Custom CSS Security & Risk Analysis

wordpress.org/plugins/custom-css-editor

Add custom CSS, JS, PHP, tracking code. Very easy to use!

1K active installs v1.4.0 PHP + WP 4.0.0+ Updated Nov 28, 2017
Tags: custom-code, custom-css, custom-js

Score: 63 · C · Use Caution
CVEs total: 1
Unpatched: 1
Last CVE: Oct 8, 2025

Safety Verdict

Is Custom CSS Safe to Use in 2026?

Use With Caution

Score 63/100

Custom CSS has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Oct 8, 2025 · Updated 8yr ago

Risk Assessment

The 'custom-css-editor' v1.4.0 plugin exhibits significant security concerns, stemming primarily from unprotected entry points and a lack of output escaping. Three AJAX handlers lack authentication checks and the code contains zero nonce checks, which creates a substantial attack surface that unauthenticated users could exploit to perform unauthorized actions. In addition, only 14% of output is properly escaped, which suggests a high probability of cross-site scripting (XSS) vulnerabilities that would allow attackers to inject malicious scripts into the site.

Key Concerns

  • Unprotected AJAX handlers
  • Missing nonce checks
  • Low output escaping percentage
  • Dangerous function (unserialize)
  • Bundled outdated library
  • Unpatched medium severity CVE

Vulnerabilities: 1

Custom CSS Security Vulnerabilities

CVEs by Year

2025: 1 CVE · unpatched

Severity Breakdown

Medium: 1
Total: 1 CVE

CVE-2025-48096 · medium · 5.3 · Missing Authorization

Custom CSS <= 1.4.0 - Missing Authorization

Oct 8, 2025 · Unpatched

Code Analysis
Analyzed Mar 16, 2026

Custom CSS Code Analysis

Dangerous Functions: 12
Raw SQL Queries: 1 (3 prepared)
Unescaped Output: 211 (33 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 26
External Requests: 8
Bundled Libraries: 1

Dangerous Functions Found

unserialize · $value = unserialize( $value ); · fresh-framework\framework\dataStorage\class.ffDataStorage.php:39
unserialize · $cacheFile = unserialize( $cacheFileContent ); · fresh-framework\framework\dataStorage\class.ffDataStorage_Cache.php:121
unserialize · $cacheFile = unserialize( $cacheFileContent ); · fresh-framework\framework\dataStorage\class.ffDataStorage_Cache.php:180
unserialize · $value = unserialize( $value ); · fresh-framework\framework\dataStorage\class.ffDataStorage_WPOptions_NamespaceFacade.php:33
unserialize · $value = unserialize( $value ); · fresh-framework\framework\dataStorage\class.ffDataStorage_WPPostMetas.php:50
unserialize · $value = unserialize( $value ); · fresh-framework\framework\dataStorage\dataStorageOptionsPost\class.ffDataStorage_OptionsPostType.php:127
unserialize · $postContentUnserialised = unserialize( $postContent ); · fresh-framework\framework\dataStorage\dataStorageOptionsPost\class.ffDataStorage_OptionsPostType.php:218
unserialize · $value = unserialize( $value ); · fresh-framework\framework\dataStorage\dataStorageOptionsPost\class.ffDataStorage_OptionsPostType_NamespaceFacade.php:50
unserialize · $imports = unserialize(file_get_contents($icache)); · fresh-framework\framework\extern\scss\scss.inc.php:4286
unserialize · $optionsUnserialized = unserialize( $optionsSerialized ); · fresh-framework\framework\options\dataHolders\class.ffOptionsHolder_CachingFacade.php:66
unserialize · return unserialize( $this->get($query) ); · fresh-framework\framework\options\walkers\class.ffOptionsQuery.php:177
unserialize · $revision = unserialize( $revision ); · fresh-framework\framework\themes\layouts\metaBoxes\metaBoxLayoutContent\class.ffMetaBoxLayoutContentView.php:109

Bundled Libraries

Select2 3.4.6

SQL Query Safety

75% prepared · 4 total queries

Output Escaping

14% escaped · 244 total outputs

Attack Surface: 3 unprotected

Custom CSS Attack Surface

Entry Points: 4
Unprotected: 3

AJAX Handlers: 3

auth · wp_ajax_ff_ajax_admin · fresh-framework\framework\core\wplayer\class.ffHookManager.php:100
auth · wp_ajax_ff_ajax · fresh-framework\framework\core\wplayer\class.ffHookManager.php:104
nopriv · wp_ajax_ff_ajax · fresh-framework\framework\core\wplayer\class.ffHookManager.php:105

