WP-Safety

Custom Field Builder – WordPress custom fields plugin Security & Risk Analysis

wordpress.org/plugins/custom-field-builder

Custom Field Builder is a powerful and lightweight developer plugin to create custom meta boxes and custom fields for WordPress.

10 active installs v1.2.4 PHP 5.4+ WP 4.6+ Updated Mar 5, 2019
cfbcustom-field-buildercustom-fieldscustom-metacustom-meta-fields
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Custom Field Builder – WordPress custom fields plugin Safe to Use in 2026?

Generally Safe

Score 85/100

Custom Field Builder – WordPress custom fields plugin has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The "custom-field-builder" plugin version 1.2.4 exhibits a concerning security posture primarily due to a significant lack of input sanitization and authentication checks. The static analysis reveals one AJAX handler that does not implement any authentication checks, making it a direct entry point for potential attackers. Furthermore, all SQL queries are executed without prepared statements, indicating a high risk of SQL injection vulnerabilities. The taint analysis highlights two flows with unsanitized paths, both classified as high severity. This suggests that data entering the plugin is not being properly validated before being used in sensitive operations. While there is no recorded vulnerability history, this should not be interpreted as a sign of strong security, but rather a potential lack of past scrutiny or reporting. The limited attack surface is a minor positive, but it is overshadowed by the critical weaknesses identified in the code's handling of user input and database interactions. Without addressing the unauthenticated AJAX endpoint and the raw SQL queries, the plugin remains highly vulnerable.

Key Concerns

  • Unauthenticated AJAX handler
  • SQL queries without prepared statements
  • High severity unsanitized taint flows
  • Low percentage of properly escaped output
  • No nonce checks on entry points
Vulnerabilities
None known

Custom Field Builder – WordPress custom fields plugin Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Custom Field Builder – WordPress custom fields plugin Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
0 prepared
Unescaped Output
63
5 escaped
Nonce Checks
0
Capability Checks
1
File Operations
1
External Requests
0
Bundled Libraries
0

SQL Query Safety

0% prepared1 total queries

Output Escaping

7% escaped68 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
findEntities (components\CFBPostRelationship.php:53)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

Custom Field Builder – WordPress custom fields plugin Attack Surface

Entry Points1
Unprotected1

AJAX Handlers 1

authwp_ajax_cfb_relationship_find_entitiescomponents\CFBPostRelationship.php:14
WordPress Hooks 6
actionadmin_enqueue_scriptscomponents\CFBComponent.php:25
actioninitcore\CFBuilder.php:20
actionadmin_enqueue_scriptscore\CFBuilderLoader.php:12
actionadmin_enqueue_scriptscore\CFBuilderLoader.php:13
actionadd_meta_boxescore\CFBuilderTemplate.php:19
actionsave_postcore\CFBuilderTemplate.php:20
Maintenance & Trust

Custom Field Builder – WordPress custom fields plugin Maintenance & Trust

Maintenance Signals

WordPress version tested5.0.0
Last updatedMar 5, 2019
PHP min version5.4
Downloads1K

Community Trust

Rating100/100
Number of ratings1
Active installs10
Alternatives

Custom Field Builder – WordPress custom fields plugin Alternatives

Codeideal Open Fields

Codeideal Open Fields

codeideal-open-fields

A
100

A free, modern custom fields plugin for WordPress. Build field groups with a visual editor — no code required.

0 No CVEs
Advanced Custom Fields (ACF®)

Advanced Custom Fields (ACF®)

advanced-custom-fields

A
93

ACF helps customize WordPress with powerful, professional and intuitive fields. Proudly powering over 2 million sites, WordPress developers love ACF.

2.0M 9 CVEs
Meta Box

Meta Box

meta-box

A
89

Meta Box plugin is a powerful, professional developer toolkit to create custom meta boxes and custom fields for your custom post types in WordPress.

500K 6 CVEs
Checkout Field Editor (Checkout Manager) for WooCommerce

Checkout Field Editor (Checkout Manager) for WooCommerce

woo-checkout-field-editor-pro

A
93

Checkout Field Editor (Checkout Manager) for WooCommerce – The best WooCommerce checkout manager plugin to manage WooCommerce checkout fields.

500K 3 CVEs
ACF Content Analysis for Yoast SEO

ACF Content Analysis for Yoast SEO

acf-content-analysis-for-yoast-seo

A
100

WordPress plugin that adds the content of all ACF fields to the Yoast SEO score analysis.

100K No CVEs
Developer Profile

Custom Field Builder – WordPress custom fields plugin Developer Profile

kirillbdev

5 plugins · 7K total installs

88
trust score
Avg Security Score
92/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Custom Field Builder – WordPress custom fields plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/custom-field-builder/assets/css/style.min.css/wp-content/plugins/custom-field-builder/assets/js/core.min.js
Script Paths
/wp-content/plugins/custom-field-builder/assets/js/core.min.js
Version Parameters
cf-builder-csscf-builder-js

HTML / DOM Fingerprints

CSS Classes
cfb-inputcfb-editorcfb-media-uploadcfb-post-relationship-itemcfb-checkbox-group-input
Data Attributes
data-cfb-field-typedata-cfb-field-iddata-cfb-editor-id
JS Globals
CFBuilder
REST Endpoints
/wp-json/cfb/v1/relationship/find
FAQ

Frequently Asked Questions about Custom Field Builder – WordPress custom fields plugin