Magic Fields 2 Toolkit Security & Risk Analysis

wordpress.org/plugins/magic-fields-2-toolkit

A toolkit for the Magic Fields 2 plugin for media-oriented CMS web design by non-programmers.

20 active installs · v1.2.1.2.1 · PHP + · WP 3.6+ · Updated Nov 15, 2015
custom-fields · post-copier · shortcodes · templates
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Magic Fields 2 Toolkit Safe to Use in 2026?

Generally Safe

Score 85/100

Magic Fields 2 Toolkit has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10yr ago
Risk Assessment

The Magic Fields 2 Toolkit plugin exhibits a concerning security posture primarily due to a significant number of unprotected AJAX handlers and a lack of proper output escaping. While the plugin demonstrates good practices in its use of prepared statements for SQL queries and the absence of known CVEs, the raw number of entry points that lack authentication checks opens the door to potential unauthorized actions. The taint analysis revealing flows with unsanitized paths, particularly two of high severity, points to direct risks of data manipulation or execution if these flows are reachable by attackers. The limited nonce checks and zero capability checks further exacerbate these issues, suggesting that attackers could potentially trigger these vulnerabilities without significant hurdles.

The clean vulnerability history is positive, but it does not negate the risks identified in the static and taint analysis. The absence of known vulnerabilities might be due to a lack of rigorous public security auditing, or the identified potential weaknesses may simply not have been exploited in the wild yet. The critical findings in taint analysis and the high number of unprotected AJAX endpoints are the most pressing concerns. Overall, while the plugin has some positive aspects like prepared SQL statements, the identified weaknesses represent a substantial risk that requires immediate attention and remediation to ensure the security of WordPress sites using this plugin.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flows
  • Low output escaping coverage
  • Unsanitized paths in taint analysis
  • Dangerous function: unserialize
  • Missing capability checks
  • Limited nonce checks
Vulnerabilities
None known

Magic Fields 2 Toolkit Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Magic Fields 2 Toolkit Code Analysis

Dangerous Functions: 9
Raw SQL Queries: 12 (120 prepared)
Unescaped Output: 307 (14 escaped)
Nonce Checks: 1
Capability Checks: 0
File Operations: 7
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize (alt_dropdown_field\alt_dropdown_field.php:77)
    $values = ( $field[ 'input_value' ] ) ? ( is_serialized( $field[ 'input_value' ] ) ) ? unserialize(
unserialize (alt_embed_field\alt_embed_field.php:179)
    $options = unserialize( $wpdb->get_var( $wpdb->prepare( 'SELECT options FROM ' . MF_TABLE_CUSTOM_FIE
unserialize (alt_media_field.php:289)
    $options = unserialize( $result['options'] );
unserialize (alt_related_type_field\alt_related_type_field.php:89)
    $values = ( $field[ 'input_value' ] ) ? ( is_serialized( $field[ 'input_value' ] ) ) ? unserialize(
unserialize (magic-fields-2-search-by-custom-field-kai.php:695)
    $entries = unserialize( $meta_value );
unserialize (magic-fields-2-toolkit.php:324)
    $options = unserialize( $mf_field->options );
unserialize (magic-fields-2-toolkit.php:436)
    $result['options'] = unserialize($result['options']);
unserialize (magic-fields-2-toolkit.php:439)
    $result['meta_value'] = unserialize( $result['meta_value'] );
unserialize (magic-fields-2-utility-functions.php:134)
    $field_options_cache_item[ $result[ 'name' ] ] = unserialize( $result[ 'options' ] );

SQL Query Safety

91% prepared · 132 total queries

Output Escaping

4% escaped · 321 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

7 flows · 6 with unsanitized paths
admin_refresh (alt_embed_field\alt_embed_field.php:176)
[Flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized]
Attack Surface
7 unprotected

