CMB2 Security & Risk Analysis

wordpress.org/plugins/cmb2

CMB2 is a metabox, custom fields, and forms library for WordPress that will blow your mind.

300K active installs · v2.11.0 · PHP 7.4+ · WP 3.8.0+ · Updated Apr 2, 2024

Tags: fields, forms, metaboxes, options, settings

Score: 90 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 3, 2024
Is CMB2 Safe to Use in 2026?

Generally Safe

Score 90/100

CMB2 has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Apr 3, 2024 · Updated 2yr ago
Risk Assessment

CMB2 v2.11.0 exhibits a generally good security posture. Its strengths include the absence of identified REST API routes, shortcodes, and cron events, which keeps the attack surface very small; SQL query handling that uses prepared statements for 100% of queries; the presence of nonce and capability checks; and, importantly, no external HTTP requests or file operations, which removes several common attack vectors. One concern remains: the plugin calls `unserialize`, and although taint analysis did not flag the call in this version, `unserialize` is a well-known entry point for deserialization (PHP object injection) vulnerabilities. The plugin's one historical CVE was itself a deserialization-of-untrusted-data issue; it is now patched, which is a positive sign. The moderate output escaping rate (73%) is a weakness that could lead to XSS if user-supplied data reaches output without proper escaping. Overall, CMB2 v2.11.0 is a relatively secure plugin, but the `unserialize` call deserves attention and all output should be properly escaped.

Key Concerns

  • Potential unserialize risk identified
  • Moderate output escaping (73%)
CMB2 Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched)

Severity Breakdown

High: 1 (1 total CVE)

CVE-2024-1792 · High · 7.5 · Deserialization of Untrusted Data

CMB2 <= 2.10.1 - Authenticated (Contributor+) PHP Object Injection

Apr 3, 2024 · Patched in 2.11.0 (7d)

CMB2 Code Analysis

Analyzed Mar 16, 2026

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 49 (134 escaped)
  • Nonce Checks: 3
  • Capability Checks: 6
  • File Operations: 0
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · includes\CMB2_Utils.php:571

    $datetime = @unserialize( trim( $date_value ), array( 'allowed_classes' => array( 'DateTime' ) ) );

Output Escaping

73% escaped (183 total outputs)

CMB2 Attack Surface

Entry Points: 2 · Unprotected: 0

AJAX Handlers (2)

  • auth · wp_ajax_cmb2_oembed_handler · includes\CMB2_Ajax.php:51
  • nopriv · wp_ajax_cmb2_oembed_handler · includes\CMB2_Ajax.php:52

WordPress Hooks (46)
  • action · cmb2_admin_init · example-functions.php:105
  • action · cmb2_admin_init · example-functions.php:470
  • action · cmb2_admin_init · example-functions.php:500
  • action · cmb2_admin_init · example-functions.php:564
  • action · cmb2_admin_init · example-functions.php:633
  • action · cmb2_admin_init · example-functions.php:674
  • action · cmb2_init · example-functions.php:777
  • action · cmb2_save_options-page_fields · includes\CMB2_Ajax.php:54
  • filter · get_post_metadata · includes\CMB2_Ajax.php:147
  • filter · update_post_metadata · includes\CMB2_Ajax.php:150
  • filter · cmb2_show_on · includes\CMB2_Hookup.php:79
  • action · edit_form_top · includes\CMB2_Hookup.php:118
  • action · edit_form_before_permalink · includes\CMB2_Hookup.php:122
  • action · edit_form_after_title · includes\CMB2_Hookup.php:126
  • action · edit_form_after_editor · includes\CMB2_Hookup.php:130
  • action · add_meta_boxes · includes\CMB2_Hookup.php:134
  • action · add_meta_boxes · includes\CMB2_Hookup.php:137
  • action · add_attachment · includes\CMB2_Hookup.php:138
  • action · edit_attachment · includes\CMB2_Hookup.php:139
  • action · save_post · includes\CMB2_Hookup.php:140
  • action · pre_get_posts · includes\CMB2_Hookup.php:147
  • action · add_meta_boxes_comment · includes\CMB2_Hookup.php:155
  • action · edit_comment · includes\CMB2_Hookup.php:156
  • filter · manage_edit-comments_columns · includes\CMB2_Hookup.php:159
  • action · manage_comments_custom_column · includes\CMB2_Hookup.php:160
  • filter · manage_edit-comments_sortable_columns · includes\CMB2_Hookup.php:161
  • action · pre_get_posts · includes\CMB2_Hookup.php:162
  • action · show_user_profile · includes\CMB2_Hookup.php:171
  • action · edit_user_profile · includes\CMB2_Hookup.php:172
  • action · user_new_form · includes\CMB2_Hookup.php:173
  • action · personal_options_update · includes\CMB2_Hookup.php:175
  • action · edit_user_profile_update · includes\CMB2_Hookup.php:176
  • action · user_register · includes\CMB2_Hookup.php:177
  • filter · manage_users_columns · includes\CMB2_Hookup.php:180
  • filter · manage_users_custom_column · includes\CMB2_Hookup.php:181
  • filter · manage_users_sortable_columns · includes\CMB2_Hookup.php:182
  • action · pre_get_posts · includes\CMB2_Hookup.php:183
  • action · pre_get_posts · includes\CMB2_Hookup.php:229
  • action · created_term · includes\CMB2_Hookup.php:233
  • action · edited_terms · includes\CMB2_Hookup.php:234
  • action · delete_term · includes\CMB2_Hookup.php:235
  • filter · wp_prepare_attachment_for_js · includes\CMB2_Hookup_Field.php:54
  • action · admin_enqueue_scripts · includes\CMB2_Hookup_Field.php:71
  • action · cmb2_do_oembed · includes\helper-functions.php:131
  • filter · is_protected_meta · includes\rest-api\CMB2_REST.php:144
  • action · init · init.php:131
CMB2 Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.4.8
  • Last updated: Apr 2, 2024
  • PHP min version: 7.4
  • Downloads: 5.0M

