 · `if(($extra = unserialize($val['extra'])) !== false) {`
  • unserialize · types\scfui_checkboxes\scfui_checkboxes.php:15 · `$extra = unserialize($field['extra']);`
  • unserialize · types\scfui_drop_down\scfui_drop_down.php:14 · `$extra = unserialize($field['extra']);`
  • unserialize · types\scfui_html_text\scfui_html_text.php:24 · `$extra = unserialize($field['extra']);`
  • unserialize · types\scfui_html_text\scfui_html_text.php:32 · `$extra = unserialize($field['extra']);`
  • unserialize · types\scfui_radio_buttons\scfui_radio_buttons.php:14 · `$extra = unserialize($field['extra']);`

SQL Query Safety

33% prepared · 12 total queries

Output Escaping

7% escaped · 67 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

5 flows · 5 with unsanitized paths
adminListBoxes (betta-boxes.php:593)
Attack Surface

Betta Boxes CMS Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 4
  • action · admin_init · betta-boxes.php:22
  • action · admin_menu · betta-boxes.php:23
  • action · save_post · betta-boxes.php:542
  • filter · tiny_mce_before_init · types\scfui_html_text\scfui_html_text.php:9
Maintenance & Trust

Betta Boxes CMS Maintenance & Trust

Maintenance Signals

WordPress version tested: 3.5.2
Last updated: Apr 8, 2013
PHP min version
Downloads: 8K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 20
Developer Profile

Betta Boxes CMS Developer Profile

shauno

3 plugins · 1K total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Betta Boxes CMS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/betta-boxes-cms/css/admin.css
  • /wp-content/plugins/betta-boxes-cms/css/style.css
  • /wp-content/plugins/betta-boxes-cms/js/admin.js
  • /wp-content/plugins/betta-boxes-cms/js/frontend.js
Script Paths
  • /wp-content/plugins/betta-boxes-cms/js/admin.js
  • /wp-content/plugins/betta-boxes-cms/js/frontend.js
Version Parameters
  • betta-boxes-cms/css/admin.css?ver=
  • betta-boxes-cms/css/style.css?ver=
  • betta-boxes-cms/js/admin.js?ver=
  • betta-boxes-cms/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
betta-boxes-cms
Data Attributes
data-betta-boxes-cms-plugin-url
JS Globals
bettaBoxesCMSAdmin