
Profile CCT Security & Risk Analysis
wordpress.org/plugins/profile-custom-content-type
Manage and display advanced user profiles on your website.
Is Profile CCT Safe to Use in 2026?
Generally Safe
Score 85/100
Profile CCT has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The plugin "profile-custom-content-type" v1.3.2 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all its SQL queries and incorporates a reasonable number of nonce and capability checks within its codebase. Its vulnerability history is clean, with no recorded CVEs, suggesting a history of responsible development or a lack of past exploitable issues. However, there are significant concerns regarding its attack surface and data sanitization.
Specifically, the plugin exposes two AJAX handlers, with one entirely lacking authentication checks. This unprotected entry point is a critical security risk, as it could be leveraged by unauthenticated users to execute arbitrary code or manipulate data if not properly secured within the handler's logic. Furthermore, the taint analysis reveals three flows with unsanitized paths, indicating potential vulnerabilities where user-supplied data might not be adequately validated or escaped before being used in sensitive operations, despite the absence of reported critical or high severity taint flows.
While the plugin has a clean vulnerability history, the identified structural weaknesses in the attack surface and the potential for unsanitized data flows warrant caution. The lack of proper authentication on one AJAX endpoint is a direct and significant risk. Output escaping is also a concern: only 26% of outputs are properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities.
Key Concerns
- AJAX handler without auth check
- Low percentage of properly escaped output
- Flows with unsanitized paths
Profile CCT Security Vulnerabilities
Profile CCT Code Analysis
SQL Query Safety
Output Escaping
Data Flow Analysis
Profile CCT Attack Surface
- AJAX Handlers: 2
- WordPress Hooks: 4
Profile CCT Maintenance & Trust
Maintenance Signals
Community Trust
Profile CCT Alternatives
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin
ultimate-member
Membership & community plugin with user profiles, registration & login, member directories, content restriction, user roles and much more.
One User Avatar | User Profile Picture
one-user-avatar
Use any image from your WordPress Media Library as a custom user avatar or user profile picture. Add your own Default Avatar.
Simple Local Avatars
simple-local-avatars
Adds an avatar upload field to user profiles. Generates requested sizes on demand just like Gravatar!
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress
wp-user-avatar
Setup paid membership, accept payment, sell subscription & digital product, paywall, create login & registration form, user profile & member directory
User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder
user-registration
Build membership sites with tiered plans, content restriction, drag-&-drop custom registration & login form builder, and built-in payment system.
Profile CCT Developer Profile
15 plugins · 6K total installs
How We Detect Profile CCT
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/profile-custom-content-type/css/profile-picture.css
- profile-custom-content-type/css/profile-picture.css?ver=
HTML / DOM Fingerprints
- user-avatar-display-image
- add-multiple
- data-field-type="picture"
- profile_cct_picture_refresh_image
- profile_cct_add_remove_avatar_link
- profile_cct_picture_remove_image
- profile_cct_picture_add_photo_step1