Findings
This plugin contains a full path disclosure vulnerability: in certain configurations, accessing a certain URL reveals the filesystem location of the WordPress installation on the server.
Text settings (e.g. Creator) are not escaped when output as meta tags. Fields are sanitised when filled in manually, but not when uploaded in a JSON settings file, so it is possible to execute JavaScript through the meta tags. The upload is nonce-protected, so this is not realistically exploitable.
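The pattern behind this finding, as an added PHP illustration that is not the plugin's own code: the same settings value rendered unescaped and then escaped at output with esc_attr(), plus a JSON import path that sanitises fields the way a manual form entry would. The function names and the sample settings file are constructed; the stand-ins for esc_attr() and sanitize_text_field() only approximate WordPress's versions so the file runs outside WordPress.

```php
<?php
// Added illustration of the class of bug described above (settings output
// unescaped inside meta tags); not the plugin's code. It assumes WordPress's
// esc_attr() and sanitize_text_field(); approximate stand-ins are defined so
// the file also runs outside WordPress.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}
if ( ! function_exists( 'sanitize_text_field' ) ) {
    function sanitize_text_field( $text ) {
        return trim( strip_tags( (string) $text ) );
    }
}

// Vulnerable pattern: trusts that the value was sanitised when it was saved.
function meta_tag_unescaped( $name, $value ) {
    return '<meta name="' . $name . '" content="' . $value . '">';
}

// Hardened pattern: escape at the point of output, whatever the value's origin.
function meta_tag_escaped( $name, $value ) {
    return '<meta name="' . esc_attr( $name ) . '" content="' . esc_attr( $value ) . '">';
}

// Import path: sanitise each text setting from an uploaded JSON file, exactly
// as the manual settings form does, so both channels are treated alike.
function import_settings_json( $json ) {
    $data = json_decode( $json, true );
    if ( ! is_array( $data ) ) {
        return array();
    }
    $clean = array();
    foreach ( $data as $key => $value ) {
        if ( is_string( $value ) ) {
            $clean[ sanitize_text_field( $key ) ] = sanitize_text_field( $value );
        }
    }
    return $clean;
}

// Constructed sample: a settings file whose "creator" field carries markup.
$uploaded = '{"creator":"Alice\"><b>injected</b>"}';
$raw      = json_decode( $uploaded, true );
echo meta_tag_unescaped( 'creator', $raw['creator'] ), "\n"; // quote breaks out of the attribute
$settings = import_settings_json( $uploaded );
echo meta_tag_escaped( 'creator', $settings['creator'] ), "\n"; // value stays inside the attribute
```

Output escaping is the control that holds regardless of which input path was skipped; input sanitisation on the import path is defence in depth.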
The plugin includes the source code of a metaboxes library (including its test and configuration files); this does not appear to be unsafe or to be used unsafely: https://github.com/WebDevStudios/Custom-Metaboxes-and-Fields-for-WordPress
Reason for the 'Use with caution' result
The plugin has been given this recommendation at the tester's discretion:
This plugin contains a full path disclosure vulnerability if display_errors is switched on.