Custom Post Type UI Security & Risk Analysis

wordpress.org/plugins/custom-post-type-ui

Admin UI for creating custom content types like post types and taxonomies

1.0M active installs · v1.18.3 · PHP 7.4+ · WP 6.6+ · Updated Jan 8, 2026
Tags: content-types, custom-post-types, post-type, taxonomy, types
Score: 93 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Dec 12, 2025
Safety Verdict

Is Custom Post Type UI Safe to Use in 2026?

Generally Safe

Score 93/100

Custom Post Type UI has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Dec 12, 2025 · Updated 4mo ago
Risk Assessment

The static analysis of Custom Post Type UI v1.18.3 reveals a generally strong security posture, with no identified vulnerabilities in attack surface, taint analysis, or critical code signals. The plugin demonstrates good practices by exclusively using prepared statements for SQL queries and implementing nonce and capability checks. However, a significant concern arises from the output escaping, where only 64% of outputs are properly escaped. This indicates a potential for cross-site scripting vulnerabilities, especially given the plugin's history of medium and high severity XSS and authorization issues.

The vulnerability history shows four past CVEs, with a high-severity XSS vulnerability reported last in 2025. While there are currently no unpatched vulnerabilities, this history suggests a recurring pattern of input validation or authorization weaknesses. The types of past vulnerabilities (XSS, Missing Authorization, Information Exposure, CSRF) are common in plugins that handle user input and manage data, reinforcing the need for rigorous output escaping and authorization enforcement.

In conclusion, Custom Post Type UI v1.18.3 benefits from a robust foundational security framework, particularly in its handling of database operations and authorization. The primary weakness lies in the incomplete output escaping, which, coupled with its past vulnerability trends, presents a moderate risk that requires attention. Continuous vigilance and thorough auditing of output handling are recommended.

Key Concerns

  • Low output escaping percentage
  • Past high-severity XSS vulnerability
  • Past medium-severity vulnerabilities
Vulnerabilities
4 published

Custom Post Type UI Security Vulnerabilities

CVEs by Year

  • 2020: 1 CVE
  • 2023: 1 CVE
  • 2025: 2 CVEs

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

CVE-2025-14056 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom Post Type UI <= 1.18.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'label' Import Parameter

Dec 12, 2025 · Patched in 1.18.2 (1d)

CVE-2025-12826 · medium · 4.8 · Missing Authorization

Custom Post Type UI <= 1.18.0 - Missing Authorization to Unauthenticated (Previously Administrator+) Custom Post Type Modification

Dec 3, 2025 · Patched in 1.18.1 (1d)

CVE-2023-1623 · medium · 5.4 · Exposure of Sensitive Information to an Unauthorized Actor

Custom Post Type UI <= 1.13.4 - Cross-Site Request Forgery to Sensitive Information Exposure

Mar 28, 2023 · Patched in 1.13.5 (301d)

WF-08115f30-f38b-4c13-803e-5de873f83a17-custom-post-type-ui · high · 8.8 · Cross-Site Request Forgery (CSRF)

Custom Post Type UI <= 1.7.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Mar 18, 2020 · Patched in 1.7.4 (1406d)
Version History

Custom Post Type UI Release Timeline

v1.18.3 · Current · 5 files changed
v1.18.2 · 9 files changed
v1.18.1 · 1 CVE · 17 files changed
v1.18.0 · 2 CVEs · 18 files changed
v1.17.3 · 2 CVEs · 6 files changed
v1.17.2 · 2 CVEs · 3 files changed
v1.17.1 · 2 CVEs · 7 files changed
v1.17.0 · 2 CVEs · 19 files changed
v1.16.0 · 2 CVEs · 8 files changed
v1.15.1 · 2 CVEs · 6 files changed
v1.15.0 · 2 CVEs · 8 files changed
v1.14.0 · 2 CVEs · 15 files changed
v1.13.7 · 2 CVEs · 4 files changed
v1.13.6 · 2 CVEs · 9 files changed
v1.13.5 · 2 CVEs · 4 files changed
v1.13.4 · 3 CVEs · 4 files changed
v1.13.3 · 3 CVEs · 5 files changed
v1.13.2 · 3 CVEs · 6 files changed
v1.13.1 · 3 CVEs · 3 files changed
Code Analysis
Analyzed Mar 16, 2026

Custom Post Type UI Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (2 prepared)
  • Unescaped Output: 245 (432 escaped)
  • Nonce Checks: 12
  • Capability Checks: 6
  • File Operations: 2
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

