Custom Query Blocks Security & Risk Analysis

wordpress.org/plugins/post-type-archive-mapping

Map your archives to pages. Map 404 and term archives as well.

800 active installs · v5.6.0 · PHP 7.2+ · WP 6.5+ · Updated Mar 6, 2026
Tags: 404-page, archives, category-grid, map-pages, post-type-block
Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Aug 29, 2024
Safety Verdict

Is Custom Query Blocks Safe to Use in 2026?

Generally Safe

Score 99/100

Custom Query Blocks has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Aug 29, 2024 · Updated 28d ago
Risk Assessment

Based on static analysis, version 5.6.0 of the "post-type-archive-mapping" plugin shows a generally good security posture. The plugin makes effective use of WordPress security features: all identified entry points (AJAX handlers and REST API routes) appear to have proper authorization checks, SQL queries are 100% prepared, and output escaping is highly effective, with only a negligible percentage of outputs not properly escaped. The absence of dangerous functions, file operations, and external HTTP requests further strengthens its security. The plugin also implements nonce and capability checks, indicating an awareness of common WordPress security vulnerabilities. The lack of critical or high-severity taint flows is a very positive sign.

The plugin's vulnerability history, however, is a significant concern. Two medium-severity vulnerabilities have been recorded, one of them relatively recent (2024-08-29). They were of the Cross-site Scripting and Missing Authorization types, which are critical for any web application. There are currently no unpatched vulnerabilities, but the historical pattern suggests these types of issues could re-emerge if they are not vigilantly addressed in future development. The strength is the robust implementation of security features in the current version; the weakness is the historical presence of significant vulnerability types.

Key Concerns

  • Two medium severity CVEs recorded
  • Past Cross-site Scripting vulnerability
  • Past Missing Authorization vulnerability
Vulnerabilities
2

Custom Query Blocks Security Vulnerabilities

CVEs by Year

2 CVEs in 2024

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2024-44059 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom Query Blocks <= 5.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 29, 2024 · Patched in 5.4.0 (463d)

CVE-2024-38794 · medium · 5.3 · Missing Authorization

Custom Query Blocks <= 5.2.0 - Missing Authorization via REST Routes

Jul 22, 2024 · Patched in 5.3.0 (11d)
Code Analysis
Analyzed Mar 16, 2026

Custom Query Blocks Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 3 (395 escaped)
Nonce Checks: 2
Capability Checks: 8
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

99% escaped · 398 total outputs
Attack Surface

Custom Query Blocks Attack Surface

Entry Points: 8
Unprotected: 0

AJAX Handlers 1

auth · wp_ajax_ptam_dismiss_notice · includes\admin\tabs\class-settings.php:32

REST API Routes 7

POST /wp-json/ptam/v2/get_terms · includes\rest\class-rest.php:27
POST /wp-json/ptam/v2/get_posts · includes\rest\class-rest.php:38
POST /wp-json/ptam/v2/get_taxonomies · includes\rest\class-rest.php:49
POST /wp-json/ptam/v2/get_images · includes\rest\class-rest.php:60
POST /wp-json/ptam/v2/get_tax_terms · includes\rest\class-rest.php:71
POST /wp-json/ptam/v2/get_tax_term_data · includes\rest\class-rest.php:82
POST /wp-json/ptam/v2/get_featured_posts · includes\rest\class-rest.php:93

WordPress Hooks 40

action · admin_menu · includes\admin\class-admin-settings.php:23
filter · plugin_row_meta · includes\admin\class-admin-settings.php:25
filter · block_categories · includes\admin\class-gutenberg.php:20
filter · block_categories_all · includes\admin\class-gutenberg.php:22
filter · manage_pages_columns · includes\admin\class-page-columns.php:19
action · manage_pages_custom_column · includes\admin\class-page-columns.php:20
filter · ptam_admin_tabs · includes\admin\tabs\class-settings.php:29
filter · ptam_admin_sub_tabs · includes\admin\tabs\class-settings.php:30
filter · ptam_admin_tabs · includes\admin\tabs\class-support.php:29
filter · ptam_admin_sub_tabs · includes\admin\tabs\class-support.php:30
action · init · includes\blocks\custom-post-types\class-custom-post-types.php:23
action · after_setup_theme · includes\blocks\custom-post-types\class-custom-post-types.php:24
action · init · includes\blocks\featured-posts\class-posts.php:21
action · init · includes\blocks\term-grid\class-terms.php:21
action · enqueue_block_assets · includes\class-enqueue.php:25
action · enqueue_block_editor_assets · includes\class-enqueue.php:26
action · admin_enqueue_scripts · includes\class-enqueue.php:30
action · wp · includes\class-yoast.php:21
filter · wpseo_opengraph_desc · includes\class-yoast.php:25
filter · wpseo_twitter_description · includes\class-yoast.php:26
filter · wpseo_opengraph_title · includes\class-yoast.php:27
filter · wpseo_twitter_title · includes\class-yoast.php:28
filter · wpseo_opengraph_url · includes\class-yoast.php:29
filter · wpseo_json_ld_output · includes\class-yoast.php:31
action · rest_api_init · includes\rest\class-rest.php:20
filter · terms_clauses · includes\rest\class-rest.php:116
action · init · post-type-archive-mapping.php:79
action · admin_init · post-type-archive-mapping.php:157
action · pre_get_posts · post-type-archive-mapping.php:158
action · admin_notices · post-type-archive-mapping.php:161
filter · template_include · post-type-archive-mapping.php:164
action · edit_term · post-type-archive-mapping.php:382
action · plugins_loaded · post-type-archive-mapping.php:559
filter · ptam_the_content · post-type-archive-mapping.php:567
filter · ptam_the_content · post-type-archive-mapping.php:568
filter · ptam_the_content · post-type-archive-mapping.php:569
filter · ptam_the_content · post-type-archive-mapping.php:570
filter · ptam_the_content · post-type-archive-mapping.php:571
filter · ptam_the_content · post-type-archive-mapping.php:572
filter · ptam_the_content · post-type-archive-mapping.php:573
Maintenance & Trust

Custom Query Blocks Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Mar 6, 2026
PHP min version: 7.2
Downloads: 34K

Community Trust

Rating: 92/100
Number of ratings: 25
Active installs: 800
Developer Profile

Custom Query Blocks Developer Profile

Ronald Huereca

11 plugins · 29K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 93 days
Detection Fingerprints

How We Detect Custom Query Blocks

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/post-type-archive-mapping/assets/css/ptam-admin-style.css
/wp-content/plugins/post-type-archive-mapping/assets/css/ptam-style.css
/wp-content/plugins/post-type-archive-mapping/assets/js/ptam-admin-script.js
/wp-content/plugins/post-type-archive-mapping/assets/js/ptam-script.js
Script Paths
/wp-content/plugins/post-type-archive-mapping/assets/js/ptam-admin-script.js
/wp-content/plugins/post-type-archive-mapping/assets/js/ptam-script.js
Version Parameters
post-type-archive-mapping/assets/css/ptam-admin-style.css?ver=
post-type-archive-mapping/assets/css/ptam-style.css?ver=
post-type-archive-mapping/assets/js/ptam-admin-script.js?ver=
post-type-archive-mapping/assets/js/ptam-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
ptam-admin-settings
Data Attributes
_post_type_mapped_term_archive_mapping
JS Globals
PTAM_SPONSORS_URL