Community Trust

  • Rating: 100/100
  • Number of ratings: 91
  • Active installs: 300K

CMB2 Developer Profile

Justin Sternberg

8 plugins · 301K total installs

  • Trust score: 90
  • Avg Security Score: 86/100
  • Avg Patch Time: 7 days
How We Detect CMB2

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/cmb2/assets/css/cmb2-icon-fonts.css
  • /wp-content/plugins/cmb2/assets/css/frontend.css
  • /wp-content/plugins/cmb2/assets/css/media-uploader.css
  • /wp-content/plugins/cmb2/assets/css/wysiwyg.css
  • /wp-content/plugins/cmb2/assets/js/cmb2.min.js
  • /wp-content/plugins/cmb2/assets/js/codemirror/lib/codemirror.js
  • /wp-content/plugins/cmb2/assets/js/codemirror/mode/css/css.js
  • /wp-content/plugins/cmb2/assets/js/codemirror/mode/htmlmixed/htmlmixed.js
  • +7 more

Script Paths
  • cmb2.min.js
  • codemirror/lib/codemirror.js
  • codemirror/mode/css/css.js
  • codemirror/mode/htmlmixed/htmlmixed.js
  • codemirror/mode/javascript/javascript.js
  • codemirror/mode/php/php.js
  • +5 more

Version Parameters
  • cmb2/assets/css/cmb2-icon-fonts.css?ver=
  • cmb2/assets/css/frontend.css?ver=
  • cmb2/assets/css/media-uploader.css?ver=
  • cmb2/assets/css/wysiwyg.css?ver=
  • cmb2/assets/js/cmb2.min.js?ver=
  • cmb2/assets/js/codemirror/lib/codemirror.js?ver=
  • cmb2/assets/js/codemirror/mode/css/css.js?ver=
  • cmb2/assets/js/codemirror/mode/htmlmixed/htmlmixed.js?ver=
  • cmb2/assets/js/codemirror/mode/javascript/javascript.js?ver=
  • cmb2/assets/js/codemirror/mode/php/php.js?ver=
  • cmb2/assets/js/codemirror/mode/xml/xml.js?ver=
  • cmb2/assets/js/codemirror/mode/yaml/yaml.js?ver=
  • cmb2/assets/js/date-time-picker.js?ver=
  • cmb2/assets/js/media-uploader.js?ver=
  • cmb2/assets/js/wysiwyg.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • cmb2-wrap
  • cmb2-metabox
  • cmb2-title
  • cmb2-description
  • cmb2-table
  • cmb2-row
  • cmb2-field
  • cmb2-label
  • +66 more

HTML Comments
  • <!-- START: CMB2 Metabox -->
  • <!-- END: CMB2 Metabox -->
  • <!-- START: CMB2 Field -->
  • <!-- END: CMB2 Field -->
  • +4 more

Data Attributes
  • data-id
  • data-field-id
  • data-group-id
  • data-row-id
  • data-repeatable
  • data-field-type
  • +4 more

JS Globals
  • CMB2

REST Endpoints
  • /wp-json/cmb2/v1/fields

Frequently Asked Questions about CMB2