Title: Is Custom Post Fields safe for scripting?
Last modified: January 10, 2022

---

# Is Custom Post Fields safe for scripting?

 *  [kingkonglauncher](https://wordpress.org/support/users/kingkonglauncher/)
 * (@kingkonglauncher)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/is-custom-post-fields-safe-for-scripting/)
 * Hi, I don’t know exactly what it’s called, but when we go to edit a post, we can
   see under Custom Fields the keys and values that users can enter.
 * My question would be, how much can I trust that these fields can 1. only be seen
   by me and 2. only be used and modified by me.
 * Previously I used shortcodes for parsing any file onto my page. This is a huge
   security risk, since visitors can simply use my shortcode and get all files
   in my system.
 * Now I still need this functionality, so I found custom fields and thought that
   I could add the key “file_parse” and the value “path/to/my/file.html” to parse it this
   way. Am I missing a vulnerability again, or is this fully safe to do?

Viewing 3 replies - 1 through 3 (of 3 total)

 *  [Jacob Peattie](https://wordpress.org/support/users/jakept/)
 * (@jakept)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/is-custom-post-fields-safe-for-scripting/#post-15232775)
 * There’s not much difference between doing this with custom fields and using a
   shortcode. If the user has editor access then they can use custom fields to parse
   any file too.
 * One thing I don’t quite understand though is that you mention visitors potentially
   using your shortcode as a risk. This should only be a problem if those visitors
   have access to edit content on the website. Is that something that’s happening
   in your website?
 *  Thread Starter [kingkonglauncher](https://wordpress.org/support/users/kingkonglauncher/)
 * (@kingkonglauncher)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/is-custom-post-fields-safe-for-scripting/#post-15232812)
 * The only user that can edit posts is myself, aka the admin. I have some weird setup
   where users can indeed inject not code but text to the backend (and in case I have
   missed something, which is very possible, then I could accidentally perform do_shortcode
   on the page which contains user code). Which means that they can potentially
   trigger shortcodes.
 * So I simplified the strategy by avoiding all sorts of functional/powerful shortcodes
   and instead only use shortcodes for displaying simple HTML etc…
 * So from my understanding of your writing, as long as I make sure that user roles
   don’t have access to edit posts, we should be safe?
    -  This reply was modified 4 years, 4 months ago by [kingkonglauncher](https://wordpress.org/support/users/kingkonglauncher/).
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [4 years, 4 months ago](https://wordpress.org/support/topic/is-custom-post-fields-safe-for-scripting/#post-15233290)
 * Security is multi-faceted and dependent on the implementation. It’s all for naught
   if a user has more privilege than necessary (insider attack). Themes and plugins
   in the WP repository have been reviewed by knowledgeable volunteers, which is some
   assurance of secure implementation. It’s still possible for vulnerabilities to
   slip through; it’s not a guarantee of absolute security. Software from other
   sources is buyer beware.
 * Proper security measures are discussed at
    [https://developer.wordpress.org/plugins/security/](https://developer.wordpress.org/plugins/security/)
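
An added example, not code from this thread or from WordPress itself, showing how the “file_parse” custom field from the opening post could be consumed by a theme or plugin without turning into the arbitrary-file-read problem Jacob’s reply warns about: the file name is confined to one allow-listed directory, the shortcode ignores its own attributes so page text cannot pick the file, and the lookup only runs if the post’s author holds the `unfiltered_html` capability. The shortcode name, the `fragments` directory and the `fp_` function names are assumptions.

```php
<?php
// Added example (not from the thread). Hypothetical [file_parse] shortcode that
// includes the file named in the post's "file_parse" custom field, restricted to
// one directory and gated on the post author's capability.

define( 'FP_ALLOWED_DIR', WP_CONTENT_DIR . '/fragments' ); // assumed allow-listed folder

function fp_resolve_fragment( $post_id ) {
    $value = get_post_meta( $post_id, 'file_parse', true );
    if ( ! is_string( $value ) || '' === $value ) {
        return null;
    }
    // Accept only a bare file name with a fixed extension: no slashes, no "..",
    // no absolute paths, so "path/to/my/file.html" style values are rejected.
    if ( ! preg_match( '/\A[A-Za-z0-9_-]+\.html\z/', $value ) ) {
        return null;
    }
    $base = realpath( FP_ALLOWED_DIR );
    $path = realpath( FP_ALLOWED_DIR . '/' . $value );
    // realpath() follows symlinks; reject anything that resolves outside the base.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

function fp_shortcode_handler( $atts ) {
    // $atts is deliberately unused: a visitor who gets text into a page must not
    // be able to choose the file through shortcode attributes.
    $post = get_post();
    if ( ! $post ) {
        return '';
    }
    // Custom fields are editable by anyone who can edit the post, so the trust
    // decision is tied to the post author's capability, not to the meta value.
    if ( ! user_can( (int) $post->post_author, 'unfiltered_html' ) ) {
        return '';
    }
    $path = fp_resolve_fragment( $post->ID );
    if ( null === $path ) {
        return '';
    }
    $html = file_get_contents( $path );
    // Still run the fragment through the post-content allow-list before output.
    return ( false === $html ) ? '' : wp_kses_post( $html );
}
add_shortcode( 'file_parse', 'fp_shortcode_handler' );
```

Because the value is read from post meta rather than from the shortcode’s attributes, this only limits who can select a file; it does not change Jacob’s point that anyone with edit access to the post can still set the field.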

The topic ‘Is Custom Post Fields safe for scripting?’ is closed to new replies.

## Tags

 * [custom fields](https://wordpress.org/support/topic-tag/custom-fields/)
 * [php](https://wordpress.org/support/topic-tag/php/)

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 3 replies
 * 3 participants
 * Last reply from: [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * Last activity: [4 years, 4 months ago](https://wordpress.org/support/topic/is-custom-post-fields-safe-for-scripting/#post-15233290)
 * Status: not resolved