Native Custom Fields – Custom Content Types and Meta Fields Security & Risk Analysis

wordpress.org/plugins/native-custom-fields

Custom Content Types and Meta Fields built with WordPress native components. Modern, clean, and performance-focused.

0 active installs · v1.0.2 · PHP 7.4+ · WP 6.0+ · Updated Mar 18, 2026
block-editor · custom-fields · custom-post-type · gutenberg · meta-box
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Native Custom Fields – Custom Content Types and Meta Fields Safe to Use in 2026?

Generally Safe

Score 100/100

Native Custom Fields – Custom Content Types and Meta Fields has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The "native-custom-fields" plugin v1.0.2 demonstrates a generally good security posture with several strengths. The complete absence of known CVEs and critical/high severity taint flows is a positive indicator. Furthermore, the plugin utilizes prepared statements for all SQL queries, a crucial practice for preventing SQL injection vulnerabilities. A high percentage of properly escaped output also suggests a commitment to preventing cross-site scripting (XSS) attacks. The presence of nonce and capability checks on a good portion of its entry points also contributes to its security.

However, there are notable areas of concern. The plugin exposes a significant attack surface through AJAX handlers and REST API routes, with a portion of these entry points lacking essential authentication or permission checks. Specifically, one AJAX handler and two REST API routes are identified as unprotected. While taint analysis shows no immediate exploitable flows, these unprotected entry points represent potential gateways for unauthorized actions or information disclosure if further vulnerabilities exist or are introduced. The plugin also performs a file operation, which, without more context, is a potential area for concern if not handled securely.

Overall, while the plugin benefits from a clean vulnerability history and strong practices in SQL and output sanitization, the unprotected AJAX and REST API routes present a clear and immediate risk. Addressing these specific entry points should be the top priority for improving the plugin's security. The lack of recorded vulnerabilities is encouraging but doesn't negate the identified weaknesses in its current implementation.

Key Concerns

  • Unprotected AJAX handler
  • Unprotected REST API routes (2)
  • File operation present
Vulnerabilities
None known

Native Custom Fields – Custom Content Types and Meta Fields Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Native Custom Fields – Custom Content Types and Meta Fields Release Timeline

v1.0.2 (Current)
Code Analysis
Analyzed Apr 16, 2026

Native Custom Fields – Custom Content Types and Meta Fields Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 4 (120 escaped)
Nonce Checks: 4
Capability Checks: 20
File Operations: 1
External Requests: 0
Bundled Libraries: 0

Output Escaping

97% escaped · 124 total outputs
Attack Surface
3 unprotected

Native Custom Fields – Custom Content Types and Meta Fields Attack Surface

Entry Points: 11
Unprotected: 3

AJAX Handlers (1)

auth · wp_ajax_native_custom_fields_upload_files · includes/Services/AjaxService.php:23

REST API Routes (10)

GET · /wp-json/native-custom-fields/v1post-meta/get-post-types · includes/Presentation/Admin/Controllers/PostMetaController.php:54
GET · /wp-json/native-custom-fields/v1post-meta/get-post-meta-config-by-post-type · includes/Presentation/Admin/Controllers/PostMetaController.php:63
POST · /wp-json/native-custom-fields/v1post-meta/save-post-type-config · includes/Presentation/Admin/Controllers/PostMetaController.php:78
POST · /wp-json/native-custom-fields/v1post-meta/save-post-meta-fields-config · includes/Presentation/Admin/Controllers/PostMetaController.php:97
GET · /wp-json/native-custom-fields/v1/post-meta/delete-post-type · includes/Presentation/Admin/Controllers/PostMetaController.php:116
GET · /wp-json/native-custom-fields/v1term-meta/get-taxonomies · includes/Presentation/Admin/Controllers/TermMetaController.php:52
POST · /wp-json/native-custom-fields/v1term-meta/save-custom-taxonomy-config · includes/Presentation/Admin/Controllers/TermMetaController.php:61
POST · /wp-json/native-custom-fields/v1term-meta/save-term-meta-fields-config · includes/Presentation/Admin/Controllers/TermMetaController.php:80
GET · /wp-json/native-custom-fields/v1/term-meta/delete-taxonomy · includes/Presentation/Admin/Controllers/TermMetaController.php:99
POST · /wp-json/native-custom-fields/v1user-meta/save-user-meta-fields-config · includes/Presentation/Admin/Controllers/UserMetaController.php:49

WordPress Hooks (27)

action · plugins_loaded · includes/App.php:69
action · init · includes/App.php:72
action · admin_enqueue_scripts · includes/Presentation/Admin/Controllers/AdminController.php:30
action · admin_enqueue_scripts · includes/Presentation/Admin/Controllers/AdminController.php:31
action · customize_controls_enqueue_scripts · includes/Presentation/Admin/Controllers/AdminController.php:32
action · customize_controls_enqueue_scripts · includes/Presentation/Admin/Controllers/AdminController.php:33
action · admin_menu · includes/Presentation/Admin/Controllers/AdminController.php:34
action · admin_menu · includes/Presentation/Admin/Controllers/AdminController.php:35
action · admin_menu · includes/Presentation/Admin/Controllers/OptionsController.php:45
action · rest_api_init · includes/Presentation/Admin/Controllers/OptionsController.php:48
action · rest_api_init · includes/Presentation/Admin/Controllers/PostMetaController.php:39
action · rest_api_init · includes/Presentation/Admin/Controllers/TermMetaController.php:37
action · rest_api_init · includes/Presentation/Admin/Controllers/UserMetaController.php:37
action · wp_enqueue_scripts · includes/Presentation/Client/Controllers/ClientController.php:28
action · wp_enqueue_scripts · includes/Presentation/Client/Controllers/ClientController.php:29
action · init · includes/Services/PostMetaService.php:50
action · add_meta_boxes · includes/Services/PostMetaService.php:53
action · registered_post_type · includes/Services/PostMetaService.php:56
action · save_post · includes/Services/PostMetaService.php:59
action · init · includes/Services/TermMetaService.php:49
action · registered_taxonomy · includes/Services/TermMetaService.php:52
action · registered_taxonomy · includes/Services/TermMetaService.php:55
action · registered_taxonomy · includes/Services/TermMetaService.php:58
action · show_user_profile · includes/Services/UserMetaService.php:45
action · edit_user_profile · includes/Services/UserMetaService.php:46
action · personal_options_update · includes/Services/UserMetaService.php:49
action · edit_user_profile_update · includes/Services/UserMetaService.php:50

Maintenance & Trust

Native Custom Fields – Custom Content Types and Meta Fields Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 18, 2026
PHP min version: 7.4
Downloads: 233

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Native Custom Fields – Custom Content Types and Meta Fields Developer Profile

Kadim Gültekin

6 plugins · 760 total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 96 days
Detection Fingerprints

How We Detect Native Custom Fields – Custom Content Types and Meta Fields

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/native-custom-fields/build/admin/index.css
  • /wp-content/plugins/native-custom-fields/build/admin/index.js
  • /wp-content/plugins/native-custom-fields/includes/Presentation/Admin/Assets/img/ncf_icon.png

Version Parameters

  • native-custom-fields/build/admin/index.css?ver=
  • native-custom-fields/build/admin/index.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • native-custom-fields-post-meta-builder-wrapper
  • native-custom-fields-term-meta-builder-wrapper
  • native-custom-fields-user-meta-builder-wrapper

Data Attributes

  • data-nonce
  • data-assets-url
  • data-rest-url
  • data-ajax-url
  • data-admin-url
  • data-site-url

JS Globals

  • nativeCustomFieldsData