Ultimate Fields Security & Risk Analysis

wordpress.org/plugins/ultimate-fields

Easy and powerful custom fields management: Post Meta, Options Pages, Repeaters and many field types!

900 active installs · v3.0.2 · PHP 5.4+ · WP 4.9+ · Updated May 15, 2018
Tags: custom-fields, meta, post-meta, repeater, theme-options
85
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Ultimate Fields Safe to Use in 2026?

Generally Safe

Score 85/100

Ultimate Fields has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 8yr ago
Risk Assessment

The plugin "ultimate-fields" v3.0.2 exhibits a generally strong security posture with several good practices in place. All identified entry points (shortcodes) are protected by capability checks, and all SQL queries utilize prepared statements, which significantly reduces the risk of SQL injection vulnerabilities. The absence of known CVEs and a clean vulnerability history further contributes to its positive security assessment. However, there are notable areas for improvement. The presence of the `unserialize` function is a potential concern, as it can be exploited if fed malicious data, especially if the input source is not thoroughly validated. Additionally, a significant portion of output (53%) is not properly escaped, posing a risk for Cross-Site Scripting (XSS) vulnerabilities. A single taint flow with an unsanitized path also warrants attention, although its severity is not explicitly detailed as critical or high.

While the plugin's current vulnerability history is commendable, indicating good maintenance and security awareness, the static analysis reveals potential weaknesses that, if exploited, could lead to security incidents. The responsible use of `unserialize` and rigorous output escaping for all dynamic content are crucial for mitigating these risks. The single unsanitized path in the taint analysis, while not classified as critical, should be investigated and remediated to ensure complete data sanitization. Overall, the plugin is in a good state, but attention to the identified areas of concern will further strengthen its security.

Key Concerns

  • Dangerous function unserialize detected
  • Significant unescaped output (47% escaped)
  • Taint flow with unsanitized path
Vulnerabilities
None known

Ultimate Fields Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Ultimate Fields Release Timeline

v3.0.2 (Current)
v3.0.1
v3.0
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0
Code Analysis
Analyzed Mar 16, 2026

Ultimate Fields Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (10 prepared)
Unescaped Output: 89 (79 escaped)
Nonce Checks: 9
Capability Checks: 1
File Operations: 9
External Requests: 0
Bundled Libraries: 1

Dangerous Functions Found

unserialize
$data = unserialize( $row[ 'meta_value' ] );
ui\classes\Location\Options_Page.php:415

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 10 total queries

Output Escaping

47% escaped · 168 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

5 flows · 1 with unsanitized paths
notices (ui\classes\Post_Type.php:517)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Ultimate Fields Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes 2

