Effortless Custom Fields :: ECF Security & Risk Analysis

wordpress.org/plugins/effortless-custom-fields

World’s least confusing custom fields plugin.

0 active installs v1.0 PHP 5.6.2+ WP 5.0+ Updated Apr 16, 2025
custom-fields, meta-fields, metabox, postmeta, profile-fields
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Effortless Custom Fields :: ECF Safe to Use in 2026?

Generally Safe

Score 100/100

Effortless Custom Fields :: ECF has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 11mo ago
Risk Assessment

The 'effortless-custom-fields' v1.0 plugin exhibits a significant security concern due to its extensive use of AJAX handlers without proper authentication or authorization checks. With all seven identified AJAX entry points lacking these essential security measures, it creates a large attack surface that could be exploited by unauthenticated users. While the plugin demonstrates good practices in other areas, such as using prepared statements for SQL queries and a high percentage of properly escaped output, these strengths are overshadowed by the critical vulnerability in its AJAX handling.

The taint analysis, though limited in scope, did not reveal critical or high-severity unsanitized path flows. Furthermore, the plugin's vulnerability history is clean, with no recorded CVEs. This suggests a potential for good development hygiene in general. However, the lack of recorded vulnerabilities could also mean that specific attack vectors targeting the unprotected AJAX endpoints have not yet been discovered or reported, making the existing unprotected entry points a latent, but significant, risk.

In conclusion, while 'effortless-custom-fields' v1.0 scores points for its secure database interactions and output escaping, the complete absence of authentication on its AJAX handlers presents a critical security weakness. This oversight poses a substantial risk and requires immediate attention. Users should be strongly advised to ensure proper access controls are implemented on these AJAX endpoints or to seek alternative solutions until this vulnerability is addressed.

Key Concerns

  • AJAX handlers without authentication checks
  • Large attack surface without authentication
  • Flows with unsanitized paths (3)
  • Limited capability checks
Vulnerabilities
None known

Effortless Custom Fields :: ECF Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Effortless Custom Fields :: ECF Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 46 (351 escaped)
Nonce Checks: 8
Capability Checks: 1
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Output Escaping

88% escaped · 397 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
save_config (inc\Ajax_Actions.php:124)
Attack Surface
7 unprotected

Effortless Custom Fields :: ECF Attack Surface

Entry Points: 7
Unprotected: 7

AJAX Handlers: 7

  • auth · wp_ajax_effcf_save_config · inc\Ajax_Actions.php:37
  • auth · wp_ajax_effcf_save_new_format · inc\Ajax_Actions.php:38
  • auth · wp_ajax_effcf_import_config · inc\Ajax_Actions.php:39
  • auth · wp_ajax_effcf_load_config · inc\Ajax_Actions.php:40
  • auth · wp_ajax_effcf_load_all_posts · inc\Ajax_Actions.php:41
  • auth · wp_ajax_effcf_load_all_terms · inc\Ajax_Actions.php:42
  • auth · wp_ajax_effcf_load_embed · inc\Ajax_Actions.php:43

