WP-Safety

Tools Engine – AIO Custom Fields Security & Risk Analysis

wordpress.org/plugins/tools-engine

Simple and powerful tool to create custom fields for any post type in WordPress.

0 active installs v1.1 PHP 5.2.4+ WP 5.0+ Updated Dec 29, 2022
custom-fieldsfieldstools
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Tools Engine – AIO Custom Fields Safe to Use in 2026?

Generally Safe

Score 85/100

Tools Engine – AIO Custom Fields has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3yr ago
Risk Assessment

The "tools-engine" v1.1 plugin exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by using prepared statements for all SQL queries and has a history devoid of known vulnerabilities, suggesting a commitment to security. However, significant concerns arise from its attack surface. A notable portion of its AJAX handlers (7 out of 46) and one REST API route lack proper authentication and permission checks, creating potential entry points for unauthorized actions. The presence of the `unserialize` function is also a cause for concern, as it can be a vector for remote code execution if not handled with extreme care and proper sanitization, although the static analysis did not report any specific exploitable flows. The bundled jQuery library is significantly outdated, posing a risk if any vulnerabilities are present in that specific version and are exploited by attackers.

Key Concerns

  • Unprotected AJAX handlers
  • Unprotected REST API route
  • Dangerous function (unserialize)
  • Outdated bundled library (jQuery)
Vulnerabilities
None known

Tools Engine – AIO Custom Fields Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Tools Engine – AIO Custom Fields Release Timeline

v1.1Current
v1.0.3
v1.0.2
v1.0.1
v1.0
v0.1
Code Analysis
Analyzed Apr 16, 2026

Tools Engine – AIO Custom Fields Code Analysis

Dangerous Functions
12
Raw SQL Queries
0
162 prepared
Unescaped Output
130
229 escaped
Nonce Checks
40
Capability Checks
20
File Operations
0
External Requests
0
Bundled Libraries
1

Dangerous Functions Found

unserialize$post_content = unserialize($fields['post_content']);controller/fields/layoutFields/class-smack-field-clone.php:52
unserialize$post_content = unserialize($fields['post_content']);controller/fields/layoutFields/class-smack-field-clone.php:125
unserialize$sub_group->post_content = unserialize($sub_group->post_content);controller/groups/field-group-functions.php:60
unserialize$child->post_content = unserialize($child->post_content);controller/groups/field-group-functions.php:69
unserialize$child->post_content = unserialize($child->post_content);controller/groups/field-group-functions.php:93
unserialize$field_group->post_content = unserialize($field_group->post_content);controller/groups/field-group-functions.php:121
unserialize$post_content = unserialize($post_content);controller/groups/field-group-functions.php:930
unserialize$content_array = unserialize($post->post_content);controller/views/post-view.php:1076
unserialize$get_content_details = unserialize($get_content);smack-theme-code.php:46
unserialize$get_content_details = unserialize($get_content);smack-theme-code.php:58
unserialize$get_content = unserialize($get_postcontent);smack-theme-functions.php:198
unserialize$res->post_content = unserialize($res->post_content);tools-engine.php:57

