Custom Related Posts Security & Risk Analysis

wordpress.org/plugins/custom-related-posts

Manual related posts without slowing down your website!

3K active installs · v1.8.1 · PHP + WP 3.5+ · Updated Jan 23, 2026
Tags: custom-post-type, manual-related-posts, related-posts, widget
Score 96/100 · A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Dec 25, 2025
Safety Verdict

Is Custom Related Posts Safe to Use in 2026?

Generally Safe

Score 96/100

Custom Related Posts has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Dec 25, 2025 · Updated 2mo ago
Risk Assessment

The "custom-related-posts" plugin v1.8.1 exhibits a mixed security posture. While it demonstrates several good security practices such as a substantial number of nonce and capability checks, and a moderate use of prepared statements for SQL queries, there are notable areas of concern. The presence of one REST API route without permission callbacks presents a direct attack vector that could be exploited by unauthenticated users. Furthermore, the taint analysis reveals two flows with unsanitized paths, both categorized as high severity, indicating potential vulnerabilities in how user-supplied data is handled, which could lead to code execution or information disclosure.

Key Concerns

  • REST API route without permission callbacks
  • High severity taint flow with unsanitized paths (2 instances)
  • Only 48% of outputs are properly escaped
  • Bundled library (TinyMCE) may have unpatched vulnerabilities
Vulnerabilities
3

Custom Related Posts Security Vulnerabilities

CVEs by Year

3 CVEs in 2025

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-68033 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Custom Related Posts <= 1.8.0 - Unauthenticated Information Exposure

Dec 25, 2025 Patched in 1.8.1 (34d)
CVE-2025-46227 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom Related Posts <= 1.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 22, 2025 Patched in 1.7.5 (9d)
CVE-2024-12825 · medium · 5.4 · Missing Authorization

Custom Related Posts <= 1.7.3 - Missing Authorization to Authenticated (Subscriber+) Private Post Search and Relation Updates

Jan 31, 2025 Patched in 1.7.4 (1d)
Code Analysis
Analyzed Mar 16, 2026

Custom Related Posts Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (2 prepared)
Unescaped Output: 46 (43 escaped)
Nonce Checks: 7
Capability Checks: 14
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

TinyMCE

SQL Query Safety

67% prepared · 3 total queries

Output Escaping

48% escaped · 89 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

3 flows · 2 with unsanitized paths
ajax_search_posts (helpers\ajax.php:29)
Attack Surface
1 unprotected

Custom Related Posts Attack Surface

Entry Points: 11
Unprotected: 1

AJAX Handlers 5

auth · wp_ajax_crp_search_posts · helpers\ajax.php:7
auth · wp_ajax_crp_link_posts · helpers\ajax.php:8
auth · wp_ajax_crp_remove_relation · helpers\ajax.php:9
auth · wp_ajax_crp_get_permalinks_count · helpers\ajax.php:10
auth · wp_ajax_crp_update_permalinks_batch · helpers\ajax.php:11

REST API Routes 5

GET · /wp-json/custom-related-posts/v1/relations/(?P<id>\d+) · helpers\api.php:12
POST · /wp-json/custom-related-posts/v1/relations/(?P<id>\d+) · helpers\api.php:22
PUT · /wp-json/custom-related-posts/v1/relations/(?P<id>\d+)/order · helpers\api.php:32
DELETE · /wp-json/custom-related-posts/v1/relations/(?P<id>\d+) · helpers\api.php:42
GET · /wp-json/custom-related-posts/v1/search · helpers\api.php:52

Shortcodes 1

[custom-related-posts] helpers\shortcode.php:7
WordPress Hooks 24
action · admin_menu · addons\import-xml\import-xml.php:13
action · admin_menu · addons\import-xml\import-xml.php:14
action · admin_menu · addons\update-permalinks\update-permalinks.php:9
action · init · custom-related-posts.php:100
action · admin_notices · helpers\activate.php:8
action · rest_api_init · helpers\api.php:7
filter · posts_where · helpers\api.php:211
action · wp_enqueue_scripts · helpers\assets.php:9
action · admin_enqueue_scripts · helpers\assets.php:10
action · enqueue_block_editor_assets · helpers\assets.php:11
action · init · helpers\blocks.php:7
action · save_post · helpers\cache.php:7
action · transition_post_status · helpers\cache.php:8
action · wp_head · helpers\css.php:7
action · admin_init · helpers\giveaway.php:7
action · admin_notices · helpers\giveaway.php:8
action · admin_init · helpers\meta_box.php:7
action · admin_init · helpers\migration.php:7
filter · plugin_action_links_custom-related-posts/custom-related-posts.php · helpers\plugin_action_link.php:7
action · after_setup_theme · helpers\settings.php:9
filter · mce_external_plugins · helpers\shortcode.php:10
filter · mce_buttons · helpers\shortcode.php:11
action · admin_footer-settings_page_bv_settings_crp · helpers\support_tab.php:7
action · widgets_init · helpers\widget.php:93
Maintenance & Trust

Custom Related Posts Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 23, 2026
PHP min version
Downloads: 76K

Community Trust

Rating: 98/100
Number of ratings: 46
Active installs: 3K
Developer Profile

Custom Related Posts Developer Profile

Brecht

6 plugins · 79K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 104 days
Detection Fingerprints

How We Detect Custom Related Posts

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/custom-related-posts/dist/public.css
/wp-content/plugins/custom-related-posts/dist/admin.css
/wp-content/plugins/custom-related-posts/dist/admin.js
Script Paths
/wp-content/plugins/custom-related-posts/dist/admin.js
Version Parameters
custom-related-posts/dist/public.css?ver=
custom-related-posts/dist/admin.css?ver=
custom-related-posts/dist/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
crp_remove_relation, crp_remove_relation_to, crp_remove_relation_both
Data Attributes
crp_remove_relation, crp_remove_relation_to, crp_remove_relation_both
JS Globals
crp_admin
REST Endpoints
/wp-json/custom-related-posts/v1/related