Custom HTML/PHP Post Templates Security & Risk Analysis

wordpress.org/plugins/html-php-pages-and-posts

Use your HTML or PHP files for any page or post.

70 active installs v2.0.0 PHP + WP 3.0.1+ Updated Jul 9, 2017
Tags: custom-pages, custom-posts, custom-templates, html, php
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Custom HTML/PHP Post Templates Safe to Use in 2026?

Generally Safe

Score 85/100

Custom HTML/PHP Post Templates has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 8yr ago
Risk Assessment

The "html-php-pages-and-posts" v2.0.0 plugin exhibits a generally good security posture based on the provided static analysis. The absence of dangerous functions, file operations, and external HTTP requests is a positive indicator. Furthermore, all SQL queries utilize prepared statements, which is a crucial security practice.

The primary area of concern lies in the output escaping. With only 6% of 33 outputs being properly escaped, there is a significant risk of Cross-Site Scripting (XSS) vulnerabilities. This means that user-supplied or dynamically generated content displayed on the frontend may not be adequately sanitized, potentially allowing attackers to inject malicious scripts.

The plugin's vulnerability history is clean, with no known CVEs. This, combined with the limited attack surface and apparent adherence to basic security practices like nonce and capability checks, suggests that the developers have a foundational understanding of security. However, the poor output escaping practices present a clear and present risk that needs immediate attention.

Key Concerns

  • Poor output escaping practices
Vulnerabilities
None known

Custom HTML/PHP Post Templates Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Custom HTML/PHP Post Templates Release Timeline

v2.0.3
v2.0.2
v2.0.1
v2.0.0 (Current)
v1.1.0
v1.0.0
Code Analysis
Analyzed Mar 16, 2026

Custom HTML/PHP Post Templates Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 31 (2 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

6% escaped · 33 total outputs
Attack Surface

Custom HTML/PHP Post Templates Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes: 1

[html_php_page_post]  html-php-pages-and-posts.php:31

WordPress Hooks: 8

filter  mime_types             html-php-pages-and-posts.php:26
filter  single_template        html-php-pages-and-posts.php:27
filter  template_include       html-php-pages-and-posts.php:28
filter  add_meta_boxes         html-php-pages-and-posts.php:29
action  save_post              html-php-pages-and-posts.php:30
action  admin_menu             html-php-pages-and-posts.php:33
action  admin_init             html-php-pages-and-posts.php:34
action  admin_enqueue_scripts  html-php-pages-and-posts.php:35
Maintenance & Trust

Custom HTML/PHP Post Templates Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.8.28
Last updated: Jul 9, 2017
PHP min version
Downloads: 8K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 70
Developer Profile

Custom HTML/PHP Post Templates Developer Profile

Stephen AfamO

1 plugin · 70 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Custom HTML/PHP Post Templates

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/html-php-pages-and-posts/admin/js/custom-pages-and-posts.js
/wp-content/plugins/html-php-pages-and-posts/admin/css/custom-pages-and-posts.css
Script Paths
/wp-content/plugins/html-php-pages-and-posts/admin/js/custom-pages-and-posts.js

HTML / DOM Fingerprints

Data Attributes
onclick="select_template(event,
onclick="delete_template(event,
JS Globals
select_template
delete_template
Shortcode Output
[html_php_page_post]