64% escaped · 677 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

6 flows
system_status (classes\class.cptui_debug_info.php:39)
Attack Surface

Custom Post Type UI Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 63
action · init · custom-post-type-ui.php:50
action · admin_init · custom-post-type-ui.php:98
action · admin_menu · custom-post-type-ui.php:155
action · plugins_loaded · custom-post-type-ui.php:179
action · cptui_loaded · custom-post-type-ui.php:205
action · init · custom-post-type-ui.php:223
action · admin_enqueue_scripts · custom-post-type-ui.php:241
action · init · custom-post-type-ui.php:324
action · init · custom-post-type-ui.php:631
action · admin_init · custom-post-type-ui.php:899
action · cptui_inside_wrap · custom-post-type-ui.php:1171
action · admin_enqueue_scripts · inc\about.php:36
action · cptui_main_page_extra_notes · inc\about.php:134
action · cptui_main_page_before_changelog · inc\about.php:158
action · cptui_main_page_extra_notes · inc\about.php:173
action · admin_enqueue_scripts · inc\listings.php:36
action · cptui_no_post_types_listing · inc\listings.php:503
action · cptui_no_taxonomies_listing · inc\listings.php:525
action · admin_enqueue_scripts · inc\post-types.php:65
filter · cptui_get_tabs · inc\post-types.php:130
filter · cptui_convert_post_type_posts · inc\post-types.php:2043
filter · cptui_custom_error_message · inc\post-types.php:2062
filter · cptui_custom_error_message · inc\post-types.php:2079
filter · cptui_custom_error_message · inc\post-types.php:2085
filter · cptui_post_type_slug_exists · inc\post-types.php:2372
filter · cptui_post_type_deleted · inc\post-types.php:2430
action · admin_notices · inc\post-types.php:2435
action · init · inc\post-types.php:2450
action · init · inc\post-types.php:2482
filter · cptui_post_type_slug_exists · inc\post-types.php:2504
filter · cptui_post_type_slug_exists · inc\post-types.php:2522
filter · enter_title_here · inc\post-types.php:2591
action · admin_enqueue_scripts · inc\support.php:39
action · admin_enqueue_scripts · inc\taxonomies.php:69
filter · cptui_get_tabs · inc\taxonomies.php:134
filter · cptui_custom_error_message · inc\taxonomies.php:1601
filter · cptui_convert_taxonomy_terms · inc\taxonomies.php:1607
filter · cptui_custom_error_message · inc\taxonomies.php:1624
filter · cptui_custom_error_message · inc\taxonomies.php:1641
filter · cptui_taxonomy_slug_exists · inc\taxonomies.php:1977
filter · cptui_taxonomy_deleted · inc\taxonomies.php:2013
action · admin_notices · inc\taxonomies.php:2017
action · init · inc\taxonomies.php:2030
action · init · inc\taxonomies.php:2062
filter · cptui_taxonomy_slug_exists · inc\taxonomies.php:2084
action · admin_enqueue_scripts · inc\tools.php:38
filter · cptui_get_tabs · inc\tools.php:119
action · cptui_tools_sections · inc\tools.php:486
action · admin_notices · inc\tools.php:535
action · init · inc\tools.php:538
filter · admin_footer_text · inc\utility.php:143
action · admin_init · inc\utility.php:171
action · cptui_below_post_type_tab_menu · inc\utility.php:370
action · cptui_below_taxonomy_tab_menu · inc\utility.php:371
action · admin_enqueue_scripts · inc\utility.php:455
filter · cptui_ads · inc\utility.php:517
action · upgrader_process_complete · inc\utility.php:877
action · cptui_post_register_post_types · inc\utility.php:999
action · after_setup_theme · inc\utility.php:1047
action · cptui_taxonomy_after_fieldsets · inc\utility.php:1057
action · admin_notices · inc\utility.php:1174
action · admin_init · inc\utility.php:1203
action · upgrader_process_complete · inc\utility.php:1227
Maintenance & Trust

Custom Post Type UI Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 8, 2026
  • PHP min version: 7.4
  • Downloads: 22.6M

Community Trust

  • Rating: 92/100
  • Number of ratings: 273
  • Active installs: 1.0M
Developer Profile

Custom Post Type UI Developer Profile

webdevstudios

10 plugins · 1.0M total installs

  • Trust score: 73
  • Avg Security Score: 92/100
  • Avg Patch Time: 642 days
Detection Fingerprints

How We Detect Custom Post Type UI

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/custom-post-type-ui/build/cptui-styles.css
  • /wp-content/plugins/custom-post-type-ui/build/dashiconsPicker.js
  • /wp-content/plugins/custom-post-type-ui/build/cptui.js
Script Paths
  • /wp-content/plugins/custom-post-type-ui/build/cptui.js
  • /wp-content/plugins/custom-post-type-ui/build/dashiconsPicker.js
Version Parameters
  • custom-post-type-ui/build/cptui-styles.css?ver=
  • custom-post-type-ui/build/cptui.js?ver=
  • custom-post-type-ui/build/dashiconsPicker.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • cptui-dashboard-widget
  • cptui-nav-menu-class
  • cptui-post-type-edit
  • cptui-taxonomy-edit
Data Attributes
  • data-cptui-tab
  • data-cptui-tab-content
JS Globals
cptui_nonce
FAQ

Frequently Asked Questions about Custom Post Type UI