Custom Post Type Attachment Security & Risk Analysis

wordpress.org/plugins/custom-post-type-pdf-attachment

This plugin will allow you to upload files to your post or pages or any other custom post types.

900 active installs · v3.4.6 · PHP + · WP 2.0.2+ · Updated Dec 31, 2024
Tags: attachment, download, file, file-attachment, upload
69
C · Use Caution
CVEs total: 2
Unpatched: 1
Last CVE: Sep 29, 2025
Safety Verdict

Is Custom Post Type Attachment Safe to Use in 2026?

Use With Caution

Score 69/100

Custom Post Type Attachment has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

2 known CVEs · 1 unpatched · Last CVE: Sep 29, 2025 · Updated 1yr ago
Risk Assessment

The 'custom-post-type-pdf-attachment' plugin version 3.4.6 exhibits a mixed security posture. On the positive side, it demonstrates good practices with 100% of its SQL queries using prepared statements and includes nonce and capability checks on its entry points. There are no detected critical or high-severity taint flows, and the attack surface is relatively small with no immediately apparent unprotected entry points.

However, significant concerns arise from its vulnerability history. The plugin has two known CVEs, one of which is still unpatched; both are medium severity and both are Cross-site Scripting issues. This pattern suggests a recurring weakness in input sanitization or output escaping, and it is consistent with the static analysis, which found only 26% of outputs properly escaped. The unpatched vulnerability is a direct and critical risk to any WordPress site using this plugin.

In conclusion, while the plugin implements some fundamental security measures, the recurring medium-severity XSS vulnerabilities and the existence of an unpatched CVE significantly outweigh these strengths, making it a riskier choice for deployment. Users should be aware of the historical issues and the ongoing unpatched vulnerability.

Key Concerns

  • Unpatched CVE found
  • Medium severity vulnerabilities in history (XSS)
  • Low percentage of properly escaped output
Vulnerabilities
2

Custom Post Type Attachment Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE · unpatched

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-62907 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom Post Type Attachment <= 3.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 29, 2025 · Unpatched

CVE-2024-4546 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom Post Type Attachment <= 3.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via pdf_attachment Shortcode

May 15, 2024 · Patched in 3.4.6 (1d)
Code Analysis
Analyzed Mar 16, 2026

Custom Post Type Attachment Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 39 (14 escaped)
Nonce Checks: 2
Capability Checks: 2
File Operations: 1
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total query

Output Escaping

26% escaped · 53 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
custom_pdf_attachment_post_data (includes\class-settings.php:8)
Attack Surface

Custom Post Type Attachment Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes 2

[pdf_attachment] custom-pdf-attachment.php:62
[pdf_all_attachments] custom-pdf-attachment.php:63
WordPress Hooks 13
action widgets_init custom-pdf-attachment.php:60
action plugins_loaded custom-pdf-attachment.php:65
filter manage_posts_columns includes\class-attachment-list.php:6
action manage_posts_custom_column includes\class-attachment-list.php:7
filter manage_pages_columns includes\class-attachment-list.php:8
action manage_pages_custom_column includes\class-attachment-list.php:9
action add_meta_boxes includes\class-attachment.php:6
action save_post includes\class-attachment.php:7
action post_edit_form_tag includes\class-attachment.php:8
action admin_enqueue_scripts includes\class-scripts.php:5
action wp_enqueue_scripts includes\class-scripts.php:6
action admin_menu includes\class-settings.php:144
action admin_init includes\class-settings.php:145
Maintenance & Trust

Custom Post Type Attachment Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Dec 31, 2024
PHP min version
Downloads: 94K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 900
Developer Profile

Custom Post Type Attachment Developer Profile

aviplugins.com

9 plugins · 8K total installs

Trust score: 62
Avg Security Score: 76/100
Avg Patch Time: 617 days
Detection Fingerprints

How We Detect Custom Post Type Attachment

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/custom-post-type-pdf-attachment/css/style_admin.css
/wp-content/plugins/custom-post-type-pdf-attachment/css/style_front.css
/wp-content/plugins/custom-post-type-pdf-attachment/js/ap.cookie.js
/wp-content/plugins/custom-post-type-pdf-attachment/js/ap-tabs.js
/wp-content/plugins/custom-post-type-pdf-attachment/js/cpt.js
Script Paths
/wp-content/plugins/custom-post-type-pdf-attachment/js/ap.cookie.js
/wp-content/plugins/custom-post-type-pdf-attachment/js/ap-tabs.js
/wp-content/plugins/custom-post-type-pdf-attachment/js/cpt.js
Version Parameters
custom-post-type-pdf-attachment/css/style_admin.css?ver=
custom-post-type-pdf-attachment/css/style_front.css?ver=
custom-post-type-pdf-attachment/js/ap.cookie.js?ver=
custom-post-type-pdf-attachment/js/ap-tabs.js?ver=
custom-post-type-pdf-attachment/js/cpt.js?ver=

HTML / DOM Fingerprints

HTML Comments
<!-- older versions compatibility -->
<!-- security verification -->
<!-- delete file -->
<!-- file upload -->
Data Attributes
cpt_pdf_attachment_removecpt_pdf_attachment_mf_cpt_pdf_attachment
JS Globals
CPTA_PLUGIN_DIR
cpta_use_media_library
Shortcode Output
[pdf_attachment]
[pdf_all_attachments]
FAQ

Frequently Asked Questions about Custom Post Type Attachment