Sydney Toolbox Security & Risk Analysis

wordpress.org/plugins/sydney-toolbox

Registers custom post types and custom fields for the Sydney theme

60K active installs · v1.36 · PHP + · WP 4.0+ · Updated Dec 17, 2024
Tags: custom-fields, custom-post-types, sydney
Score: 89 · Grade: A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: May 13, 2024
Safety Verdict

Is Sydney Toolbox Safe to Use in 2026?

Generally Safe

Score 89/100

Sydney Toolbox has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: May 13, 2024 · Updated 1yr ago
Risk Assessment

The sydney-toolbox plugin v1.36 exhibits a generally positive security posture based on static code analysis, with no identified critical or high-severity taint flows and a high percentage of properly escaped output. The lack of direct entry points like AJAX handlers, REST API routes, or shortcodes, coupled with a strong adherence to using prepared statements for SQL queries, indicates a robust development approach. The presence of numerous nonce and capability checks further suggests an awareness of common security practices.

However, the plugin's vulnerability history is a significant concern. It has a notable track record of 5 medium-severity CVEs, predominantly Cross-Site Scripting (XSS) vulnerabilities. While there are currently no unpatched vulnerabilities, the recurring nature of XSS issues, even at a medium severity, indicates a potential weakness in input sanitization or output encoding within specific code paths that may not have been fully captured by the static analysis or have been introduced in past versions. The most recent vulnerability, dated May 2024, reinforces this concern. Therefore, despite a clean static analysis for this specific version, the historical pattern of XSS vulnerabilities warrants caution and suggests a need for ongoing vigilance and potentially more thorough historical security audits.

In conclusion, while sydney-toolbox v1.36 demonstrates good coding practices in its static analysis results, the past prevalence of medium-severity XSS vulnerabilities cannot be overlooked. The plugin's strengths lie in its minimal attack surface and secure data handling mechanisms. The primary weakness stems from its historical vulnerability pattern, specifically XSS, which suggests a potential for similar issues to re-emerge if development or auditing processes are not sufficiently rigorous. This combination of good current analysis and concerning history leads to a moderate risk assessment.

Key Concerns

  • Multiple medium-severity CVEs in history
  • Recurring XSS vulnerability type
Sydney Toolbox Security Vulnerabilities (5 CVEs)

CVEs by Year

2024: 5 CVEs (all patched)

Severity Breakdown

Medium: 5 (5 total CVEs)

CVE-2024-4473 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Sydney Toolbox <= 1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting via aThemes: Portfolio Widget
May 13, 2024 · Patched in 1.32 (1d)

CVE-2024-4036 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Sydney Toolbox <= 1.30 - Authenticated (Contributor+) Stored Cross-Site Scripting
May 1, 2024 · Patched in 1.31 (2d)

CVE-2024-3208 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Sydney Toolbox <= 1.28 - Authenticated (Contributor+) Stored Cross-Site Scripting via Filterable Gallery
Apr 5, 2024 · Patched in 1.29 (5d)

CVE-2024-2936 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Sydney Toolbox <= 1.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via _id
Mar 28, 2024 · Patched in 1.27 (1d)

CVE-2024-1447 · Medium (6.4) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Sydney Toolbox <= 1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting
Feb 14, 2024 · Patched in 1.26 (7d)
Sydney Toolbox Code Analysis (analyzed Mar 16, 2026)

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 19 (293 escaped)
Nonce Checks: 7
Capability Checks: 14
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping: 94% escaped (312 total outputs)
Data Flows: All sanitized

Data Flow Analysis

7 flows
<clients-metabox> (inc\metaboxes\clients-metabox.php:0)
Flow table columns: Source (user input) | Sink (dangerous op) | Sanitizer | Transform; status legend: Unsanitized / Sanitized
Sydney Toolbox Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 59

