Rox Dynamic CPT Fields Engine Security & Risk Analysis

wordpress.org/plugins/rox-dynamic-cpt-fields-engine

Build Custom Post Types, Taxonomies, Custom Fields, Queries, and Listings from one unified interface.

0 active installs · v1.0.0 · PHP 8.0+ · WP 6.5+ · Updated Apr 5, 2026
Tags: custom-fields, custom-post-types, meta-fields, options-pages, taxonomies
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Rox Dynamic CPT Fields Engine Safe to Use in 2026?

Generally Safe

Score 100/100

Rox Dynamic CPT Fields Engine has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The "rox-dynamic-cpt-fields-engine" plugin v1.0.0 exhibits a generally strong security posture based on the provided static analysis. The complete absence of AJAX handlers, REST API routes, shortcodes, and cron events with open attack surfaces significantly reduces its exploitability. Furthermore, the code demonstrates excellent security practices with 100% of SQL queries using prepared statements and a very high percentage (96%) of output being properly escaped. The presence of numerous nonce and capability checks also indicates a deliberate effort to implement access controls.

However, the analysis identified a single taint flow with an unsanitized path, located in TaxonomyMetaFieldsManager (app/Fields/TaxonomyMetaFieldsManager.php). The flow is not classified as critical or high severity, but it indicates that data originating from an untrusted source is not sufficiently sanitized before it is used, which could lead to unintended consequences such as path traversal. The plugin's complete lack of a vulnerability history is a positive indicator, suggesting it has either been well-maintained or has not yet been a target for significant security research.

In conclusion, the plugin is well-developed from a security perspective, with minimal surface area and good implementation of security features. The lone unsanitized path is the primary area requiring attention. The absence of historical vulnerabilities is a strength, but users should remain vigilant for future updates and potential findings. The overall risk is considered low, but the identified taint flow warrants investigation and potential remediation.

Key Concerns

  • Unsanitized path in taint flow
Vulnerabilities
None known

Rox Dynamic CPT Fields Engine Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Rox Dynamic CPT Fields Engine Release Timeline

v1.0
Code Analysis
Analyzed Apr 16, 2026

Rox Dynamic CPT Fields Engine Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (20 prepared)
Unescaped Output: 22 (491 escaped)
Nonce Checks: 4
Capability Checks: 16
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 20 total queries

Output Escaping

96% escaped · 513 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

1 flow · 1 with unsanitized paths
<TaxonomyMetaFieldsManager> (app/Fields/TaxonomyMetaFieldsManager.php:0)
[Data flow diagram. Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

Rox Dynamic CPT Fields Engine Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 33

Type · Hook · Location
action · admin_enqueue_scripts · app/Admin/AdminAssets.php:48
filter · script_loader_tag · app/Admin/AdminAssets.php:115
action · admin_notices · app/Admin/AdminAssets.php:118
action · admin_menu · app/Admin/AdminMenu.php:85
action · admin_head · app/Admin/AdminMenu.php:86
action · admin_menu · app/Admin/OptionsPageRegistrar.php:73
action · admin_init · app/Admin/OptionsPageRegistrar.php:76
action · admin_enqueue_scripts · app/Admin/OptionsPageRegistrar.php:79
action · init · app/Config/ConfigPostType.php:68
action · init · app/Config/ConfigPostType.php:69
action · init · app/Fields/CPTMetaFieldsManager.php:69
action · add_meta_boxes · app/Fields/CPTMetaFieldsManager.php:72
action · save_post · app/Fields/CPTMetaFieldsManager.php:75
action · init · app/Fields/CPTMetaFieldsManager.php:78
action · admin_enqueue_scripts · app/Fields/CPTMetaFieldsManager.php:81
action · admin_notices · app/Fields/CPTMetaFieldsManager.php:84
filter · redirect_post_location · app/Fields/CPTMetaFieldsManager.php:1102
action · admin_init · app/Fields/FieldAssetsManager.php:71
action · add_meta_boxes · app/Fields/FieldGroupManager.php:85
action · save_post · app/Fields/FieldGroupManager.php:88
action · init · app/Fields/FieldGroupManager.php:91
action · admin_enqueue_scripts · app/Fields/FieldGroupManager.php:94
action · admin_notices · app/Fields/FieldGroupManager.php:97
filter · redirect_post_location · app/Fields/FieldGroupManager.php:246
action · init · app/Fields/TaxonomyMetaFieldsManager.php:57
action · init · app/Fields/TaxonomyMetaFieldsManager.php:60
action · admin_enqueue_scripts · app/Fields/TaxonomyMetaFieldsManager.php:63
action · rest_api_init · app/REST/RestManager.php:49
action · init · app/Registration/RegistrationManager.php:94
action · admin_init · app/Registration/RegistrationManager.php:97
action · admin_notices · rox-dynamic-cpt-fields-engine.php:49
action · admin_notices · rox-dynamic-cpt-fields-engine.php:55
action · plugins_loaded · rox-dynamic-cpt-fields-engine.php:123
Maintenance & Trust

Rox Dynamic CPT Fields Engine Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 5, 2026
PHP min version: 8.0
Downloads: 77

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Rox Dynamic CPT Fields Engine Developer Profile

XpeedStudio

3 plugins · 0 total installs

Trust score: 92
Avg Security Score: 97/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Rox Dynamic CPT Fields Engine

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/rox-dynamic-cpt-fields-engine/assets/build/main-*.css
/wp-content/plugins/rox-dynamic-cpt-fields-engine/assets/build/main-*.js
Script Paths
/wp-content/plugins/rox-dynamic-cpt-fields-engine/assets/build/main-*.js
Version Parameters
/wp-content/plugins/rox-dynamic-cpt-fields-engine/assets/build/main-*.css?ver=
/wp-content/plugins/rox-dynamic-cpt-fields-engine/assets/build/main-*.js?ver=

HTML / DOM Fingerprints

Data Attributes
type="module"
JS Globals
window.rdcfeSettings
REST Endpoints
/wp-json/rdcfe/v1/