Custom Post Types and Custom Fields creator – WCK Security & Risk Analysis

wordpress.org/plugins/wck-custom-fields-and-custom-post-types-creator

A must-have tool for creating custom fields, custom post types and taxonomies, fast and without any programming knowledge.

10K active installs · v2.3.8 · PHP + · WP 3.1+ · Updated Aug 13, 2025
Tags: custom-field, custom-fields, custom-post-type, custom-post-types, wordpress-custom-fields
Score 100 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Dec 21, 2022
Safety Verdict

Is Custom Post Types and Custom Fields creator – WCK Safe to Use in 2026?

Generally Safe

Score 100/100

Custom Post Types and Custom Fields creator – WCK has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Dec 21, 2022 · Updated 7mo ago
Risk Assessment

The plugin "wck-custom-fields-and-custom-post-types-creator" v2.3.8 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices in its use of prepared statements for SQL queries and proper output escaping, with high percentages for both. The presence of nonce and capability checks also indicates an awareness of WordPress security fundamentals. However, a significant concern arises from the presence of two AJAX handlers that lack authentication checks. This creates a direct attack vector for unauthenticated users to interact with potentially sensitive functionality. While no critical or high severity taint flows were identified, the six flows with unsanitized paths are concerning and could be a precursor to vulnerabilities if not carefully managed. The plugin's vulnerability history shows one medium-severity Cross-Site Scripting (XSS) vulnerability, last patched in late 2022, suggesting a past weakness that, while addressed, warrants attention regarding the maintainers' ability to prevent such issues.

Overall, the plugin has strengths in its handling of database operations and output, but the unprotected AJAX endpoints represent a clear and immediate risk. The past XSS vulnerability and unsanitized taint flows, though not currently critical, suggest that diligent security reviews and robust input validation are crucial for this plugin. The absence of critical or high severity issues in the static analysis is reassuring, but the identified weaknesses should not be overlooked, especially concerning the direct exposure of AJAX endpoints.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths detected
  • Past medium severity XSS vulnerability
Vulnerabilities (1)

Custom Post Types and Custom Fields creator – WCK Security Vulnerabilities

CVEs by Year

1 CVE in 2022

Severity Breakdown

Medium: 1

1 total CVE

CVE-2022-4442 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Custom Post Types and Custom Fields creator <= 2.3.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Dec 21, 2022 · Patched in 2.3.3 (398d)
Code Analysis
Analyzed Mar 16, 2026

Custom Post Types and Custom Fields creator – WCK Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (4 prepared)
Unescaped Output: 15 (280 escaped)
Nonce Checks: 5
Capability Checks: 13
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

67% prepared · 6 total queries

Output Escaping

95% escaped · 295 total outputs
Data Flows (6 unsanitized)

Data Flow Analysis

9 flows · 6 with unsanitized paths
wck_add_meta (wordpress-creation-kit-api\wordpress-creation-kit.php:878)
Attack Surface (2 unprotected)

Custom Post Types and Custom Fields creator – WCK Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers (2)

auth · wp_ajax_wck_generate_slug · wck-cfc.php:933
auth · wp_ajax_wck_sync_translation · wordpress-creation-kit-api\wordpress-creation-kit.php:129

WordPress Hooks (133)

