Custom Field Variables Security & Risk Analysis

wordpress.org/plugins/custom-field-variables

Enables the display of custom-field variables in the WordPress post editor via a TinyMCE button. Works well with custom post types as well as default …

0 active installs · v1.0.1 · PHP + WP 4.0+ · Updated Jul 30, 2017
Tags: custom-fields, meta, tinymce
Security score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Custom Field Variables Safe to Use in 2026?

Generally Safe

Score 85/100

Custom Field Variables has no known CVEs, but it has not been updated since July 2017 (tested up to WordPress 4.8.28) and static analysis flags an AJAX handler with no capability or nonce check. Review those findings, and the plugin's age, before relying on it.

No known CVEs Updated 8yr ago
Risk Assessment

The "custom-field-variables" plugin has a mixed security posture. On the positive side, static analysis found no dangerous functions, no external HTTP requests and no raw SQL queries at all: the plugin does not talk to the database directly, so there is no SQL injection surface in its own code. There is also no recorded vulnerability history.

The concerns come from the plugin's single entry point, the wp_ajax_cw_get_custom_fields AJAX handler, which has neither a capability check nor a nonce check. Because the hook is wp_ajax_ rather than wp_ajax_nopriv_, WordPress only dispatches it for logged-in users, so it is not reachable anonymously; but any authenticated user of any role, a subscriber included, can call it directly, and without a nonce a malicious page can make a logged-in editor's browser call it (CSRF). Separately, one of the plugin's two output sites is not escaped (50% escaped), which is a cross-site scripting (XSS) risk if post meta or request data reaches that output unescaped.

The absence of known CVEs is a positive signal but does not negate what the code shows. The unprotected AJAX endpoint together with the unescaped output is the primary risk; the clean database and network hygiene is real, but the missing authorization and nonce checks on the entry point and the output escaping are the items to fix.

Key Concerns

  • AJAX handler without auth checks
  • Unescaped output
  • Missing nonce checks on AJAX
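As an added example (not the plugin's own code; the page does not show the handler body), here is the shape of a wp_ajax_ handler with the gaps the analysis flags, beside a hardened version. The handler logic (returning a post's custom-field keys as option markup), the post_id parameter, the nonce action name and the cwAjax script object are assumptions; only the hook name wp_ajax_cw_get_custom_fields and the admin script path come from the page. It assumes a WordPress runtime.

```php
<?php
// Added example, not the plugin's code. Hook name wp_ajax_cw_get_custom_fields
// is from the analysis above; handler body, parameter names, nonce action and
// the 'cwAjax' JS object are assumptions for illustration.

// --- BEFORE: the shape of the unprotected handler the analysis flags ------
// wp_ajax_* fires only for logged-in users, so this is not anonymous, but any
// authenticated role can call it, and with no nonce a third-party page can make
// a logged-in editor's browser call it (CSRF). Output is echoed unescaped.
function cw_get_custom_fields_unprotected() {
    $post_id = (int) $_POST['post_id'];
    foreach ( (array) get_post_custom_keys( $post_id ) as $key ) {
        echo '<option value="' . $key . '">' . $key . '</option>'; // unescaped
    }
    wp_die();
}

// --- AFTER: nonce + capability + escaping ---------------------------------
function cw_get_custom_fields_protected() {
    // 1. CSRF: reject requests that do not carry the nonce issued to this user.
    //    check_ajax_referer() dies with HTTP 403 on failure.
    check_ajax_referer( 'cw_get_custom_fields', 'nonce' );

    // 2. Input: coerce to a positive integer and confirm the post exists.
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! get_post( $post_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid post' ), 400 );
    }

    // 3. Authorization: only users who may edit this post may enumerate its meta.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Output: skip protected (underscore-prefixed) keys, escape before emitting.
    $options = '';
    foreach ( (array) get_post_custom_keys( $post_id ) as $key ) {
        if ( is_protected_meta( $key, 'post' ) ) {
            continue;
        }
        $options .= sprintf(
            '<option value="%s">%s</option>',
            esc_attr( $key ),
            esc_html( $key )
        );
    }
    wp_send_json_success( array( 'html' => $options ) );
}
add_action( 'wp_ajax_cw_get_custom_fields', 'cw_get_custom_fields_protected' );

// Hand the nonce to the editor script so the browser can send it back.
function cw_enqueue_admin_script( $hook ) {
    if ( 'post.php' !== $hook && 'post-new.php' !== $hook ) {
        return;
    }
    wp_enqueue_script(
        'cw-custom-field-variables-admin',
        plugins_url( 'js/cw-custom-field-variables-admin.js', dirname( __FILE__ ) ),
        array( 'jquery' ),
        '1.0.1',
        true
    );
    wp_localize_script(
        'cw-custom-field-variables-admin',
        'cwAjax', // assumed name of the JS object the admin script reads
        array(
            'url'   => admin_url( 'admin-ajax.php' ),
            'nonce' => wp_create_nonce( 'cw_get_custom_fields' ),
        )
    );
}
add_action( 'admin_enqueue_scripts', 'cw_enqueue_admin_script' );
```

The three checks are ordered so the cheapest rejection comes first: the nonce fails before any database lookup, the post lookup fails before the capability check, and the capability check is tied to the specific post rather than to a blanket role, which is what stops a subscriber from enumerating another author's meta.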
Vulnerabilities
None known

Custom Field Variables Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Custom Field Variables Code Analysis

Dangerous functions: 0
Raw SQL queries: 0 (0 prepared)
Unescaped output: 1 (1 escaped)
Nonce checks: 0
Capability checks: 0
File operations: 0
External requests: 0
Bundled libraries: 0

Output Escaping

50% escaped (2 total outputs)
Attack Surface
1 unprotected

Custom Field Variables Attack Surface

Entry points: 1
Unprotected: 1

AJAX Handlers (1)

wp_ajax_cw_get_custom_fields (no auth check) at includes\class-cw-custom-field-variables.php:169

WordPress Hooks (6)

action plugins_loaded at includes\class-cw-custom-field-variables.php:139
filter the_content at includes\class-cw-custom-field-variables.php:153
action admin_enqueue_scripts at includes\class-cw-custom-field-variables.php:168
filter mce_buttons at includes\class-cw-custom-field-variables.php:170
filter mce_external_plugins at includes\class-cw-custom-field-variables.php:171
action admin_head at includes\class-cw-custom-field-variables.php:173
Maintenance & Trust

Custom Field Variables Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.8.28
Last updated: Jul 30, 2017
PHP min version: (not listed)
Downloads: 1K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Custom Field Variables Developer Profile

Edward

3 plugins · 410 total installs

Trust score: 84
Avg security score: 85/100
Avg patch time: 30 days
Detection Fingerprints

How We Detect Custom Field Variables

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling. Note that these markers come from admin_enqueue_scripts and admin_head (see the hook list above), so they appear in the post editor, not on public front-end pages; an unauthenticated crawler will rarely see them in page HTML. Requesting the asset paths below directly (the files are served statically regardless of login state) is the more reliable external check.

Asset Fingerprints

Asset Paths
/wp-content/plugins/custom-field-variables/css/cw-custom-field-variables-admin.css
Script Paths
/wp-content/plugins/custom-field-variables/js/cw-custom-field-variables-admin.js
Version Parameters
cw-custom-field-variables-admin.css?ver=
cw-custom-field-variables-admin.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- tinyMCE CW Custom Field Plugin -->
JS Globals
cwcustomFieldVariables
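As an added example (not part of the page's scanner or the plugin), the function below applies the fingerprints listed above to a page's HTML and pulls the version out of the ?ver= parameter when present. The sample HTML is constructed for illustration; the function names are assumptions.

```php
<?php
// Added example, not the site's detection code. Matches the fingerprints
// listed on this page against HTML and extracts the ?ver= value.

function cw_detect_custom_field_variables( string $html ): array {
    $base   = '/wp-content/plugins/custom-field-variables/';
    $checks = array(
        'admin_css'    => '#' . preg_quote( $base . 'css/cw-custom-field-variables-admin.css', '#' ) . '#',
        'admin_js'     => '#' . preg_quote( $base . 'js/cw-custom-field-variables-admin.js', '#' ) . '#',
        'html_comment' => '#<!--\s*tinyMCE CW Custom Field Plugin\s*-->#',
        'js_global'    => '#\bcwcustomFieldVariables\b#',
    );

    $evidence = array();
    foreach ( $checks as $name => $pattern ) {
        if ( preg_match( $pattern, $html ) ) {
            $evidence[] = $name;
        }
    }

    // ?ver= carries the plugin version only if the plugin passed one to
    // wp_enqueue_*; otherwise WordPress substitutes its own version, so
    // treat the value as a hint, not as proof of the plugin version.
    $version = null;
    if ( preg_match( '#cw-custom-field-variables-admin\.(?:css|js)\?ver=([\w.\-]+)#', $html, $m ) ) {
        $version = $m[1];
    }

    return array(
        'detected' => ! empty( $evidence ),
        'evidence' => $evidence,
        'version'  => $version,
    );
}

// Constructed sample of what the post editor would emit with the plugin active.
$sample = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/custom-field-variables/css/cw-custom-field-variables-admin.css?ver=1.0.1">
<script src="https://example.test/wp-content/plugins/custom-field-variables/js/cw-custom-field-variables-admin.js?ver=1.0.1"></script>
<!-- tinyMCE CW Custom Field Plugin -->
<script>var cwcustomFieldVariables = {};</script>
HTML;

print_r( cw_detect_custom_field_variables( $sample ) );
```

Run it with `php detect.php`; it reports all four evidence keys and version 1.0.1 for the constructed sample. Against a real front-end page it will usually report nothing, for the reason given above, so pair it with a direct GET of the asset path.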
FAQ

Frequently Asked Questions about Custom Field Variables