Does Smart Custom Fields have any unpatched vulnerabilities?

No. All known vulnerabilities in Smart Custom Fields have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Smart Custom Fields compatible with WordPress 6.8.5?

According to WordPress.org data, Smart Custom Fields 5.0.6 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is Smart Custom Fields compatible with PHP 7.4+?

Smart Custom Fields requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Smart Custom Fields updated?

Smart Custom Fields was last updated on Dec 11, 2025. Frequent updates are generally a positive security signal.

What is Smart Custom Fields's security score?

Smart Custom Fields has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Smart Custom Fields Security & Risk Analysis

wordpress.org/plugins/smart-custom-fields

Smart Custom Fields is a simple plugin for managing custom fields.

50K active installs v5.0.6 PHP 7.4+ WP 6.4+ Updated Dec 11, 2025

customcustom-fieldfieldmetameta-field

A · Safe

CVEs total2

Unpatched0

Last CVEJan 6, 2025

Plugin page Download

Safety Verdict

Is Smart Custom Fields Safe to Use in 2026?

Generally Safe

Score 99/100

Smart Custom Fields has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Jan 6, 2025Updated 3mo ago

Risk Assessment

The 'smart-custom-fields' plugin v5.0.6 exhibits a generally strong security posture based on the static analysis. The code demonstrates excellent adherence to secure coding practices, with all SQL queries using prepared statements, all output properly escaped, and no file operations or external HTTP requests detected. The presence of numerous nonce and capability checks further indicates a focus on authorization and preventing unauthorized actions. The attack surface, while present with two AJAX handlers, is reported as fully protected, which is a significant positive. Taint analysis revealing no unsanitized paths is also a very good sign, suggesting the plugin is resilient against common injection vulnerabilities.

However, the plugin's vulnerability history presents a notable concern. Two medium-severity CVEs have been recorded, one of which was identified relatively recently. While currently unpatched CVEs are zero, the existence of past vulnerabilities, particularly those related to Cross-site Scripting and Missing Authorization, suggests a pattern of weaknesses that have required remediation. This history, even with recent fixes, warrants a cautious approach. The overall conclusion is that while the current version's static analysis is robust, the historical precedent of vulnerabilities necessitates ongoing vigilance and prompt application of any future security updates to mitigate the risk of recurring issues.

Key Concerns

Past medium severity CVEs
History of XSS and Missing Authorization

Vulnerabilities

Smart Custom Fields Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

Medium

2 total CVEs

CVE-2025-22308medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Smart Custom Fields <= 5.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 6, 2025 Patched in 5.0.1 (145d)

CVE-2024-1995medium · 4.3Missing Authorization

Smart Custom Fields <= 4.2.2 - Missing Authorization to Authenticated (Subscriber+) Post Content Disclosure

Mar 19, 2024 Patched in 5.0.0 (1d)

Code Analysis

Analyzed Mar 16, 2026

Smart Custom Fields Code Analysis

Dangerous Functions

Raw SQL Queries

4 prepared

Unescaped Output

424 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

jQuery

SQL Query Safety

100% prepared4 total queries

Output Escaping

100% escaped426 total outputs

Attack Surface

Smart Custom Fields Attack Surface

Entry Points2

Unprotected0

AJAX Handlers 2

authwp_ajax_smart-cf-relational-posts-searchclasses\fields\class.field-related-posts.php:20

authwp_ajax_smart-cf-relational-terms-searchclasses\fields\class.field-related-terms.php:20

WordPress Hooks 37

actionrest_api_initclasses\class.rest-api.php:24

actionadmin_enqueue_scriptsclasses\controller\class.controller-base.php:24

actionadd_meta_boxesclasses\controller\class.editor.php:18

actionsave_postclasses\controller\class.editor.php:19

actionshow_user_profileclasses\controller\class.profile.php:18

actionedit_user_profileclasses\controller\class.profile.php:19

actionpersonal_options_updateclasses\controller\class.profile.php:20

actionedit_user_profile_updateclasses\controller\class.profile.php:21

actionadmin_enqueue_scriptsclasses\controller\class.settings.php:24

actionadmin_headclasses\controller\class.settings.php:25

actionsave_postclasses\controller\class.settings.php:26

actionadd_meta_boxesclasses\controller\class.settings.php:27

actionedited_termsclasses\controller\class.taxonomy.php:25

actiondelete_termclasses\controller\class.taxonomy.php:26

filtersmart-cf-validate-get-valueclasses\fields\class.field-boolean.php:19

actionadmin_enqueue_scriptsclasses\fields\class.field-related-posts.php:19

filtersmart-cf-validate-get-valueclasses\fields\class.field-related-posts.php:21

actionadmin_enqueue_scriptsclasses\fields\class.field-related-terms.php:19

filtersmart-cf-validate-get-valueclasses\fields\class.field-related-terms.php:21

filtersmart-cf-validate-get-valueclasses\fields\class.field-wysiwyg.php:23

actionafter_wp_tiny_mceclasses\fields\class.field-wysiwyg.php:48

actionadmin_footerclasses\fields\class.field-wysiwyg.php:68

actiondelete_termclasses\models\class.ajax.php:18

actionadmin_menuclasses\models\class.options-page.php:74

filterwp_save_post_revision_check_for_changesclasses\models\class.revisions.php:23

