Meta Box Security & Risk Analysis

wordpress.org/plugins/meta-box

Meta Box plugin is a powerful, professional developer toolkit to create custom meta boxes and custom fields for your custom post types in WordPress.

500K active installs v5.11.2 PHP 7.1+ WP 6.5+ Updated Mar 5, 2026
Tags: custom-fields, custom-post-types, custom-taxonomies, meta-box, post-type
Score: 89 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: Mar 6, 2026
Safety Verdict

Is Meta Box Safe to Use in 2026?

Generally Safe

Score 89/100

Meta Box has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Mar 6, 2026 · Updated 1mo ago
Risk Assessment

The static analysis of Meta Box v5.11.2 indicates a generally strong security posture with close adherence to secure coding practices. The plugin escapes 99% of its output and uses prepared statements for all SQL queries. Nonce and capability checks are present on its entry points (all 11 are protected), which further strengthens its security. No dangerous functions, critical or high severity taint flows, or unsanitized paths were found.

However, the vulnerability history is a significant concern. The plugin has 6 known CVEs, 3 of high and 3 of medium severity. The types of past vulnerabilities (Path Traversal, Exposure of Sensitive Information, Cross-site Scripting, Missing Authorization, and External Control of File Name or Path) suggest recurring issues with input validation and authorization, even though current analysis shows these are addressed. The last reported vulnerability was in March 2026, shortly before this analysis, so the plugin's history of high-severity security flaws is recent.

In conclusion, while the current version of Meta Box v5.11.2 exhibits strong secure coding practices and a clean static analysis, its past vulnerability history necessitates caution. Users should remain vigilant and ensure they are always running the latest patched versions, as the plugin has demonstrated a tendency for exploitable security flaws in the past. The success in addressing past issues is positive, but the sheer number and severity of historical vulnerabilities cannot be overlooked.

Key Concerns

  • History of high severity vulnerabilities
  • History of medium severity vulnerabilities
  • Bundled library Select2 (potentially outdated component)
Vulnerabilities
6

Meta Box Security Vulnerabilities

CVEs by Year

  • 2019: 2 CVEs
  • 2024: 3 CVEs
  • 2026: 1 CVE

Severity Breakdown

High: 3
Medium: 3

6 total CVEs

CVE-2025-14675 · high · 7.2 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Meta Box <= 5.11.1 - Authenticated (Contributor+) Arbitrary File Deletion
Mar 6, 2026 · Patched in 5.11.2 (1d)

CVE-2024-43235 · medium · 4.3 · Missing Authorization
Meta Box – WordPress Custom Fields Framework <= 5.9.10 - Missing Authorization to Information Exposure
Aug 9, 2024 · Patched in 5.9.11 (5d)

CVE-2024-1204 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor
Meta Box – WordPress Custom Fields Framework <= 5.9.3 - Authenticated (Contributor+) Information Exposure via Post Meta
Mar 25, 2024 · Patched in 5.9.4 (30d)

CVE-2023-6526 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Meta Box – WordPress Custom Fields Framework <= 5.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Feb 5, 2024 · Patched in 5.9.3 (176d)

CVE-2019-14793 · high · 8.1 · Missing Authorization
Meta Box - WordPress Custom Fields Framework <= 4.16.2 - File Deletion via attachment_id Parameter
Feb 2, 2019 · Patched in 4.16.3 (1816d)

CVE-2019-14794 · high · 7.5 · External Control of File Name or Path
Meta Box <= 4.16.1 - Mishandling of File Upload
Feb 1, 2019 · Patched in 4.16.2 (1817d)

Code Analysis
Analyzed Mar 16, 2026

Meta Box Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 2 (171 escaped)
Nonce Checks: 9
Capability Checks: 5
File Operations: 5
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

99% escaped · 173 total outputs

Attack Surface

Meta Box Attack Surface

Entry Points: 11
Unprotected: 0

AJAX Handlers 10

auth · wp_ajax_rwmb_delete_file · inc\fields\file.php:23
auth · wp_ajax_rwmb_get_embed · inc\fields\oembed.php:37
auth · wp_ajax_rwmb_get_posts · inc\fields\post.php:9
nopriv · wp_ajax_rwmb_get_posts · inc\fields\post.php:10
auth · wp_ajax_rwmb_get_terms · inc\fields\taxonomy.php:9
nopriv · wp_ajax_rwmb_get_terms · inc\fields\taxonomy.php:10
auth · wp_ajax_rwmb_get_users · inc\fields\user.php:9
nopriv · wp_ajax_rwmb_get_users · inc\fields\user.php:10
auth · wp_ajax_mb_dashboard_plugin_action · src\Dashboard\Dashboard.php:46
auth · wp_ajax_mb_dashboard_feed · src\Dashboard\Dashboard.php:49