Type | Hook | Location
filter | pt-ocdi/import_files | demo-content\setup.php:37
action | pt-ocdi/after_import | demo-content\setup.php:64
filter | pt-ocdi/disable_pt_branding | demo-content\setup.php:69
action | customize_register | inc\customizer\portfolio.php:105
action | elementor/widget/athemes-portfolio-ext/skins_init | inc\elementor\skins\block-portfolio-classic-skin.php:130
action | elementor/widget/athemes-portfolio-ext/skins_init | inc\elementor\skins\block-portfolio-metro-skin.php:177
action | elementor/widget/athemes-portfolio-ext/skins_init | inc\elementor\skins\block-portfolio-overlap-skin.php:130
action | elementor/widget/athemes-testimonials/skins_init | inc\elementor\skins\block-testimonials-skin.php:60
action | load-post.php | inc\metaboxes\clients-metabox.php:18
action | load-post-new.php | inc\metaboxes\clients-metabox.php:19
action | add_meta_boxes | inc\metaboxes\clients-metabox.php:25
action | save_post | inc\metaboxes\clients-metabox.php:26
action | load-post.php | inc\metaboxes\employees-metabox.php:18
action | load-post-new.php | inc\metaboxes\employees-metabox.php:19
action | add_meta_boxes | inc\metaboxes\employees-metabox.php:25
action | save_post | inc\metaboxes\employees-metabox.php:26
action | load-post.php | inc\metaboxes\projects-metabox.php:18
action | load-post-new.php | inc\metaboxes\projects-metabox.php:19
action | add_meta_boxes | inc\metaboxes\projects-metabox.php:25
action | save_post | inc\metaboxes\projects-metabox.php:26
action | load-post.php | inc\metaboxes\services-metabox.php:18
action | load-post-new.php | inc\metaboxes\services-metabox.php:19
action | add_meta_boxes | inc\metaboxes\services-metabox.php:25
action | save_post | inc\metaboxes\services-metabox.php:26
action | load-post.php | inc\metaboxes\singles-metabox.php:22
action | load-post-new.php | inc\metaboxes\singles-metabox.php:23
action | add_meta_boxes | inc\metaboxes\singles-metabox.php:29
action | save_post | inc\metaboxes\singles-metabox.php:30
action | admin_enqueue_scripts | inc\metaboxes\singles-metabox.php:31
action | load-post.php | inc\metaboxes\testimonials-metabox.php:18
action | load-post-new.php | inc\metaboxes\testimonials-metabox.php:19
action | add_meta_boxes | inc\metaboxes\testimonials-metabox.php:25
action | save_post | inc\metaboxes\testimonials-metabox.php:26
action | load-post.php | inc\metaboxes\timeline-metabox.php:18
action | load-post-new.php | inc\metaboxes\timeline-metabox.php:19
action | add_meta_boxes | inc\metaboxes\timeline-metabox.php:25
action | save_post | inc\metaboxes\timeline-metabox.php:26
action | admin_enqueue_scripts | inc\metaboxes\timeline-metabox.php:27
action | init | inc\post-type-clients.php:69
action | init | inc\post-type-employees.php:69
action | init | inc\post-type-projects.php:69
action | init | inc\post-type-services.php:69
action | init | inc\post-type-sydney-projects.php:78
action | init | inc\post-type-sydney-projects.php:129
action | init | inc\post-type-testimonials.php:69
action | init | inc\post-type-timeline.php:74
action | init | sydney-toolbox.php:41
action | plugins_loaded | sydney-toolbox.php:42
action | admin_notices | sydney-toolbox.php:43
action | wp | sydney-toolbox.php:45
action | wp_head | sydney-toolbox.php:48
filter | get_the_archive_title | sydney-toolbox.php:51
filter | post_class | sydney-toolbox.php:52
action | elementor/widgets/register | sydney-toolbox.php:55
action | elementor/init | sydney-toolbox.php:56
action | elementor/init | sydney-toolbox.php:57
action | elementor/frontend/after_register_styles | sydney-toolbox.php:58
action | init | sydney-toolbox.php:59
filter | sydney_content_area_class | sydney-toolbox.php:243
Sydney Toolbox Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Dec 17, 2024
PHP min version:
Downloads: 2.5M

Community Trust

Rating: 46/100
Number of ratings: 15
Active installs: 60K
Sydney Toolbox Developer Profile

Syed Balkhi

94 plugins · 23.5M total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 795 days
How We Detect Sydney Toolbox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/sydney-toolbox/css/styles.min.css
/wp-content/plugins/sydney-toolbox/js/main.js
/wp-content/plugins/sydney-toolbox/js/main-legacy.js

Script Paths
/wp-content/plugins/sydney-toolbox/js/main.js
/wp-content/plugins/sydney-toolbox/js/main-legacy.js

Version Parameters
sydney-toolbox/css/styles.min.css?ver=
sydney-toolbox/js/main.js?ver=
sydney-toolbox/js/main-legacy.js?ver=

HTML / DOM Fingerprints

CSS Classes
sydney-svg-icon, team-item, team-social, single-sydney-projects, block-portfolio-overlap-skin, block-portfolio-classic-skin, block-portfolio-metro-skin, block-testimonials-skin

HTML Comments
<!-- Sydney Toolbox requires PHP 5.4. Please contact your host to upgrade your PHP. The plugin was <strong>not</strong> activated. -->

Data Attributes
data-elementor-id, data-elementor-type, data-elementor-device-mode
Frequently Asked Questions about Sydney Toolbox