CSS & JavaScript Toolbox Security & Risk Analysis

wordpress.org/plugins/css-javascript-toolbox

Add CSS, JavaScript, PHP and HTML code snippets to your site. For AI-powered snippets, get our free plugin here: wpsnippets.ai

10K active installs · v12.0.6 · PHP 7.4.0+ · WP 5.0+ · Updated Oct 28, 2025
Tags: code, javascript, php, scripts, snippets
Score: 93 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Oct 31, 2025
Safety Verdict

Is CSS & JavaScript Toolbox Safe to Use in 2026?

Generally Safe

Score 93/100

CSS & JavaScript Toolbox has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Oct 31, 2025 · Updated 5mo ago
Risk Assessment

The 'css-javascript-toolbox' plugin v12.0.6 exhibits a concerning security posture, primarily due to a significant number of unprotected AJAX handlers. While the plugin demonstrates good practices in its SQL query handling by exclusively using prepared statements, the 8 AJAX handlers without authentication checks represent a substantial attack surface. This could allow unauthenticated users to trigger potentially dangerous actions within the plugin.

Taint analysis reveals two high-severity flows with unsanitized paths, indicating a risk of malicious input being used to navigate file systems or execute code. The high percentage of unsanitized paths in the analyzed flows (100%) further exacerbates this concern. Additionally, the plugin only properly escapes 32% of its outputs, suggesting a risk of Cross-Site Scripting (XSS) vulnerabilities.

The plugin's vulnerability history, with 4 known CVEs including high and medium severity issues like XSS and PHP Remote File Inclusion, reinforces these concerns. Although there are currently no unpatched vulnerabilities, the recurring pattern of critical and high-severity flaws suggests a history of security weaknesses that have required remediation. The presence of a critical function like `create_function` also raises a red flag. Overall, while the plugin has some security strengths, the numerous unprotected entry points and past vulnerability patterns warrant significant caution.

Key Concerns

  • 8 unprotected AJAX handlers
  • 2 high severity taint flows with unsanitized paths
  • 32% proper output escaping
  • 1 high severity known CVE
  • 3 medium severity known CVEs
  • Dangerous function: create_function
  • Only 1 nonce check
  • Only 1 capability check
  • 100% of flows with unsanitized paths
Vulnerabilities
4

CSS & JavaScript Toolbox Security Vulnerabilities

CVEs by Year

  • 1 CVE in 2018
  • 1 CVE in 2023
  • 2 CVEs in 2025

Severity Breakdown

High: 1
Medium: 3

4 total CVEs

CVE-2025-11928 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CSS & JavaScript Toolbox <= 12.0.5 - Authenticated (Admin+) Stored Cross-Site Scripting
Oct 31, 2025 · Patched in 12.0.6 (1d)

CVE-2025-3703 · high · 7.5 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CSS & JavaScript Toolbox < 12.0.3 - Authenticated (Subscriber+) Local File Inclusion
Jul 22, 2025 · Patched in 12.0.3 (7d)

CVE-2023-50823 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CSS & JavaScript Toolbox <= 11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via shortcode
Dec 19, 2023 · Patched in 11.9 (36d)

WF-868b7492-c550-4c06-adb0-3478eb7d9b55-css-javascript-toolbox · medium · 5.8 · Exposure of Sensitive Information to an Unauthorized Actor
CSS & JavaScript Toolbox <= 8.4.1 - Information Exposure
Dec 8, 2018 · Patched in 8.4.2 (1872d)

Code Analysis
Analyzed Mar 16, 2026

CSS & JavaScript Toolbox Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (12 prepared)
  • Unescaped Output: 52 (25 escaped)
  • Nonce Checks: 1
  • Capability Checks: 1
  • File Operations: 17
  • External Requests: 4
  • Bundled Libraries: 1

Dangerous Functions Found

`create_function` · `add_action( 'admin_notices', create_function( '', $importHTMLFileCode ) );` · css-js-toolbox.php:248

Bundled Libraries

TinyMCE

SQL Query Safety

100% prepared · 12 total queries

Output Escaping

32% escaped · 77 total outputs
Data Flows
8 unsanitized

Data Flow Analysis

8 flows · 8 with unsanitized paths
loadUrlAction (controllers\block.php:193)
Attack Surface
8 unprotected

CSS & JavaScript Toolbox Attack Surface

Entry Points: 9
Unprotected: 8

AJAX Handlers 8

  • auth · wp_ajax_cjtoolbox_get_info_view · controllers\block-ajax.php:30
  • auth · wp_ajax_cjtoolbox_set_property · controllers\block-ajax.php:31
  • auth · wp_ajax_cjtoolbox_get_revision · controllers\block-ajax.php:32
  • auth · wp_ajax_cjtoolbox_get_revisions · controllers\block-ajax.php:33
  • auth · wp_ajax_cjtoolbox_create · controllers\blocks-backups.php:36
  • auth · wp_ajax_cjtoolbox_delete · controllers\blocks-backups.php:37
  • auth · wp_ajax_cjtoolbox_list · controllers\blocks-backups.php:38
  • auth · wp_ajax_cjtoolbox_restore · controllers\blocks-backups.php:39