Bundled Libraries

jQuery1.12.4

SQL Query Safety

100% prepared162 total queries

Output Escaping

64% escaped359 total outputs
Attack Surface
8 unprotected

Tools Engine – AIO Custom Fields Attack Surface

Entry Points48
Unprotected8

AJAX Handlers 46

authwp_ajax_smack_get_oembed_linkcontroller/fields/advancedFields/class-smack-field-oembed.php:20
authwp_ajax_smack_clone_fieldcontroller/fields/layoutFields/class-smack-field-clone.php:20
authwp_ajax_saveFieldscontroller/groups/field-group-functions.php:219
authwp_ajax_sendIdActioncontroller/groups/field-group-functions.php:220
authwp_ajax_smack_group_add_fieldscontroller/groups/field-group-functions.php:221
authwp_ajax_smack_add_groupscontroller/groups/field-group-functions.php:222
authwp_ajax_smack_delete_fieldcontroller/groups/field-group-functions.php:223
authwp_ajax_ultimate_group_fieldcontroller/groups/field-group-functions.php:224
authwp_ajax_createCustomTaxonomycontroller/groups/field-group-functions.php:225
authwp_ajax_UpdatePostContentcontroller/groups/field-group-functions.php:226
authwp_ajax_smack_delete_sub_fieldcontroller/groups/field-group-functions.php:227
authwp_ajax_postToolsParamsRulecontroller/groups/field-group-functions.php:230
authwp_ajax_importToolsParamscontroller/groups/field-group-functions.php:231
authwp_ajax_getFieldTypescontroller/groups/field-type-functions.php:46
authwp_ajax_getLocationTypescontroller/groups/locations.php:45
authwp_ajax_getPostTemplateRulecontroller/groups/locations.php:46
authwp_ajax_getPostTypeRulecontroller/groups/locations.php:47
authwp_ajax_getPostStatusRulecontroller/groups/locations.php:48
authwp_ajax_getallPostscontroller/groups/locations.php:49
authwp_ajax_getPostFormatRulecontroller/groups/locations.php:50
authwp_ajax_getPostCategoryRulecontroller/groups/locations.php:51
authwp_ajax_getPageTypeRulecontroller/groups/locations.php:52
authwp_ajax_getPagescontroller/groups/locations.php:53
authwp_ajax_getparentPagescontroller/groups/locations.php:54
authwp_ajax_getCurrentUserRolecontroller/groups/locations.php:55
authwp_ajax_getCurrentUserscontroller/groups/locations.php:56
authwp_ajax_getUserFormcontroller/groups/locations.php:57
authwp_ajax_getUserRolecontroller/groups/locations.php:58
authwp_ajax_getPostTaxonomycontroller/groups/locations.php:59
authwp_ajax_getTaxonomycontroller/groups/locations.php:60
authwp_ajax_getWidgetcontroller/groups/locations.php:61
authwp_ajax_getMenucontroller/groups/locations.php:62
authwp_ajax_getMenuItemcontroller/groups/locations.php:63
authwp_ajax_getCommentcontroller/groups/locations.php:64
authwp_ajax_getAttachmentRulescontroller/groups/locations.php:65
authwp_ajax_getPageTemplatecontroller/groups/locations.php:66
authwp_ajax_getAllFieldNamescontroller/groups/locations.php:67
authwp_ajax_basicRulePosttypecontroller/groups/locations.php:70
authwp_ajax_basicRuleUsercontroller/groups/locations.php:71
authwp_ajax_basicRuleTaxonomycontroller/groups/locations.php:72
authwp_ajax_getToolsParamsRulecontroller/groups/locations.php:75
authwp_ajax_smack_posttype_based_filtercontroller/views/post-view.php:30
authwp_ajax_smack_taxo_based_filtercontroller/views/post-view.php:31
authwp_ajax_removeFieldValuecontroller/views/post-view.php:32
authwp_ajax_getPostTaxonomiescontroller/views/smack-fieldtype.php:40
authwp_ajax_smack_duplicatetools-engine.php:98