[uf] core\api.php:236
[value] core\api.php:237
WordPress Hooks 78
action add_meta_boxes core\classes\Controller\Options.php:26
action uf.options_page.save core\classes\Controller\Options.php:27
action admin_enqueue_scripts core\classes\Controller\Options.php:28
action rest_api_init core\classes\Controller\Options.php:29
action add_meta_boxes core\classes\Controller\Post_Type.php:55
action add_meta_boxes core\classes\Controller\Post_Type.php:56
action save_post core\classes\Controller\Post_Type.php:57
action wp_enqueue_scripts core\classes\Controller\Post_Type.php:58
action admin_enqueue_scripts core\classes\Controller\Post_Type.php:59
action current_screen core\classes\Controller\Post_Type.php:60
action save_post core\classes\Controller\Post_Type.php:61
action _wp_post_revision_fields core\classes\Controller\Post_Type.php:62
action wp_restore_post_revision core\classes\Controller\Post_Type.php:63
filter wp_save_post_revision_check_for_changes core\classes\Controller\Post_Type.php:64
action edit_form_after_title core\classes\Controller\Post_Type.php:65
action pre_post_update core\classes\Controller\Post_Type.php:66
action post_updated core\classes\Controller\Post_Type.php:67
action rest_api_init core\classes\Controller\REST_API.php:19
action admin_enqueue_scripts core\classes\Core.php:71
action wp_enqueue_scripts core\classes\Core.php:72
action login_enqueue_scripts core\classes\Core.php:73
action admin_enqueue_scripts core\classes\Core.php:74
action wp_enqueue_editor core\classes\Core.php:75
action wp_enqueue_scripts core\classes\Core.php:76
action login_enqueue_scripts core\classes\Core.php:77
action after_setup_theme core\classes\Core.php:78
filter uf.field.class core\classes\Core.php:79
filter uf.api.the_value core\classes\Core.php:82
filter get_post_metadata core\classes\Datastore\Post_Meta.php:95
action admin_footer core\classes\Field\WYSIWYG.php:64
action customize_controls_print_scripts core\classes\Field\WYSIWYG.php:66
action wp_footer core\classes\Field\WYSIWYG.php:68
action uf.register_scripts core\classes\Helper\JS_L10N.php:41
action admin_notices core\classes\Helper\Missing_Features.php:40
action pre_get_posts core\classes\Location\Post_Type.php:665
action admin_menu core\classes\Options_Page.php:159
action admin_menu core\classes\Options_Page.php:160
action network_admin_menu core\classes\Options_Page.php:161
action admin_enqueue_scripts core\classes\Options_Page.php:162
action admin_footer core\classes\Template.php:66
action wp_footer core\classes\Template.php:68
action login_footer core\classes\Template.php:69
action customize_controls_print_footer_scripts core\classes\Template.php:72
action uf.init core\compat.php:7
action uf.ajax ui\classes\Field_Editor.php:102
action add_meta_boxes ui\classes\JSON_Box.php:40
action uf.enqueue_scripts ui\classes\Migration.php:72
action admin_notices ui\classes\Migration.php:73
action init ui\classes\Migration.php:83
action init ui\classes\Post_Type.php:46
action admin_head ui\classes\Post_Type.php:47
action edit_form_after_editor ui\classes\Post_Type.php:48
action save_post ui\classes\Post_Type.php:49
action before_delete_post ui\classes\Post_Type.php:50
action admin_enqueue_scripts ui\classes\Post_Type.php:51
filter page_row_actions ui\classes\Post_Type.php:54
action admin_notices ui\classes\Post_Type.php:55
action add_meta_boxes ui\classes\Post_Type.php:56
action load-post.php ui\classes\Post_Type.php:57
action add_meta_boxes ui\classes\Post_Type.php:58
action admin_notices ui\classes\Post_Type.php:59
action uf.ajax.ui_get_container ui\classes\Post_Type.php:60
action post_updated_messages ui\classes\Post_Type.php:61
action admin_enqueue_scripts ui\classes\Post_Type.php:62
action admin_footer ui\classes\Post_Type.php:773
action admin_menu ui\classes\Settings\Page.php:54
action uf.enqueue_scripts ui\classes\Settings\Page.php:55
filter screen_options_show_screen ui\classes\Settings\Screen_General.php:81
filter uf.options_page.redirect_url ui\classes\Settings\Screen_General.php:82
action admin_enqueue_scripts ui\classes\Settings\Screen_Import_Export.php:49
filter screen_options_show_screen ui\classes\Settings\Screen_JSON_Sync.php:42
filter uf.register_ui ui\classes\UI.php:58
action uf.register_scripts ui\classes\UI.php:75
action uf.ajax.select_ui_options ui\classes\UI.php:76
filter uf.field.class ui\classes\UI.php:77
action uf.init ui\classes\UI.php:91
action current_screen ui\classes\UI.php:94
action plugins_loaded ultimate-fields.php:22
Maintenance & Trust

Ultimate Fields Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.9.29
Last updated: May 15, 2018
PHP min version: 5.4
Downloads: 15K

Community Trust

Rating: 100/100
Number of ratings: 20
Active installs: 900
Developer Profile

Ultimate Fields Developer Profile

Radoslav Georgiev

2 plugins · 910 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Ultimate Fields

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ultimate-fields/css/bundle.css
/wp-content/plugins/ultimate-fields/css/legacy.css
/wp-content/plugins/ultimate-fields/js/bundle.js
Script Paths
/wp-content/plugins/ultimate-fields/js/bundle.js
Version Parameters
/wp-content/plugins/ultimate-fields/css/bundle.css?ver=
/wp-content/plugins/ultimate-fields/css/legacy.css?ver=
/wp-content/plugins/ultimate-fields/js/bundle.js?ver=

HTML / DOM Fingerprints

CSS Classes
uf-container, uf-field, uf-row, uf-col
Data Attributes
data-type="Options", data-uf-fields
JS Globals
UltimateFields
REST Endpoints
/wp-json/ultimate-fields/