Flow Fields Security & Risk Analysis

wordpress.org/plugins/flow-fields

Flow Fields is a WordPress plugin that allows you to easily add custom fields to your posts, pages, and other custom post types.

10 active installs · v1.1.5 · PHP + · WP 5.0+ · Updated Jan 28, 2024
Tags: acf, custom-fields, meta-boxes
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Flow Fields Safe to Use in 2026?

Generally Safe

Score 85/100

Flow Fields has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2yr ago
Risk Assessment

The "flow-fields" plugin v1.1.5 exhibits a mixed security posture. While it demonstrates good practices in SQL query sanitization and output escaping, there are significant concerns regarding its attack surface and lack of authorization checks on entry points. The static analysis reveals a total of 5 entry points, with a concerning 4 of them lacking any authentication or authorization checks. This means that any unauthenticated user could potentially interact with these unprotected AJAX handlers, leading to unintended actions or information disclosure.

Taint analysis further exacerbates these concerns, with 8 out of 11 analyzed flows involving unsanitized paths. The presence of 5 high-severity taint flows directly indicates potential vulnerabilities where user-supplied data could be misused, possibly leading to code execution or other critical issues. The absence of any recorded vulnerabilities in its history is a positive indicator, suggesting the developers have not introduced known, exploitable flaws in the past. However, this does not negate the risks identified in the current code analysis.

In conclusion, the "flow-fields" plugin has strengths in its handling of SQL and output, but the large number of unprotected AJAX handlers and high-severity taint flows present substantial risks. The plugin's security can be significantly improved by implementing proper authorization checks on all AJAX handlers and addressing the unsanitized path issues identified in the taint analysis.

Key Concerns

  • AJAX handlers without auth checks
  • High severity taint flows
  • Flows with unsanitized paths
  • No nonce checks on AJAX
  • Limited capability checks
Vulnerabilities
None known

Flow Fields Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Flow Fields Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

Flow Fields Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 13 (35 prepared)
Unescaped Output: 35 (658 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 1
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

73% prepared · 48 total queries

Output Escaping

95% escaped · 693 total outputs
Data Flows · Security
8 unsanitized

Data Flow Analysis

11 flows · 8 with unsanitized paths
flow_tools_admin_page (includes\templates\create_admin_pages.php:227)
Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized
Attack Surface
4 unprotected

Flow Fields Attack Surface

Entry Points: 5
Unprotected: 4

AJAX Handlers 4

auth · wp_ajax_my_select2_ajax_handler · includes\fields\flow_fields_output.php:835
nopriv · wp_ajax_my_select2_ajax_handler · includes\fields\flow_fields_output.php:838
auth · wp_ajax_get_box_data · includes\templates\create_admin_pages.php:484
nopriv · wp_ajax_get_box_data · includes\templates\create_admin_pages.php:485

Shortcodes 1

[ff] includes\general_functions.php:333
WordPress Hooks 18
action · plugins_loaded · flow-fields.php:17
action · init · includes\cpt\flow_cpt_admin.php:531
filter · bricks/dynamic_tags_list · includes\fields\flow_fields_for_bricks.php:8
filter · bricks/dynamic_data/render_content · includes\fields\flow_fields_for_bricks.php:27
filter · bricks/frontend/render_data · includes\fields\flow_fields_for_bricks.php:28
filter · bricks/setup/control_options · includes\fields\flow_fields_for_bricks.php:61
filter · bricks/query/run · includes\fields\flow_fields_for_bricks.php:63
filter · bricks/query/loop_object · includes\fields\flow_fields_for_bricks.php:65
action · save_post · includes\fields\flow_fields_manage.php:76
action · add_meta_boxes · includes\fields\flow_fields_output.php:29
action · admin_notices · includes\general_functions.php:554
action · admin_init · includes\general_functions.php:562
action · admin_notices · includes\general_functions.php:574
action · init · includes\taxonomies\flow_tax.php:265
action · admin_enqueue_scripts · includes\templates\admin_assets.php:20
action · admin_enqueue_scripts · includes\templates\admin_assets.php:31
action · admin_init · includes\templates\create_admin_pages.php:75
action · admin_menu · includes\templates\create_admin_pages.php:78
Maintenance & Trust

Flow Fields Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.2.9
Last updated: Jan 28, 2024
PHP min version
Downloads: 1K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 10
Developer Profile

Flow Fields Developer Profile

Flow Byte

3 plugins · 20 total installs

Trust score: 85
Avg Security Score: 87/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Flow Fields

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/flow-fields/assets/flow-fields.js
/wp-content/plugins/flow-fields/assets/flow-relationship-fields.js
/wp-content/plugins/flow-fields/assets/flow-fields-conditional-manage.js
/wp-content/plugins/flow-fields/assets/flow-fields-conditional-output.js
/wp-content/plugins/flow-fields/assets/flow-cpt.js
/wp-content/plugins/flow-fields/assets/flow-tax.js
/wp-content/plugins/flow-fields/assets/flow-fields.css
Script Paths
../../assets/flow-fields.js
../../assets/flow-relationship-fields.js
../../assets/flow-fields-conditional-manage.js
../../assets/flow-fields-conditional-output.js
../../assets/flow-cpt.js
../../assets/flow-tax.js
Version Parameters
flow-fields/style.css?ver=
flow-fields.js?ver=
flow-relationship-fields.js?ver=
flow-fields-conditional-manage.js?ver=
flow-fields-conditional-output.js?ver=
flow-cpt.js?ver=
flow-tax.js?ver=
flow-fields.css?ver=

HTML / DOM Fingerprints

CSS Classes
flow-field-wrap
flow-field-control
Data Attributes
data-flow-field-type
JS Globals
my_select2