Magic Fields 2 Toolkit Attack Surface

Entry Points: 7
Unprotected: 7

AJAX Handlers 7

auth · wp_ajax_mf2tk_update_content_macro (magic-fields-2-dumb-macros.php:128)
auth · wp_ajax_tpcti_eval_post_content (magic-fields-2-dumb-macros.php:155)
nopriv · wp_ajax_tpcti_eval_post_content (magic-fields-2-dumb-macros.php:309)
auth · wp_ajax_mf2tk_get_search_result_template_form (magic-fields-2-search-by-custom-field-kai.php:808)
auth · wp_ajax_mf2tk_get_search_result_template (magic-fields-2-search-by-custom-field-kai.php:1096)
auth · wp_ajax_mf2tk_update_search_result_template (magic-fields-2-search-by-custom-field-kai.php:1110)
auth · wp_ajax_mf2tk_sync_fields (magic-fields-2-toolkit-settings.php:261)
WordPress Hooks 44
action · admin_enqueue_scripts (alt_table_field\alt_table_field.php:3)
action · admin_enqueue_scripts (magic-fields-2-clean-files_mf.php:23)
action · admin_notices (magic-fields-2-clean-files_mf.php:131)
action · settings_page_magic-fields-2-toolkit-page (magic-fields-2-clean-files_mf.php:137)
action · admin_menu (magic-fields-2-clean-files_mf.php:144)
filter · post_row_actions (magic-fields-2-custom-post-copier.php:31)
action · admin_action_magic_fields_2_toolkit_copy_post (magic-fields-2-custom-post-copier.php:38)
action · admin_notices (magic-fields-2-custom-post-copier.php:105)
action · init (magic-fields-2-dumb-macros.php:77)
filter · post_row_actions (magic-fields-2-dumb-macros.php:165)
action · admin_head (magic-fields-2-dumb-macros.php:180)
action · admin_enqueue_scripts (magic-fields-2-dumb-macros.php:217)
action · admin_footer-post.php (magic-fields-2-dumb-macros.php:296)
action · admin_footer-post-new.php (magic-fields-2-dumb-macros.php:297)
action · admin_footer-post.php (magic-fields-2-dumb-macros.php:298)
action · admin_footer-post-new.php (magic-fields-2-dumb-macros.php:299)
action · load-post-new.php (magic-fields-2-dumb-macros.php:302)
action · load-post.php (magic-fields-2-dumb-macros.php:303)
action · admin_init (magic-fields-2-dumb-macros.php:1002)
action · admin_menu (magic-fields-2-dumb-macros.php:1105)
filter · the_content (magic-fields-2-dumb-shortcodes-kai.php:67)
action · wp_enqueue_scripts (magic-fields-2-dumb-shortcodes-kai.php:136)
action · widgets_init (magic-fields-2-search-by-custom-field-kai.php:505)
action · admin_enqueue_scripts (magic-fields-2-search-by-custom-field-kai.php:513)
action · admin_head (magic-fields-2-search-by-custom-field-kai.php:522)
action · wp_enqueue_scripts (magic-fields-2-search-by-custom-field-kai.php:1142)
action · parse_query (magic-fields-2-search-by-custom-field-kai.php:1149)
filter · posts_where (magic-fields-2-search-by-custom-field-kai.php:1160)
filter · query_string (magic-fields-2-search-by-custom-field-kai.php:1391)
filter · post_limits (magic-fields-2-search-by-custom-field-kai.php:1402)
action · wp_enqueue_scripts (magic-fields-2-search-by-custom-field-kai.php:1409)
action · template_redirect (magic-fields-2-search-by-custom-field-kai.php:1421)
action · wp_head (magic-fields-2-search-by-custom-field-kai.php:1497)
action · admin_notices (magic-fields-2-toolkit-loader.php:41)
action · admin_notices (magic-fields-2-toolkit-loader.php:57)
action · admin_enqueue_scripts (magic-fields-2-toolkit-settings.php:69)
action · admin_init (magic-fields-2-toolkit-settings.php:77)
action · admin_menu (magic-fields-2-toolkit-settings.php:236)
action · admin_init (magic-fields-2-toolkit.php:24)
action · admin_notices (magic-fields-2-toolkit.php:26)
action · admin_enqueue_scripts (magic-fields-2-toolkit.php:34)
action · save_post (magic-fields-2-toolkit.php:316)
filter · plugin_action_links (magic-fields-2-toolkit.php:374)
action · plugins_loaded (magic-fields-2-toolkit.php:381)
Maintenance & Trust

Magic Fields 2 Toolkit Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.2.39
Last updated: Nov 15, 2015
PHP min version
Downloads: 7K

Community Trust

Rating: 60/100
Number of ratings: 3
Active installs: 20
Developer Profile

Magic Fields 2 Toolkit Developer Profile

Magenta Cuda

4 plugins · 40 total installs

Trust score: 86
Avg Security Score: 89/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Magic Fields 2 Toolkit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/magic-fields-2-toolkit/css/mf2tk_admin.css
/wp-content/plugins/magic-fields-2-toolkit/js/mf2tk_admin.js
/wp-content/plugins/magic-fields-2-toolkit/js/mf2tk_alt_media.js
Script Paths
/wp-content/plugins/magic-fields-2-toolkit/js/mf2tk_admin.js
/wp-content/plugins/magic-fields-2-toolkit/js/mf2tk_alt_media.js

HTML / DOM Fingerprints

HTML Comments
Copyright 2013 Magenta Cuda This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License, version 2, as published by the Free Software Foundation.
(+29 more)
Data Attributes
data-mf2tk-key
JS Globals
mf2tkDisableHowToUse
mf2tk_admin_data
Shortcode Output
[show_custom_field
FAQ

Frequently Asked Questions about Magic Fields 2 Toolkit