Shortcodes 1

  • [cjtoolbox] · controllers\blocks-coupling.php:278

WordPress Hooks 39

  • action · admin_init · access.points\autoupgrade.accesspoint.php:38
  • action · wp_dashboard_setup · access.points\dashboardmetabox.accesspoint.php:40
  • action · admin_notices · access.points\installer.accesspoint.php:38
  • action · plugins_loaded · access.points\main.accesspoint.php:50
  • action · admin_menu · access.points\manage.accesspoint.php:33
  • action · add_meta_boxes · access.points\metabox.accesspoint.php:33
  • action · admin_menu · access.points\packages.accesspoint.php:33
  • action · admin_init · controllers\blocks-coupling.php:274
  • action · admin_notices · css-js-toolbox.php:248
  • action · admin_notices · css-js-toolbox.php:386
  • action · upgrader_process_complete · css-js-toolbox.php:389
  • action · admin_notices · framework\CJTStoreUpdate.class.php:130
  • filter · pre_set_site_transient_update_plugins · framework\CJTStoreUpdate.class.php:164
  • filter · plugins_api · framework\CJTStoreUpdate.class.php:166
  • action · admin_notices · framework\extensions\extensions.class.php:384
  • action · init · framework\extensions\package\extension.php:146
  • action · admin_init · framework\ServicesFW\Ajax.Service.class.php:139
  • action · admin_print_styles · framework\ServicesFW\View.class.php:64
  • action · admin_print_scripts · framework\ServicesFW\View.class.php:65
  • action · admin_footer · includes\html\incompatible_cjtplus_version.html.php:8
  • action · admin_print_styles · views\blocks\block\view.php:66
  • action · admin_print_scripts · views\blocks\block\view.php:67
  • action · admin_print_scripts · views\blocks\cjt-block\view.php:56
  • action · admin_print_styles · views\blocks\cjt-block\view.php:57
  • action · admin_print_scripts · views\blocks\create-metabox\view.php:43
  • action · admin_print_styles · views\blocks\create-metabox\view.php:44
  • action · admin_print_styles · views\blocks\manager\view.php:78
  • action · admin_print_scripts · views\blocks\manager\view.php:80
  • filter · get_user_option_meta-box-order_cjtoolbox · views\blocks\manager\view.php:83
  • action · admin_print_scripts · views\blocks\metabox\view.php:53
  • action · admin_print_styles · views\blocks\metabox\view.php:54
  • action · admin_print_styles · views\extensions\plugins-list\view.php:45
  • action · admin_print_scripts · views\extensions\plugins-list\view.php:46
  • filter · parent_file · views\extensions\plugins-list\view.php:109
  • action · admin_footer · views\extensions\plugins-list\view.php:112
  • filter · plugin_action_links · views\extensions\plugins-list\view.php:114
  • action · admin_print_styles · views\packages\manager\view.php:52
  • action · admin_print_scripts · views\packages\manager\view.php:54
  • action · admin_print_scripts · views\setup\setup\view.php:38

Maintenance & Trust

CSS & JavaScript Toolbox Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 28, 2025
PHP min version: 7.4.0
Downloads: 536K

Community Trust

Rating: 94/100
Number of ratings: 85
Active installs: 10K

Developer Profile

CSS & JavaScript Toolbox Developer Profile

wipeoutmedia

1 plugin · 10K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 479 days
Detection Fingerprints

How We Detect CSS & JavaScript Toolbox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/css-javascript-toolbox/framework/events/definition.class.php
  • /wp-content/plugins/css-javascript-toolbox/framework/events/events.class.php
  • /wp-content/plugins/css-javascript-toolbox/framework/events/hookable.class.php
  • /wp-content/plugins/css-javascript-toolbox/framework/events/hookable.interface.php
  • /wp-content/plugins/css-javascript-toolbox/framework/events/wordpress.class.php
  • /wp-content/plugins/css-javascript-toolbox/framework/php/includes.class.php
  • /wp-content/plugins/css-javascript-toolbox/autoload.inc.php
  • /wp-content/plugins/css-javascript-toolbox/access.points/main.accesspoint.php
  • +6 more

HTML / DOM Fingerprints

JS Globals
  • CJTOOLBOX_PLUGIN_BASE
  • CJTOOLBOX_PLUGIN_FILE
  • CJTOOLBOX_NAME
  • CJTOOLBOX_TEXT_DOMAIN
  • CJTOOLBOX_LANGUAGES
  • CJTOOLBOX_PATH
  • +7 more