Does Custom CSS, JS & PHP have any unpatched vulnerabilities?

No. All known vulnerabilities in Custom CSS, JS & PHP have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Custom CSS, JS & PHP compatible with WordPress 6.8.5?

According to WordPress.org data, Custom CSS, JS & PHP 2.4.3 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

How often is Custom CSS, JS & PHP updated?

Custom CSS, JS & PHP was last updated on Sep 8, 2025. Frequent updates are generally a positive security signal.

What is Custom CSS, JS & PHP's security score?

Custom CSS, JS & PHP has a WP-Safety security score of 97/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Custom CSS, JS & PHP Security & Risk Analysis

wordpress.org/plugins/custom-css

Just another custom CSS, JavaScript & PHP tool for WordPress.

400 active installs v2.4.3 PHP + WP 4.4+ Updated Sep 8, 2025

cssjavascriptjsphp

A · Safe

CVEs total2

Unpatched0

Last CVEApr 16, 2025

Plugin page Download

Safety Verdict

Is Custom CSS, JS & PHP Safe to Use in 2026?

Generally Safe

Score 97/100

Custom CSS, JS & PHP has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Apr 16, 2025Updated 6mo ago

Risk Assessment

The 'custom-css' plugin v2.4.3 exhibits a generally positive security posture with several good practices in place. The absence of AJAX handlers and REST API routes, along with a single shortcode entry point, indicates a limited attack surface. Notably, all SQL queries are prepared, and there are no identified critical or high-severity taint flows. The presence of nonce and capability checks, though limited, further contribute to its security. However, a significant concern arises from the plugin's vulnerability history, which includes two known CVEs, with a past high-severity vulnerability and a medium-severity one. The common types of past vulnerabilities, Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), coupled with the fact that the last vulnerability was dated in the future, suggests a pattern of past security weaknesses. While the current version has no unpatched vulnerabilities and appears to have addressed past issues, this history warrants caution and highlights the importance of continued vigilance and timely updates.

Key Concerns

Vulnerability history shows past high/medium severity issues
Some output escaping is not properly implemented
Vulnerabilities common: CSRF and XSS

Vulnerabilities

Custom CSS, JS & PHP Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

High

Medium

2 total CVEs

CVE-2025-39601high · 8.8Cross-Site Request Forgery (CSRF)

Custom CSS, JS & PHP <= 2.4.1 - Cross-Site Request Forgery to Remote Code Exectuiron

Apr 16, 2025 Patched in 2.4.2 (6d)

CVE-2024-11330medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom CSS, JS & PHP <= 2.3.0 - Reflected Cross-Site Scripting

Nov 22, 2024 Patched in 2.4.0 (1d)

Code Analysis

Analyzed Mar 16, 2026

Custom CSS, JS & PHP Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

10 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

67% escaped15 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

save_options (includes\settings\class-alg-custom-css-js-php-settings.php:142)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Custom CSS, JS & PHP Attack Surface

Entry Points1

Unprotected0

Shortcodes 1

[alg_custom_php] includes\class-alg-custom-css-js-php-core.php:52

WordPress Hooks 6

actionplugins_loadedcustom-css.php:49

actioninitincludes\class-alg-custom-css-js-php.php:68

actionadmin_initincludes\class-alg-custom-css-js-php.php:82

actionadmin_initincludes\settings\class-alg-custom-css-js-php-settings.php:28

actionadmin_menuincludes\settings\class-alg-custom-css-js-php-settings.php:29

actionadmin_enqueue_scriptsincludes\settings\class-alg-custom-css-js-php-settings.php:30

Maintenance & Trust

Custom CSS, JS & PHP Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedSep 8, 2025

PHP min version

Downloads10K

Community Trust

Rating100/100

Number of ratings3

Active installs400

Alternatives

Custom CSS, JS & PHP Alternatives

Better WordPress Minify

bwp-minify

Allows you to combine and minify your CSS and JS files to improve page load time.

8K No CVEs

WP Minify Fix

wp-minify-fix

[Fixed] This plugin uses the Minify engine to combine and compress JS and CSS files to improve page load time.

1K No CVEs

Insert Code by Angie Makes

wpc-insert-code

Easily insert HTML, Javascript, CSS, into the head and footer areas of your site.

900 No CVEs

Custom CSS/JS

wp-custom-cssjs

WP Custom CSS JS plugin allows you to add any HTML, CSS, Javascript, jQuery or Tracking Pixel easily on your wordpress site right from your dashboard.

800 No CVEs

Code Manager

code-manager

100

Write, test and deploy PHP, JavaScript, CSS and HTML code blocks from the WordPress dashboard.

500 No CVEs

Developer Profile

Custom CSS, JS & PHP Developer Profile

WPFactory

63 plugins · 136K total installs

trust score

Avg Security Score

97/100

Avg Patch Time

98 days

View full developer profile

Detection Fingerprints

How We Detect Custom CSS, JS & PHP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

Shortcode Output

[alg_custom_php]

FAQ