Is CMB2 Abandoned? Understanding Plugin Support and Compatibility
Many WordPress users rely on the powerful CMB2 plugin to create custom meta boxes and fields. However, a common point of confusion and concern arises when users notice the plugin's "tested up to" version in the repository is older than the latest WordPress release, or the last update was some time ago. This often triggers warnings from security scanners or hosting providers, leading to the question: Is CMB2 still supported and safe to use?
Why This Message Appears
The "This plugin hasn't been tested with the latest 3 major releases of WordPress" warning is an automated message generated by the WordPress.org plugin repository. It appears when the "Tested up to" version number in the plugin's readme file has not been updated to match a recent major WordPress release. This does not automatically mean the plugin is broken or abandoned; it simply means the author has not manually updated that specific version number.
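To see what that flag actually measures, the sketch below reads the "Tested up to" header from a plugin's readme and counts how many major WordPress releases it trails the version you run. It is an added example, not code from WordPress.org or the CMB2 project; the sample readme is constructed, the function names are hypothetical, and the three-release threshold is an assumption modeled on the wording of the warning.

```python
import re

# Constructed sample readme.txt header (not CMB2's actual readme).
SAMPLE_README = """\
=== Example Meta Box Library ===
Contributors: exampledev
Requires at least: 4.7
Tested up to: 5.8.2
Requires PHP: 7.4
Stable tag: 1.2.3

== Description ==
Tested up to: 9.9 (this line is body text and must be ignored)
"""

HEADER_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$")

def parse_readme_headers(text):
    """Return the header fields that appear before the first '== Section ==' line."""
    headers = {}
    for line in text.splitlines():
        if line.startswith("== "):
            break  # header block ends at the first section heading
        m = HEADER_RE.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2)
    return headers

def release_index(version):
    """Map 'X.Y[.Z]' to a major-release counter; WordPress counts 5.9 -> 6.0."""
    m = re.match(r"^(\d+)(?:\.(\d))?", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return int(m.group(1)) * 10 + int(m.group(2) or 0)

def triage(readme_text, current_wp, threshold=3):
    """Report how stale the header is; threshold is an assumed cut-off."""
    tested = parse_readme_headers(readme_text).get("tested up to")
    if tested is None:
        return {"tested_up_to": None, "releases_behind": None, "flagged": True}
    behind = max(0, release_index(current_wp) - release_index(tested))
    return {"tested_up_to": tested, "releases_behind": behind,
            "flagged": behind >= threshold}

if __name__ == "__main__":
    print(triage(SAMPLE_README, "6.2"))
```

A flagged result only says the header is stale; whether the plugin's code works on the newer release still has to be established by testing.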
The Reality of CMB2 Support
Based on discussions in the support forums, the CMB2 team has consistently confirmed that the plugin is still actively supported. Key points from their responses include:
- Active Maintenance: Support representatives state they are "still actively supporting it" and help resolve conflicts and issues as needed.
- Ongoing Development: Initial development work for future versions continues on its GitHub repository, where recent commits can be observed.
- Real-World Compatibility: The team and community members frequently report using the latest version of CMB2 successfully on sites running the newest versions of WordPress (including 6.2) without major issues.
- PHP 8.1+ Consideration: While the plugin may not be explicitly flagged as tested for PHP 8.1, the team encourages users to report any specific issues found on GitHub so they can be addressed.
Common Solutions and Best Practices
If you are concerned about using CMB2, here are the recommended steps to ensure compatibility and security.
1. Test on a Staging Site
This is the most reliable way to check for conflicts. Before updating WordPress or PHP on your live site, update them on a staging or local copy first. Then, thoroughly test all functionality that uses CMB2 fields. The CMB2 team itself advises this approach, stating, "If ever in doubt, testing things on a staging/local copy is understandable and advisable."
2. Understand the Plugin's Nature
CMB2 is primarily a developer's library. It is often bundled within themes and other plugins. If a feature breaks, the issue is more likely related to how another product (like your theme) is using CMB2, rather than a core problem with CMB2 itself. As seen in the threads, when a theme had an issue with a colorpicker field, the theme author was the one who needed to provide the configuration details to get support.
3. Check for Data Privacy Compliance
A common question is whether CMB2 is GDPR compliant. The plugin itself does not collect any user data. It is a tool for creating UI. However, if you or a theme/plugin developer use it to create frontend forms that collect personal data, you are responsible for ensuring that implementation is compliant with regulations like GDPR or NCA standards.
4. Ignore Generic Security Scanner Warnings (With Caution)
Scanners like Wordfence often flag plugins based solely on the "last updated" date. While these warnings should not be ignored outright, they are a starting point for investigation, not a definitive verdict. The CMB2 team has asked users to provide specific security warnings so they can be investigated, suggesting that many of these alerts are generic false positives.
Conclusion
The evidence from support threads indicates that CMB2 is not abandoned. The core library remains stable and compatible with recent versions of WordPress and PHP. The most common "problem"—the outdated "tested up to" flag—is a documentation issue, not a functional one. The best course of action is to perform due diligence by testing in a safe environment and understanding that the plugin is a tool whose output depends on its implementation.
Related Support Threads
- New updates?: https://wordpress.org/support/topic/new-updates-9/
- Limited Support for the week of 9/14 to 9/18: https://wordpress.org/support/topic/limited-support-for-the-week-of-914-to-918-919/
- Could you check and update compatibility upto 5.8: https://wordpress.org/support/topic/could-you-check-and-update-compatibility-upto-5-8/
- is this plugin still supported?: https://wordpress.org/support/topic/is-this-plugin-still-supported-161/
- 4.4 compatible release date: https://wordpress.org/support/topic/44-compatible-release-date/
- Update WordPress 6.2 / PHP 8.1 planed/tested?: https://wordpress.org/support/topic/update-wordpress-6-2-php-8-1-planed-tested-2/
- Plugin version 2.6.0 Compatibility: https://wordpress.org/support/topic/plugin-version-2-6-0-compatibility/
- Plugin Update: https://wordpress.org/support/topic/plugin-update-215/
- ViewTube: https://wordpress.org/support/topic/viewtube/
- Continuation of: Is this plugin still supported?: https://wordpress.org/support/topic/continuation-of-is-this-plugin-still-supported/
- GDPR Compliance?: https://wordpress.org/support/topic/gdpr-compliance-126/
- Plugin compatible with NCA standards: https://wordpress.org/support/topic/plugin-compatible-with-nca-standards-3/
- Latest update broke Pages: https://wordpress.org/support/topic/latest-update-broke-pages/
- Is this plugin still supported?: https://wordpress.org/support/topic/is-this-plugin-still-supported-95/
- Does not work on WordPress version 5.2: https://wordpress.org/support/topic/no-funciona-en-version-wordpress-5-2/