Shortcodes: 1

[ffrow] · fresh-framework\framework\shortcodes\class.ffShortcodeManager.php:95

WordPress Hooks: 52

action · admin_notices · bootstrap\pluginClass.php:42
action · after_setup_theme · bootstrap\pluginClass.php:107
action · wp_enqueue_scripts · bootstrap\pluginClass.php:108
action · wp_head · bootstrap\pluginClass.php:109
action · wp_footer · bootstrap\pluginClass.php:110
action · admin_init · fresh-framework\framework\adminScreens\class.ffAdminScreenManager.php:54
action · add_meta_boxes · fresh-framework\framework\adminScreens\metaBoxes\class.ffMetaBoxManager.php:30
action · save_post · fresh-framework\framework\adminScreens\metaBoxes\class.ffMetaBoxManager.php:31
action · admin_menu · fresh-framework\framework\adminScreens\metaBoxes\class.ffMetaBoxManager.php:33
action · admin_footer · fresh-framework\framework\assetsIncluding\lessScssCompiler\class.ffLessScssCompiler.php:81
action · activated_plugin · fresh-framework\framework\core\class.ffPluginLoader.php:50
action · ff_wp_enqueue_scripts · fresh-framework\framework\core\wplayer\class.ffHookManager.php:28
action · admin_menu · fresh-framework\framework\core\wplayer\class.ffHookManager.php:50
action · admin_init · fresh-framework\framework\core\wplayer\class.ffHookManager.php:57
action · widgets_init · fresh-framework\framework\core\wplayer\class.ffHookManager.php:63
action · wp_print_scripts · fresh-framework\framework\core\wplayer\class.ffHookManager.php:67
action · admin_print_styles · fresh-framework\framework\core\wplayer\class.ffHookManager.php:71
action · wp_print_styles · fresh-framework\framework\core\wplayer\class.ffHookManager.php:73
action · ff_ajax_shutdown · fresh-framework\framework\core\wplayer\class.ffHookManager.php:127
action · shutdown · fresh-framework\framework\core\wplayer\class.ffHookManager.php:130
action · wp_loaded · fresh-framework\framework\core\wplayer\class.ffHookManager.php:141
action · admin_enqueue_scripts · fresh-framework\framework\core\wplayer\class.ffWPLayer.php:493
action · wp_enqueue_scripts · fresh-framework\framework\core\wplayer\class.ffWPLayer.php:495
action · wp_footer · fresh-framework\framework\core\wplayer\class.ffWPLayer.php:524
filter · filesystem_method · fresh-framework\framework\fileSystem\factories\class.ffFileSystem_Factory.php:12
action · plugins_loaded · fresh-framework\framework\init\class.ffFrameworkVersionManager.php:111
action · admin_footer · fresh-framework\framework\options\walkers\printers\class.ffOptionsPrinterDataBoxGenerator.php:16
action · mime_types · fresh-framework\framework\query\attachments\class.ffMimeTypesManager.php:67
action · post_mime_types · fresh-framework\framework\query\attachments\class.ffMimeTypesManager.php:94
action · ext2type · fresh-framework\framework\query\attachments\class.ffMimeTypesManager.php:115
action · wp · fresh-framework\framework\query\identificators\query\class.ffFrontendQueryIdentificator.php:38
filter · manage_posts_columns · fresh-framework\framework\query\posts\class.ffPostAdminColumnManager.php:16
action · manage_posts_custom_column · fresh-framework\framework\query\posts\class.ffPostAdminColumnManager.php:17
action · init · fresh-framework\framework\query\posts\registrator\class.ffPostTypeRegistratorManager.php:14
filter · post_updated_messages · fresh-framework\framework\query\posts\registrator\class.ffPostTypeRegistratorManager.php:33
filter · post_updated_messages · fresh-framework\framework\query\posts\registrator\class.ffPostTypeRegistratorManager.php:46
filter · post_row_actions · fresh-framework\framework\query\posts\registrator\class.ffPostTypeRegistratorManager.php:54
filter · post_row_actions · fresh-framework\framework\query\posts\registrator\class.ffPostTypeRegistratorManager.php:62
action · init · fresh-framework\framework\query\taxonomies\registrator\class.ffCustomTaxonomyManager.php:10
filter · the_content · fresh-framework\framework\shortcodes\class.ffShortcodeManager.php:44
filter · the_content · fresh-framework\framework\shortcodes\class.ffShortcodeManager.php:45
action · wp_footer · fresh-framework\framework\themes\assetsIncluding\class.ffThemeAssetsManager.php:39
action · wp_trash_post · fresh-framework\framework\themes\layouts\class.ffLayoutPostType.php:173
action · before_delete_post · fresh-framework\framework\themes\layouts\class.ffLayoutPostType.php:174
action · untrash_post · fresh-framework\framework\themes\layouts\class.ffLayoutPostType.php:175
action · admin_print_scripts · fresh-framework\framework\themes\layouts\class.ffLayoutsEmojiManager.php:27
action · admin_footer · fresh-framework\framework\themes\layouts\metaBoxes\metaBoxLayoutConditions\class.ffMetaBoxLayoutConditionsView.php:22
action · admin_footer · fresh-framework\framework\themes\layouts\metaBoxes\metaBoxLayoutContent\class.ffMetaBoxLayoutContentView.php:21
action · admin_footer · fresh-framework\framework\themes\layouts\metaBoxes\metaBoxLayoutPlacement\class.ffMetaBoxLayoutPlacementView.php:26
action · current_screen · fresh-framework\framework\themes\menuOptions\class.ffMenuOptionsManager.php:73
action · wp_update_nav_menu · fresh-framework\framework\themes\menuOptions\class.ffMenuOptionsManager.php:74
action · admin_footer · fresh-framework\framework\themes\menuOptions\class.ffMenuOptionsManager.php:75

Maintenance & Trust

Custom CSS Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.6.30
Last updated: Nov 28, 2017
PHP min version
Downloads: 69K

Community Trust

Rating: 50/100
Number of ratings: 17
Active installs: 1K

Developer Profile

Custom CSS Developer Profile

FRESHFACE

2 plugins · 1K total installs

Trust score: 81
Avg Security Score: 82/100
Avg Patch Time: 30 days

Detection Fingerprints

How We Detect Custom CSS

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/fresh-custom-code-lite/fresh-framework/css/custom-code-editor.css
/wp-content/plugins/fresh-custom-code-lite/fresh-framework/js/custom-code-editor.js

HTML / DOM Fingerprints

CSS Classes
ff-ark-notice-dismiss
HTML Comments
Hello, you are using "Custom CSS Editor" plugin - lite version
FRESHFACE here
We just created **ARK**, currently the **best WP theme on this planet** (yes, you should hear the testimonials...)
In the next 24 hours, there is a way for our customers to **get the ARK ($97) for FREE.**
JS Globals
jQuery