REST API Routes 1

GET/wp-json/tools-engine/fields/mydatatools-engine.php:65

Shortcodes 1

[toolsengine] tools-engine.php:100
WordPress Hooks 49
actioninitadmin-functions.php:85
actioninitadmin-functions.php:86
actionadmin_menuadmin-functions.php:87
actioncurrent_screenadmin-functions.php:88
actionadmin_enqueue_scriptsadmin-functions.php:89
actionwp_default_scriptsadmin-functions.php:90
actionadmin_print_footer_scriptsadmin-functions.php:94
filtermanage_edit-tools-engine_columnsadmin-functions.php:99
actionmanage_tools-engine_posts_custom_columnadmin-functions.php:100
actionadmin_enqueue_scriptscontroller/views/form-attachment.php:38
filterattachment_fields_to_editcontroller/views/form-attachment.php:39
filterattachment_fields_to_savecontroller/views/form-attachment.php:40
actionadmin_enqueue_scriptscontroller/views/form-comment.php:38
actionedit_commentcontroller/views/form-comment.php:40
actioncomment_postcontroller/views/form-comment.php:41
actionadd_meta_boxes_commentcontroller/views/form-comment.php:60
actionadmin_enqueue_scriptscontroller/views/form-menu.php:38
actionwp_update_nav_menucontroller/views/form-menu.php:39
actionwp_nav_menu_item_custom_fieldscontroller/views/form-menu.php:41
actionadmin_footercontroller/views/form-menu.php:57
actionadmin_enqueue_scriptscontroller/views/form-taxonomy.php:37
actioncreate_termcontroller/views/form-taxonomy.php:38
actionedit_termcontroller/views/form-taxonomy.php:39
actionadmin_enqueue_scriptscontroller/views/form-user.php:35
actionlogin_form_registercontroller/views/form-user.php:36
actionshow_user_profilecontroller/views/form-user.php:39
actionedit_user_profilecontroller/views/form-user.php:40
actionuser_new_formcontroller/views/form-user.php:41
actionregister_formcontroller/views/form-user.php:42
actionuser_registercontroller/views/form-user.php:45
actionprofile_updatecontroller/views/form-user.php:46
actionadmin_enqueue_scriptscontroller/views/form-widget.php:38
actionin_widget_formcontroller/views/form-widget.php:39
filterwidget_update_callbackcontroller/views/form-widget.php:40
actionload-post.phpcontroller/views/post-view.php:59
actionload-post-new.phpcontroller/views/post-view.php:60
actionsave_postcontroller/views/post-view.php:61
actionuntrash_postcontroller/views/post-view.php:62
actionadd_meta_boxescontroller/views/post-view.php:75
filterpost_updated_messagescontroller/views/post-view.php:1096
actionsave_postcontroller/views/post-view.php:1111
actiondeleted_postcontroller/views/smack-fieldtype.php:37
actiontrashed_postcontroller/views/smack-fieldtype.php:38
actionuntrashed_postcontroller/views/smack-fieldtype.php:39
actionrest_api_inittools-engine.php:64
actionadmin_enqueue_scriptstools-engine.php:85
actionenqueue_block_editor_assetstools-engine.php:87
actionplugins_loadedtools-engine.php:89
filterpage_row_actionstools-engine.php:97
Maintenance & Trust

Tools Engine – AIO Custom Fields Maintenance & Trust

Maintenance Signals

WordPress version tested6.1.10
Last updatedDec 29, 2022
PHP min version5.2.4
Downloads7K

Community Trust

Rating0/100
Number of ratings0
Active installs0
Alternatives

Tools Engine – AIO Custom Fields Alternatives

PostMeta Viewer – Custom Fields Inspector

PostMeta Viewer – Custom Fields Inspector

postmeta-viewer

A
100

A powerful debugging tool for WordPress developers to inspect and analyze post meta (custom fields) across posts, pages, and custom post types.

30 No CVEs
MB Toolset Migration

MB Toolset Migration

mb-toolset-migration

A
100

Migrate custom fields from Toolset to Meta Box.

10 No CVEs
Advanced Custom Fields (ACF®)

Advanced Custom Fields (ACF®)

advanced-custom-fields

A
92

ACF helps customize WordPress with powerful, professional and intuitive fields. Proudly powering over 2 million sites, WordPress developers love ACF.

2.0M 10 CVEs
Meta Box

Meta Box

meta-box

A
89

Meta Box plugin is a powerful, professional developer toolkit to create custom meta boxes and custom fields for your custom post types in WordPress.

500K 7 CVEs
Checkout Field Editor (Checkout Manager) for WooCommerce

Checkout Field Editor (Checkout Manager) for WooCommerce

woo-checkout-field-editor-pro

A
93

Checkout Field Editor (Checkout Manager) for WooCommerce – The best WooCommerce checkout manager plugin to manage WooCommerce checkout fields.

500K 3 CVEs
Developer Profile

Tools Engine – AIO Custom Fields Developer Profile

Smackcoders Inc.,

23 plugins · 40K total installs

71
trust score
Avg Security Score
88/100
Avg Patch Time
946 days
View full developer profile
Detection Fingerprints

How We Detect Tools Engine – AIO Custom Fields

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/tools-engine/app/blocks/tools-engine-block.js

HTML / DOM Fingerprints

JS Globals
smack_tools_engine_object
REST Endpoints
/wp-json/tools-engine/fields/mydata
Shortcode Output
[toolsengine
FAQ

Frequently Asked Questions about Tools Engine – AIO Custom Fields