action · admin_notices · inc\class_notices.php:27
action · admin_init · inc\class_notices.php:28
action · admin_init · inc\class_notices.php:74
action · admin_init · inc\class_notices.php:75
action · admin_init · inc\class_notices.php:280
action · admin_enqueue_scripts · wck-cfc.php:5
action · init · wck-cfc.php:24
filter · admin_body_class · wck-cfc.php:60
filter · post_row_actions · wck-cfc.php:76
action · init · wck-cfc.php:87
action · wck_before_add_form_wck_cfc_args_element_0 · wck-cfc.php:205
filter · wck_update_container_class_wck_cfc_fields · wck-cfc.php:211
filter · wck_element_class_wck_cfc_fields · wck-cfc.php:217
action · wck_refresh_list_wck_cfc · wck-cfc.php:225
action · admin_init · wck-cfc.php:231
filter · wck_required_test_wck_cfc_args_meta-name · wck-cfc.php:408
filter · wck_required_test_wck_cfc_fields_field-slug · wck-cfc.php:409
filter · wck_required_message_wck_cfc_args_meta-name · wck-cfc.php:467
filter · wck_required_message_wck_cfc_fields_field-slug · wck-cfc.php:468
filter · wck_required_test_wck_cfc_fields_field-title · wck-cfc.php:545
filter · wck_required_message_wck_cfc_fields_field-title · wck-cfc.php:556
action · wck_before_add_meta · wck-cfc.php:565
action · wck_before_update_meta · wck-cfc.php:586
action · wck_before_update_meta · wck-cfc.php:621
filter · manage_wck-meta-box_posts_columns · wck-cfc.php:667
filter · manage_edit-wck-meta-box_sortable_columns · wck-cfc.php:682
filter · request · wck-cfc.php:692
action · manage_wck-meta-box_posts_custom_column · wck-cfc.php:719
action · add_meta_boxes · wck-cfc.php:748
action · add_meta_boxes · wck-cfc.php:765
action · current_screen · wck-cfc.php:785
filter · post_updated_messages · wck-cfc.php:842
filter · wck_field_types · wck-cfc.php:852
filter · wck_before_test_required · wck-cfc.php:862
filter · wck_displayed_value_wck_cfc_fields_field-slug · wck-cfc.php:892
filter · wck_cfc_filter_edit_form_value_wck_cfc_fields_field-slug · wck-cfc.php:893
filter · wck_field_before_description · wck-cfc.php:924
action · admin_menu · wck-cfc.php:1033
action · admin_init · wck-cfc.php:1076
action · init · wck-cfc.php:1192
action · wp_insert_post · wck-cfc.php:1214
action · before_delete_post · wck-cfc.php:1215
filter · get_post_metadata · wck-cfc.php:1243
filter · is_protected_meta · wck-cfc.php:1314
action · init · wck-cptc.php:3
action · admin_enqueue_scripts · wck-cptc.php:19
action · init · wck-cptc.php:28
action · init · wck-cptc.php:135
action · init · wck-cptc.php:241
action · wck_before_add_form_wck_cptc_element_7 · wck-cptc.php:248
action · wck_after_add_form_wck_cptc_element_27 · wck-cptc.php:254
action · wck_before_add_form_wck_cptc_element_28 · wck-cptc.php:260
action · wck_after_add_form_wck_cptc_element_38 · wck-cptc.php:266
filter · wck_before_update_form_wck_cptc_element_7 · wck-cptc.php:272
filter · wck_after_update_form_wck_cptc_element_27 · wck-cptc.php:279
filter · wck_before_update_form_wck_cptc_element_28 · wck-cptc.php:286
filter · wck_after_update_form_wck_cptc_element_38 · wck-cptc.php:293
filter · wck_before_listed_wck_cptc_element_7 · wck-cptc.php:301
filter · wck_after_listed_wck_cptc_element_27 · wck-cptc.php:308
filter · wck_before_listed_wck_cptc_element_28 · wck-cptc.php:315
filter · wck_after_listed_wck_cptc_element_38 · wck-cptc.php:322
action · wck_refresh_list_wck_cptc · wck-cptc.php:329
action · wck_refresh_entry_wck_cptc · wck-cptc.php:330
action · add_meta_boxes · wck-cptc.php:337
action · add_meta_boxes · wck-cptc.php:354
action · load-wck_page_cptc-page · wck-cptc.php:373
action · init · wck-cptc.php:405
action · wck_before_update_meta · wck-cptc.php:427
filter · wck_required_test_wck_cptc_post-type · wck-cptc.php:450
filter · wck_required_message_wck_cptc_post-type · wck-cptc.php:471
action · init · wck-ctc.php:5
action · init · wck-ctc.php:20
action · init · wck-ctc.php:109
filter · posts_clauses · wck-ctc.php:206
filter · wck_required_test_wck_ctc_taxonomy · wck-ctc.php:231
filter · wck_required_message_wck_ctc_taxonomy · wck-ctc.php:252
action · init · wck-ctc.php:283
action · wck_refresh_list_wck_ctc · wck-ctc.php:290
action · wck_refresh_entry_wck_ctc · wck-ctc.php:291
action · wck_before_add_form_wck_ctc_element_5 · wck-ctc.php:297
action · wck_after_add_form_wck_ctc_element_20 · wck-ctc.php:303
