Plugin inspection:

Types – Custom Fields and Custom Post Types Management

Use with caution

Last revised:

Confidence: Medium
This plugin has been given a short, targeted code review.

Before using this plugin, you should carefully consider these findings. Read more about this recommendation.

Findings

  • The plugin is very large at 29k lines
  • Uses eval() and create_function()
  • Uses htmlspecialchars() instead of esc_html()
  • Some SQL is unescaped

Reason for the 'Use with caution' result

The plugin contains, or is likely to contain, a vulnerability that a privileged user could exploit to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:

Calls to eval() and create_function() are automatic failures unless their arguments are string literals. In the case of wpv_admin_message(), it looks very likely that the function is called with unsafe parameters.
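To make the three code-level findings concrete, here is an added, hypothetical illustration (not code from the Types plugin) of each flagged pattern next to the form a reviewer expects; the function names and the $slug/$message parameters are invented for the example:

```php
<?php
// Hypothetical illustration of the inspection's failure criteria; not the plugin's code.

// 1. Unsafe generation of PHP code.
// Flagged: the argument is assembled from a runtime value, so PHP compiles text
// the caller controls. This is the case the "string literal only" rule excludes.
function notice_flagged( $message ) {
    return create_function( '', 'return "' . $message . '";' );
}
// Passes: a closure captures the value as data; no PHP source is generated at runtime.
// (create_function() is also deprecated in PHP 7.2 and removed in 8.0.)
function notice_ok( $message ) {
    return function () use ( $message ) {
        return $message;
    };
}

// 2. Failure to use available core functionality.
// Flagged: htmlspecialchars() bypasses WordPress's charset handling and its esc_html filter.
function render_flagged( $text ) {
    return '<p>' . htmlspecialchars( $text ) . '</p>';
}
// Passes: esc_html() is the core escaping helper the review looks for.
function render_ok( $text ) {
    return '<p>' . esc_html( $text ) . '</p>';
}

// 3. Execution of unprepared SQL statements.
// Flagged: the value is concatenated straight into the query string.
function lookup_flagged( $wpdb, $slug ) {
    return $wpdb->get_row( "SELECT ID FROM {$wpdb->posts} WHERE post_name = '" . $slug . "'" );
}
// Passes: $wpdb->prepare() binds the value with a %s placeholder.
function lookup_ok( $wpdb, $slug ) {
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} WHERE post_name = %s", $slug )
    );
}
```

The "flagged" forms are what the findings list above refers to; the "ok" forms show what would have satisfied each criterion.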

Failure criteria

  • Execution of unprepared SQL statements
  • Unsafe generation of PHP code
  • Failure to use available core functionality
  • Very large codebase

Read more about our failure criteria.