PixTypes Security & Risk Analysis

wordpress.org/plugins/pixtypes

A WordPress plugin for managing custom post types and custom meta boxes from a theme.

10K active installs · v2.0.0 · PHP 7.4+ · WP 6.0+ · Updated Feb 25, 2026
Tags: builder, custom, gallery, metadata, post-types
Score: 99
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Aug 11, 2023
Safety Verdict

Is PixTypes Safe to Use in 2026?

Generally Safe

Score 99/100

PixTypes has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Aug 11, 2023 · Updated 2mo ago
Risk Assessment

The pixtypes v2.0.0 plugin exhibits a generally strong security posture, evidenced by the absence of unpatched CVEs and a high percentage of properly escaped output. The code analysis reveals a clean slate regarding dangerous functions, raw SQL queries, file operations, and external HTTP requests. Furthermore, all identified AJAX handlers and REST API routes appear to have appropriate authentication checks in place, contributing to a limited attack surface with no immediately obvious unprotected entry points. The presence of nonce and capability checks further reinforces the plugin's defensive measures.

However, the taint analysis does raise some concerns. While no critical severity flows were detected, the presence of two high-severity flows with unsanitized paths indicates potential weaknesses where user-supplied input could be manipulated in unintended ways. The vulnerability history, while not currently featuring unpatched critical or high-severity issues, does show a past of medium-severity Cross-site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities. This historical pattern, coupled with the current high-severity taint flows, suggests a recurring need for diligent input validation and output encoding to prevent these types of attacks.

In conclusion, pixtypes v2.0.0 demonstrates good security practices in many areas, particularly in its handling of core database and file operations, and its adherence to authentication mechanisms. The plugin's vulnerability history and current taint analysis, however, highlight areas that require continued vigilance. Addressing the identified high-severity taint flows and maintaining robust input sanitization will be crucial for ensuring long-term security and preventing the recurrence of past vulnerability types.

Key Concerns

  • High severity taint flows with unsanitized paths
  • Medium severity vulnerabilities in history (XSS, CSRF)
  • Bundled outdated library (Select2 v1.0.1)
Vulnerabilities
2 published

PixTypes Security Vulnerabilities

CVEs by Year

2 CVEs in 2023

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2023-40205 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

PixTypes <= 1.4.15 - Reflected Cross-Site Scripting

Aug 11, 2023 · Patched in 1.4.16 (939d)

CVE-2023-25487 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

PixTypes <= 1.4.14 - Cross-Site Request Forgery

Apr 7, 2023 · Patched in 1.4.15 (291d)
Code Analysis
Analyzed Mar 16, 2026

PixTypes Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 52 (468 escaped)
Nonce Checks: 6
Capability Checks: 5
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Select2 1.0.1

Output Escaping

90% escaped · 520 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

4 flows · 3 with unsanitized paths
pixtypes_cmb_editor_footer_scripts (features\metaboxes\init.php:1116)
Attack Surface

PixTypes Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 4

auth · wp_ajax_unset_pixtypes · class-pixtypes.php:108
auth · wp_ajax_cmb_oembed_handler · features\metaboxes\init.php:1186
auth · wp_ajax_ajax_pixgallery_preview · features\metaboxes\init.php:1277
auth · wp_ajax_pixplaylist_preview · features\metaboxes\init.php:1305

WordPress Hooks 31
action · init · class-pixtypes.php:83
action · admin_menu · class-pixtypes.php:87
action · admin_enqueue_scripts · class-pixtypes.php:96
action · admin_enqueue_scripts · class-pixtypes.php:97
action · plugins_loaded · class-pixtypes.php:99
action · init · class-pixtypes.php:100
action · init · class-pixtypes.php:103
filter · cmb_render_pw_select · features\metaboxes\cmb-field-select2\cmb-field-select2.php:26
filter · cmb_render_pw_multiselect · features\metaboxes\cmb-field-select2\cmb-field-select2.php:27
filter · cmb_render_pw_multiselect_cpt · features\metaboxes\cmb-field-select2\cmb-field-select2.php:30
filter · cmb_render_pw_select_v2 · features\metaboxes\cmb-field-select2-v2\cmb-field-select2.php:26
filter · cmb_render_pw_multiselect_v2 · features\metaboxes\cmb-field-select2-v2\cmb-field-select2.php:27
filter · cmb_render_pw_multiselect_cpt_v2 · features\metaboxes\cmb-field-select2-v2\cmb-field-select2.php:30
action · admin_footer · features\metaboxes\fields\pix_builder.php:177
filter · tiny_mce_before_init · features\metaboxes\fields\pix_builder.php:210
action · admin_head · features\metaboxes\init.php:118
action · admin_menu · features\metaboxes\init.php:124
action · save_post · features\metaboxes\init.php:127
action · admin_head · features\metaboxes\init.php:129
filter · cmb_show_on · features\metaboxes\init.php:131
filter · default_hidden_meta_boxes · features\metaboxes\init.php:136
action · admin_enqueue_scripts · features\metaboxes\init.php:1108
action · admin_print_footer_scripts · features\metaboxes\init.php:1131
filter · get_media_item_args · features\metaboxes\init.php:1134
filter · _wp_post_revision_fields · features\metaboxes\init.php:1323
filter · _wp_post_revision_field__pile_project_builder · features\metaboxes\init.php:1342
action · wp_restore_post_revision · features\metaboxes\init.php:1363
action · save_post · features\metaboxes\init.php:1385
filter · cmb_meta_boxes · features\metaboxes\metaboxes.php:42
filter · cmb_meta_boxes · features\metaboxes\metaboxes.php:59
action · init · features\metaboxes\metaboxes.php:74

Maintenance & Trust

PixTypes Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Feb 25, 2026
PHP min version: 7.4
Downloads: 370K

Community Trust

Rating: 40/100
Number of ratings: 2
Active installs: 10K

Developer Profile

PixTypes Developer Profile

pixelgrade

8 plugins · 37K total installs

Trust score: 71
Avg Security Score: 88/100
Avg Patch Time: 214 days
Detection Fingerprints

How We Detect PixTypes

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2/js/select2/select2.min.js
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2/js/select2-init.js
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2/js/select2/select2.css
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2/css/select2.css
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2-v2/js/select2/select2.full.min.js
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2-v2/js/select2-init.js
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2-v2/js/select2/select2.css
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2-v2/css/select2.css
Script Paths
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2/js/select2/select2.min.js
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2/js/select2-init.js
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2-v2/js/select2/select2.full.min.js
/wp-content/plugins/pixtypes/features/metaboxes/cmb-field-select2-v2/js/select2-init.js
Version Parameters
pixtypes/features/metaboxes/cmb-field-select2/js/select2/select2.min.js?ver=
pixtypes/features/metaboxes/cmb-field-select2/js/select2/select2.css?ver=
pixtypes/features/metaboxes/cmb-field-select2-v2/js/select2/select2.full.min.js?ver=
pixtypes/features/metaboxes/cmb-field-select2-v2/js/select2/select2.css?ver=

HTML / DOM Fingerprints

CSS Classes
select2
Data Attributes
data-placeholder
data-allow-clear
JS Globals
pw_select2_data
pw_multiselect_data
pw_multiselect_cpt_data
pw_select2_v2_data
pw_multiselect_v2_data
pw_multiselect_cpt_v2_data

FAQ

Frequently Asked Questions about PixTypes