Custom CSS and JavaScript Security & Risk Analysis

wordpress.org/plugins/custom-css-and-javascript

Easily add custom CSS and JavaScript code to your WordPress site, with draft previewing, revisions, and minification!

10K active installs · v2.0.16 · PHP + · WP 3.5+ · Updated Aug 12, 2024
custom-css, custom-javascript, javascript, styles, stylesheet
92
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Custom CSS and JavaScript Safe to Use in 2026?

Generally Safe

Score 92/100

Custom CSS and JavaScript has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The "custom-css-and-javascript" plugin version 2.0.16 exhibits a generally good security posture with several positive indicators. The absence of known CVEs and a clean vulnerability history, combined with the use of prepared statements for all SQL queries and robust output escaping in most instances, suggests a commitment to secure coding practices. The plugin also implements a healthy number of nonce and capability checks, further strengthening its defenses. However, a significant concern arises from the presence of one AJAX handler that lacks authentication checks. This unprotected entry point presents a clear attack vector that could be exploited to perform unauthorized actions, even if the overall attack surface is relatively small. While the taint analysis shows no critical or high severity unsanitized flows, the unprotected AJAX handler remains a notable weakness.

Key Concerns

  • Unprotected AJAX handler found
  • Moderate percentage of output not properly escaped
Vulnerabilities
None known

Custom CSS and JavaScript Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Custom CSS and JavaScript Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 6 (20 escaped)
Nonce Checks: 6
Capability Checks: 8
File Operations: 6
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

77% escaped · 26 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
hm_custom_css_js_publish (custom-css-and-javascript.php:111)
Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
1 unprotected

Custom CSS and JavaScript Attack Surface

Entry Points: 7
Unprotected: 1

AJAX Handlers 7

  • auth · wp_ajax_hm_custom_css_js_save (custom-css-and-javascript.php:89)
  • auth · wp_ajax_hm_custom_css_js_publish (custom-css-and-javascript.php:110)
  • auth · wp_ajax_hm_custom_css_js_delete_revision (custom-css-and-javascript.php:174)
  • auth · wp_ajax_hm_custom_css_js_delete_revisions (custom-css-and-javascript.php:193)
  • auth · wp_ajax_hm_custom_css_js_get_revisions (custom-css-and-javascript.php:217)
  • auth · wp_ajax_hm_custom_css_js_get_revision (custom-css-and-javascript.php:257)
  • auth · wp_ajax_hm_custom_css_js_rd_notice_hide (custom-css-and-javascript.php:328)
WordPress Hooks 8
  • action · wp_enqueue_scripts (custom-css-and-javascript.php:32)
  • action · admin_menu (custom-css-and-javascript.php:48)
  • action · admin_menu (custom-css-and-javascript.php:53)
  • action · admin_enqueue_scripts (custom-css-and-javascript.php:59)
  • action · init (custom-css-and-javascript.php:275)
  • action · admin_notices (custom-css-and-javascript.php:327)
  • action · admin_init (custom-css-and-javascript.php:345)
  • filter · user_has_cap (custom-css-and-javascript.php:353)
Maintenance & Trust

Custom CSS and JavaScript Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Aug 12, 2024
PHP min version
Downloads: 177K

Community Trust

Rating: 94/100
Number of ratings: 60
Active installs: 10K
Developer Profile

Custom CSS and JavaScript Developer Profile

WP Zone

21 plugins · 40K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 124 days
Detection Fingerprints

How We Detect Custom CSS and JavaScript

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/custom-css-and-javascript/codemirror/codemirror.js
  • /wp-content/plugins/custom-css-and-javascript/codemirror/mode/css.js
  • /wp-content/plugins/custom-css-and-javascript/codemirror/mode/javascript.js
  • /wp-content/plugins/custom-css-and-javascript/codemirror/addon/dialog/dialog.js
  • /wp-content/plugins/custom-css-and-javascript/codemirror/addon/edit/matchbrackets.js
  • /wp-content/plugins/custom-css-and-javascript/codemirror/addon/search/search.js
  • /wp-content/plugins/custom-css-and-javascript/codemirror/addon/search/searchcursor.js
  • /wp-content/plugins/custom-css-and-javascript/codemirror/addon/search/match-highlighter.js
  • +9 more
Script Paths
  • /index.php?hm_custom_js_draft=1
  • /index.php?hm_custom_css_draft=1
  • /wp-content/uploads/hm_custom_css_js/custom.js
  • /wp-content/uploads/hm_custom_css_js/custom.css
Version Parameters
  • hm_custom_js_draft=1
  • hm_custom_css_draft=1

HTML / DOM Fingerprints

JS Globals
pp_custom_css_js_config
FAQ

Frequently Asked Questions about Custom CSS and JavaScript