Shortcodes 1

[rwmb_meta] inc\shortcode.php:6
WordPress Hooks 38
filter · plugin_action_links_meta-box/meta-box.php · inc\core.php:4
action · init · inc\core.php:7
action · edit_page_form · inc\core.php:8
filter · should_load_block_editor_scripts_and_styles · inc\fields\block-editor.php:51
action · post_edit_form_tag · inc\fields\file.php:22
filter · upload_dir · inc\fields\file.php:487
filter · posts_search · inc\fields\post.php:131
action · clean_user_cache · inc\fields\user.php:11
action · init · inc\media-modal.php:15
filter · attachment_fields_to_edit · inc\media-modal.php:17
filter · attachment_fields_to_save · inc\media-modal.php:18
action · admin_enqueue_scripts · inc\meta-box.php:80
action · add_meta_boxes · inc\meta-box.php:101
filter · default_hidden_meta_boxes · inc\meta-box.php:104
action · edit_attachment · inc\meta-box.php:111
action · add_attachment · inc\meta-box.php:112
filter · rwmb_sanitize · inc\sanitizer.php:7
action · rwmb_after · inc\validation.php:7
action · rwmb_enqueue_scripts · inc\validation.php:8
filter · plugin_action_links_meta-box/meta-box.php · src\Dashboard\Dashboard.php:33
action · admin_menu · src\Dashboard\Dashboard.php:36
action · admin_menu · src\Dashboard\Dashboard.php:37
action · admin_head · src\Dashboard\Dashboard.php:40
action · activated_plugin · src\Dashboard\Dashboard.php:43
filter · plugins_api_result · src\FeaturedPlugins.php:6
filter · block_categories_all · src\Integrations\Block.php:6
filter · bricks/builder/i18n · src\Integrations\Bricks.php:6
action · elementor/elements/categories_registered · src\Integrations\Elementor.php:6
action · oxygen_add_plus_sections · src\Integrations\Oxygen.php:7
action · init · src\Integrations\WPML.php:14
filter · wpml_duplicate_generic_string · src\Integrations\WPML.php:21
filter · rwmb_normalize_field · src\Integrations\WPML.php:22
filter · rwmb_get_value · src\Integrations\WPML.php:25
filter · _rwmb_post_format_single_value · src\Integrations\WPML.php:26
action · init · src\Updater\Checker.php:15
filter · pre_set_site_transient_update_plugins · src\Updater\Checker.php:20
filter · plugins_api · src\Updater\Checker.php:21
filter · rwmb_admin_menu · src\Updater\Settings.php:28

Maintenance & Trust

Meta Box Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 5, 2026
PHP min version: 7.1
Downloads: 23.1M

Community Trust

Rating: 96/100
Number of ratings: 162
Active installs: 500K

Developer Profile

Meta Box Developer Profile

Meta Box

2 plugins · 500K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 641 days

Detection Fingerprints

How We Detect Meta Box

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/meta-box/css/color.css
  • /wp-content/plugins/meta-box/css/file-input.css
  • /wp-content/plugins/meta-box/css/select.css
  • /wp-content/plugins/meta-box/css/wysiwyg.css
  • /wp-content/plugins/meta-box/css/slider.css
  • /wp-content/plugins/meta-box/css/datetime.css
  • /wp-content/plugins/meta-box/css/number.css
  • /wp-content/plugins/meta-box/css/range.css
  • (+94 more)
Script Paths
  • /wp-content/plugins/meta-box/js/color.js
  • /wp-content/plugins/meta-box/js/file-input.js
  • /wp-content/plugins/meta-box/js/select.js
  • /wp-content/plugins/meta-box/js/wysiwyg.js
  • /wp-content/plugins/meta-box/js/slider.js
  • /wp-content/plugins/meta-box/js/datetime.js
  • (+95 more)

HTML / DOM Fingerprints

CSS Classes
rwmb-autocomplete-search, rwmb-autocomplete, rwmb-autocomplete-results, rwmb-autocomplete-result, rwmb-autocomplete-value, rwmb-background-row
HTML Comments
<!-- .rwmb-autocomplete-results --> <!-- .rwmb-autocomplete-result --> <!-- .rwmb-background-row -->
Data Attributes
data-options
JS Globals
RWMB_Autocomplete