filter_wp_post_revision_fieldsclasses\models\class.revisions.php:29

filterget_post_metadataclasses\models\class.revisions.php:30

actionedit_form_after_titleclasses\models\class.revisions.php:31

actionwp_restore_post_revisionclasses\models\class.revisions.php:32

actionwp_insert_postclasses\models\class.revisions.php:33

actionadmin_enqueue_scriptsclasses\models\class.yoast-seo-analysis.php:17

actionplugins_loadedsmart-custom-fields.php:44

actioninitsmart-custom-fields.php:65

actioninitsmart-custom-fields.php:66

actioninitsmart-custom-fields.php:67

actionadmin_menusmart-custom-fields.php:68

actioncurrent_screensmart-custom-fields.php:69

Maintenance & Trust

Smart Custom Fields Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedDec 11, 2025

PHP min version7.4

Downloads334K

Community Trust

Rating98/100

Number of ratings20

Active installs50K

Alternatives

Smart Custom Fields Alternatives

Meta Field Block

display-a-meta-field-as-block

Display a custom field as a block on the frontend. Supports custom fields for posts, terms, and users. Officially supports ACF, Meta Box.

10K 1 CVE

Easy Post Types and Fields

easy-post-types-fields

100

Easy Post Types and Fields makes it quick and easy to add custom post types, custom fields, and taxonomies to your WordPress website.

1K No CVEs

Add Custom Fields to Media

add-custom-fields-to-media

100

Add custom fields to media uploader and access them in template files. Great for copyrights, image meta etc.

80 No CVEs

Custom Field Builder – WordPress custom fields plugin

custom-field-builder

Custom Field Builder is a powerful and lightweight developer plugin to create custom meta boxes and custom fields for WordPress.

10 No CVEs

Custom Meta Field

custom-meta-field

Custom Meta Field

10 No CVEs

Developer Profile

Smart Custom Fields Developer Profile

Takashi Kitajima

11 plugins · 331K total installs

trust score

Avg Security Score

89/100

Avg Patch Time

122 days

View full developer profile

Detection Fingerprints

How We Detect Smart Custom Fields

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/smart-custom-fields/css/styles.css/wp-content/plugins/smart-custom-fields/js/script.js/wp-content/plugins/smart-custom-fields/js/bootstrap.min.js/wp-content/plugins/smart-custom-fields/js/sortable.min.js/wp-content/plugins/smart-custom-fields/js/vue.js/wp-content/plugins/smart-custom-fields/js/vue-resource.min.js/wp-content/plugins/smart-custom-fields/js/field-editor.js/wp-content/plugins/smart-custom-fields/js/admin-menu.js+1 more

Script Paths

/wp-content/plugins/smart-custom-fields/js/script.js/wp-content/plugins/smart-custom-fields/js/bootstrap.min.js/wp-content/plugins/smart-custom-fields/js/sortable.min.js/wp-content/plugins/smart-custom-fields/js/vue.js/wp-content/plugins/smart-custom-fields/js/vue-resource.min.js/wp-content/plugins/smart-custom-fields/js/field-editor.js+2 more

Version Parameters

smart-custom-fields/css/styles.css?ver=smart-custom-fields/js/script.js?ver=smart-custom-fields/js/bootstrap.min.js?ver=smart-custom-fields/js/sortable.min.js?ver=smart-custom-fields/js/vue.js?ver=smart-custom-fields/js/vue-resource.min.js?ver=smart-custom-fields/js/field-editor.js?ver=smart-custom-fields/js/admin-menu.js?ver=smart-custom-fields/js/setting-page.js?ver=

HTML / DOM Fingerprints

CSS Classes

s-cf-editor-wrappers-cf-field-editors-cf-fields-groups-cf-fields-group-headers-cf-fields-group-bodys-cf-fields-cf-field-labels-cf-field-content+11 more

HTML Comments

Data Attributes

data-field-iddata-field-typedata-group-iddata-scf-id

JS Globals

SmartCustomFieldsSCF_ConfigVueVueResource

REST Endpoints

/wp-json/smart-custom-fields/v1

FAQ

Smart Custom Fields Security & Risk Analysis

Is Smart Custom Fields Safe to Use in 2026?

Generally Safe

Key Concerns

Smart Custom Fields Security Vulnerabilities

CVEs by Year

Severity Breakdown

Smart Custom Fields Code Analysis

Bundled Libraries

SQL Query Safety

Output Escaping

Smart Custom Fields Attack Surface

AJAX Handlers 2

Smart Custom Fields Maintenance & Trust

Maintenance Signals

Community Trust

Smart Custom Fields Alternatives

Meta Field Block

Easy Post Types and Fields

Add Custom Fields to Media

Custom Field Builder – WordPress custom fields plugin

Custom Meta Field

Smart Custom Fields Developer Profile

How We Detect Smart Custom Fields

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Smart Custom Fields