Custom Background Changer Security & Risk Analysis

wordpress.org/plugins/custom-background-changer

The Custom Background Changer plugin allows you to easily add a custom color or background image to each post and page.

1K active installs · v3.0 · PHP + · WP 3.5+ · Updated Mar 26, 2018
background-changer, bg-chnage, custom-background, custom-background-changer, post-backgraound
63
C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Dec 31, 2025
Safety Verdict

Is Custom Background Changer Safe to Use in 2026?

Use With Caution

Score 63/100

Custom Background Changer has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Dec 31, 2025 · Updated 8yr ago
Risk Assessment

The custom-background-changer plugin v3.0 exhibits a mixed security posture. Static analysis reveals a very small attack surface with no identified entry points lacking authentication, which is a positive sign. The code also demonstrates good practices in utilizing prepared statements for SQL queries and performing nonce checks. However, a significant concern arises from the output escaping, where a notable percentage (21%) of outputs are not properly escaped, potentially leaving the plugin vulnerable to Cross-Site Scripting (XSS) attacks. Taint analysis yielded no critical or high severity flows, which is encouraging.

The vulnerability history is a major red flag. The plugin has one known CVE, which is currently unpatched and categorized as medium severity, specifically related to Cross-Site Scripting. This indicates a recurring or unaddressed security flaw. While the current code analysis doesn't highlight a direct path for this specific XSS, the historical vulnerability and the unescaped outputs suggest a weakness that could be exploited. The late date of the last vulnerability (2025-12-31) might be a placeholder or indicate a future discovery, but the existence of an unpatched medium CVE is a present risk.

In conclusion, while the plugin has some good security foundations, the unpatched medium severity XSS vulnerability and the unescaped outputs present a clear and present danger. The lack of critical findings in static and taint analysis is positive, but the historical context and the identified output escaping issue necessitate caution. The plugin should be updated or remediated to address the known vulnerability.

Key Concerns

  • Unpatched medium severity CVE
  • Significant unescaped output percentage
Vulnerabilities
1

Custom Background Changer Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-62125 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom Background Changer <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 31, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

Custom Background Changer Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 3 (11 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

79% escaped · 14 total outputs
Attack Surface

Custom Background Changer Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 5

  • action · admin_enqueue_scripts · custom-background-changer.php:41
  • action · add_meta_boxes · custom-background-changer.php:63
  • action · save_post · custom-background-changer.php:166
  • filter · body_class · custom-background-changer.php:213
  • action · wp_head · custom-background-changer.php:224
Maintenance & Trust

Custom Background Changer Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: Mar 26, 2018
PHP min version
Downloads: 46K

Community Trust

Rating: 98/100
Number of ratings: 7
Active installs: 1K
Developer Profile

Custom Background Changer Developer Profile

Anshul Gangrade

4 plugins · 1K total installs

Trust score: 82
Avg Security Score: 83/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Custom Background Changer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/custom-background-changer/assets/css/cbc-metabox.css
/wp-content/plugins/custom-background-changer/assets/js/cbc-metabox.js
Script Paths
/wp-content/plugins/custom-background-changer/assets/js/cbc-metabox.js

HTML / DOM Fingerprints

CSS Classes
cbc-info, cbc-field-wrap, cbc-row-title, cbc-row-content, cbc-bgcolor, cbc-bgimage, cbc-bg-attach, cbc-bgrepeat (+1 more)
HTML Comments
Copyright 2012 Anshul Labs (email : hello@anshullabs.xyz)
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, version 2, as published by the Free Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
(+3 more)
Data Attributes
name="cbc-bgoption", id="cbc-bg-option-one", id="cbc-bg-option-two", name="cbc-bgcolor", class="cbc-bgcolor", name="cbc-bgimage" (+11 more)
JS Globals
meta_image
FAQ

Frequently Asked Questions about Custom Background Changer