WordPress Hooks: 25

  • action · admin_enqueue_scripts · inc\Assets_Loader.php:34
  • action · admin_enqueue_scripts · inc\Assets_Loader.php:35
  • action · wp_enqueue_scripts · inc\Assets_Loader.php:36
  • action · admin_footer · inc\Assets_Loader.php:46
  • filter · script_loader_tag · inc\Assets_Loader.php:48
  • action · effcf_before_field_create · inc\builders\Customizer_Fields.php:89
  • action · add_meta_boxes · inc\builders\Custom_Fields.php:53
  • action · save_post · inc\builders\Custom_Fields.php:57
  • action · edit_attachment · inc\builders\Custom_Fields.php:61
  • filter · wp_setup_nav_menu_item · inc\builders\Menu_Fields.php:53
  • filter · wp_update_nav_menu_item · inc\builders\Menu_Fields.php:54
  • filter · wp_edit_nav_menu_walker · inc\builders\Menu_Fields.php:55
  • action · wp_nav_menu_item_custom_fields · inc\builders\Menu_Fields.php:57
  • action · show_user_profile · inc\builders\Profile_Fields.php:53
  • action · personal_options_update · inc\builders\Profile_Fields.php:54
  • action · edit_term · inc\builders\Taxonomy_Fields.php:66
  • action · created_term · inc\builders\Taxonomy_Fields.php:70
  • action · customize_controls_print_footer_scripts · inc\Facades_Autoloader.php:50
  • action · admin_footer · inc\Facades_Autoloader.php:51
  • action · admin_init · inc\factories\Fields_Factory.php:65
  • action · customize_register · inc\factories\Fields_Factory.php:204
  • action · admin_menu · inc\Initializer.php:75
  • filter · cron_schedules · inc\Initializer.php:118
  • action · admin_print_footer_scripts · inc\inputs\Dropdown.php:43
  • action · customize_controls_print_footer_scripts · inc\inputs\Dropdown.php:44
Maintenance & Trust

Effortless Custom Fields :: ECF Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Apr 16, 2025
PHP min version: 5.6.2
Downloads: 1K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 0
Developer Profile

Effortless Custom Fields :: ECF Developer Profile

Paras Ralhan

2 plugins · 10 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Effortless Custom Fields :: ECF

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/effortless-custom-fields/assets/css/front-end.css
  • /wp-content/plugins/effortless-custom-fields/assets/dist/libs/jquery.ui.touch-punch.min.js
  • /wp-content/plugins/effortless-custom-fields/assets/dist/libs/jquery.ui.sortable-animation.js
  • /wp-content/plugins/effortless-custom-fields/assets/dist/libs/ionicons/ionicons.js
  • /wp-content/plugins/effortless-custom-fields/assets/dist/libs/ionicons/ionicons.esm.js
  • /wp-content/plugins/effortless-custom-fields/assets/dist/js/real-fields-bundle.js
  • /wp-content/plugins/effortless-custom-fields/assets/dist/js/builder-bundle.js
Script Paths
  • /wp-content/plugins/effortless-custom-fields/assets/dist/libs/jquery.ui.touch-punch.min.js
  • /wp-content/plugins/effortless-custom-fields/assets/dist/libs/jquery.ui.sortable-animation.js
  • /wp-content/plugins/effortless-custom-fields/assets/dist/libs/ionicons/ionicons.js
  • /wp-content/plugins/effortless-custom-fields/assets/dist/libs/ionicons/ionicons.esm.js
  • /wp-content/plugins/effortless-custom-fields/assets/dist/js/real-fields-bundle.js
  • /wp-content/plugins/effortless-custom-fields/assets/dist/js/builder-bundle.js
Version Parameters
  • effortless-custom-fields/assets/css/front-end.css?ver=1.0.0
  • effortless-custom-fields/assets/dist/libs/jquery.ui.touch-punch.min.js?ver=0.0.2
  • effortless-custom-fields/assets/dist/libs/jquery.ui.sortable-animation.js?ver=0.0.1
  • effortless-custom-fields/assets/dist/libs/ionicons/ionicons.js?ver=0.0.2
  • effortless-custom-fields/assets/dist/libs/ionicons/ionicons.esm.js?ver=0.0.2
  • effortless-custom-fields/assets/dist/js/real-fields-bundle.js?ver=0.0.3
  • effortless-custom-fields/assets/dist/js/builder-bundle.js?ver=0.0.2

HTML / DOM Fingerprints

CSS Classes
effcf-builder-container
HTML Comments
  • <!-- Start: EFFCF Builder -->
  • <!-- End: EFFCF Builder -->
  • <!-- Start: EFFCF Real Fields -->
  • <!-- End: EFFCF Real Fields -->
Data Attributes
  • data-effcf-field-id
  • data-effcf-field-type
JS Globals
  • window.EFFCF_APP_CONFIG
  • window.EFFCF_APP_CONSTANTS
REST Endpoints
/wp-json/effortless-custom-fields/v1/save