action · wck_before_add_form_wck_ctc_element_21 · wck-ctc.php:309
action · wck_after_add_form_wck_ctc_element_29 · wck-ctc.php:315
filter · wck_before_update_form_wck_ctc_element_5 · wck-ctc.php:321
filter · wck_after_update_form_wck_ctc_element_20 · wck-ctc.php:328
filter · wck_before_update_form_wck_ctc_element_21 · wck-ctc.php:335
filter · wck_after_update_form_wck_ctc_element_29 · wck-ctc.php:342
filter · wck_before_listed_wck_ctc_element_5 · wck-ctc.php:350
filter · wck_after_listed_wck_ctc_element_20 · wck-ctc.php:357
filter · wck_before_listed_wck_ctc_element_21 · wck-ctc.php:364
filter · wck_after_listed_wck_ctc_element_29 · wck-ctc.php:371
action · add_meta_boxes · wck-ctc.php:379
action · add_meta_boxes · wck-ctc.php:396
action · load-wck_page_ctc-page · wck-ctc.php:415
action · wck_before_update_meta · wck-ctc.php:449
action · admin_enqueue_scripts · wck-free-to-pro.php:3
action · init · wck-free-to-pro.php:12
action · init · wck-free-to-pro.php:27
action · wck_before_meta_boxes · wck-free-to-pro.php:48
action · wck_before_meta_boxes · wck-free-to-pro.php:114
action · admin_enqueue_scripts · wck-sas.php:5
action · init · wck-sas.php:14
action · init · wck-sas.php:29
action · wck_before_meta_boxes · wck-sas.php:117
action · wck_after_meta_boxes · wck-sas.php:145
action · admin_notices · wck-sas.php:228
action · admin_init · wck-sas.php:229
action · admin_init · wck-sas.php:289
filter · wck_output_get_field_textarea · wck-template-api\wck-field-preprocess.php:26
filter · wck_output_get_field_checkbox · wck-template-api\wck-field-preprocess.php:40
filter · wck_output_the_field_checkbox · wck-template-api\wck-field-preprocess.php:58
filter · wck_output_get_field_upload · wck-template-api\wck-field-preprocess.php:76
filter · wck_output_the_field_upload · wck-template-api\wck-field-preprocess.php:131
filter · wck_output_get_field_user-select · wck-template-api\wck-field-preprocess.php:158
filter · wck_output_the_field_user-select · wck-template-api\wck-field-preprocess.php:192
filter · wck_output_get_field_cpt-select · wck-template-api\wck-field-preprocess.php:214
filter · wck_output_the_field_cpt-select · wck-template-api\wck-field-preprocess.php:234
action · init · wck.php:41
action · init · wck.php:51
action · admin_menu · wck.php:66
action · admin_init · wck.php:147
action · init · wck.php:222
filter · admin_footer_text · wck.php:255
action · admin_enqueue_scripts · wordpress-creation-kit-api\wordpress-creation-kit.php:91
action · admin_head · wordpress-creation-kit-api\wordpress-creation-kit.php:94
action · add_meta_boxes · wordpress-creation-kit-api\wordpress-creation-kit.php:113
action · save_post · wordpress-creation-kit-api\wordpress-creation-kit.php:117
action · wp_insert_post · wordpress-creation-kit-api\wordpress-creation-kit.php:120
action · admin_print_footer_scripts · wordpress-creation-kit-api\wordpress-creation-kit.php:122
action · add_meta_boxes · wordpress-creation-kit-api\wordpress-creation-kit.php:126
action · admin_menu · wordpress-creation-kit-api\wordpress-creation-kit.php:1871
action · network_admin_menu · wordpress-creation-kit-api\wordpress-creation-kit.php:1875
action · admin_enqueue_scripts · wordpress-creation-kit-api\wordpress-creation-kit.php:1908

Maintenance & Trust

Custom Post Types and Custom Fields creator – WCK Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Aug 13, 2025
PHP min version
Downloads: 557K

Community Trust

Rating: 94/100
Number of ratings: 97
Active installs: 10K

Developer Profile

Custom Post Types and Custom Fields creator – WCK Developer Profile

madalin.ungureanu

3 plugins · 14K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 269 days

Detection Fingerprints

How We Detect Custom Post Types and Custom Fields creator – WCK

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths: /wp-content/plugins/wck-custom-fields-and-custom-post-types-creator/images/wck-menu-item.png

HTML / DOM Fingerprints

CSS Classes: wck_meta_box_title
Data Attributes: data-plugin-slug, data-field-type, data-field-name
JS Globals: wck_settings, wck_meta_boxes, wck_metabox_args
Shortcode Output: [wck_frontend_form], [wck_frontend_edit_form], [wck_frontend_display_form]

FAQ

Frequently Asked Questions about Custom Post Types and Custom Fields creator – WCK