Advanced Product Fields (Product Addons) for WooCommerce Security & Risk Analysis

wordpress.org/plugins/advanced-product-fields-for-woocommerce

Add options (addons) to your WooCommerce products so your customers can personalize their products. Product forms for everyone!

50K active installs v1.6.21 PHP 5.6+ WP 4.5+ Updated Mar 11, 2026
product-addons, product-fields, woocommerce, woocommerce-product-addons, woocommerce-product-options
99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Dec 8, 2025
Safety Verdict

Is Advanced Product Fields (Product Addons) for WooCommerce Safe to Use in 2026?

Generally Safe

Score 99/100

Advanced Product Fields (Product Addons) for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Dec 8, 2025 · Updated 23d ago
Risk Assessment

The "advanced-product-fields-for-woocommerce" plugin v1.6.22 presents a mixed security posture. On the positive side, the plugin demonstrates good practices by using prepared statements for all SQL queries, performing a reasonable number of nonce and capability checks, and having no external HTTP requests or file operations. The attack surface is also relatively small with only one AJAX handler, and importantly, zero unprotected entry points. The taint analysis shows no evidence of unsanitized paths, indicating that potentially dangerous data flows are being handled. This suggests a strong effort by the developers to prevent common vulnerabilities like code injection and path traversal.

However, a significant concern arises from the presence of the `unserialize` function, which is a known high-risk function if not handled with extreme care. Although no specific vulnerabilities were flagged in the taint analysis related to this function, its mere presence represents a potential attack vector. The plugin's vulnerability history, while currently showing no unpatched CVEs, includes one medium severity historical vulnerability, which was a Cross-Site Request Forgery (CSRF). This pattern suggests that while critical vulnerabilities might be rare, the plugin has had past issues, and the potential for CSRF or similar vulnerabilities should not be overlooked. The 68% output escaping rate, while not critically low, means that a portion of the plugin's output is not properly escaped, leaving a window for Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is rendered directly.

In conclusion, the plugin has several strong security implementations, particularly around data handling and entry points. However, the use of `unserialize` and the historical medium-severity CSRF vulnerability, combined with incomplete output escaping, represent key areas of concern that warrant careful monitoring and potentially further investigation into how `unserialize` is being used and the nature of past CSRF vulnerabilities.

Key Concerns

  • Dangerous function unserialize used
  • Output escaping not fully implemented (68%)
  • Past medium severity vulnerability (CSRF)
Vulnerabilities
1

Advanced Product Fields (Product Addons) for WooCommerce Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-13924 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Advanced Product Fields (Product Addons) for WooCommerce <= 1.6.17 - Cross-Site Request Forgery to Product Field Group Duplication and Publication

Dec 8, 2025 Patched in 1.6.18 (2d)
Code Analysis
Analyzed Mar 16, 2026

Advanced Product Fields (Product Addons) for WooCommerce Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 81 (176 escaped)
Nonce Checks: 4
Capability Checks: 7
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

unserialize
$unserialized = is_serialized( $data ) ? unserialize( $data, [ 'allowed_classes' => [ FieldGroup::cl
includes\classes\class-field-groups.php:454

Output Escaping

68% escaped · 257 total outputs
Data Flows: All sanitized

Data Flow Analysis

2 flows
search_woo_products (includes\controllers\class-admin-controller.php:279)
Attack Surface

Advanced Product Fields (Product Addons) for WooCommerce Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers: 1

auth · wp_ajax_wapf_search_products · includes\controllers\class-admin-controller.php:48

WordPress Hooks: 28

action · before_woocommerce_init · advanced-product-fields-for-woocommerce.php:62
action · init · class-wapf.php:54
action · plugins_loaded · includes\classes\class-l10n.php:16
filter · pll_get_post_types · includes\classes\class-l10n.php:19
action · admin_enqueue_scripts · includes\controllers\class-admin-controller.php:25
action · admin_menu · includes\controllers\class-admin-controller.php:26
action · current_screen · includes\controllers\class-admin-controller.php:30
action · admin_notices · includes\controllers\class-admin-controller.php:31
filter · woocommerce_settings_tabs_array · includes\controllers\class-admin-controller.php:37
action · woocommerce_settings_tabs_wapf_settings · includes\controllers\class-admin-controller.php:38
action · woocommerce_update_options_wapf_settings · includes\controllers\class-admin-controller.php:39
filter · woocommerce_product_data_tabs · includes\controllers\class-admin-controller.php:42
action · woocommerce_product_data_panels · includes\controllers\class-admin-controller.php:43
action · woocommerce_process_product_meta_simple · includes\controllers\class-admin-controller.php:44
action · woocommerce_process_product_meta_variable · includes\controllers\class-admin-controller.php:45
filter · admin_footer_text · includes\controllers\class-admin-controller.php:50
action · woocommerce_before_add_to_cart_button · includes\controllers\class-product-controller.php:29
filter · woocommerce_add_to_cart_validation · includes\controllers\class-product-controller.php:32
action · woocommerce_before_calculate_totals · includes\controllers\class-product-controller.php:35
filter · woocommerce_add_cart_item_data · includes\controllers\class-product-controller.php:38
filter · woocommerce_get_item_data · includes\controllers\class-product-controller.php:41
action · woocommerce_checkout_create_order_line_item · includes\controllers\class-product-controller.php:44
filter · woocommerce_product_add_to_cart_text · includes\controllers\class-product-controller.php:47
filter · woocommerce_product_supports · includes\controllers\class-product-controller.php:50
filter · woocommerce_product_add_to_cart_url · includes\controllers\class-product-controller.php:53
filter · woocommerce_order_again_cart_item_data · includes\controllers\class-product-controller.php:56
action · wp_enqueue_scripts · includes\controllers\class-public-controller.php:21
filter · wc_stripe_hide_payment_request_on_product_page · includes\controllers\class-public-controller.php:25

Maintenance & Trust

Advanced Product Fields (Product Addons) for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Mar 11, 2026
PHP min version: 5.6
Downloads: 1.1M

Community Trust

Rating: 96/100
Number of ratings: 277
Active installs: 50K

Developer Profile

Advanced Product Fields (Product Addons) for WooCommerce Developer Profile

Wombat Plugins

4 plugins · 61K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 238 days
Detection Fingerprints

How We Detect Advanced Product Fields (Product Addons) for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/advanced-product-fields-for-woocommerce/assets/css/admin.min.css
/wp-content/plugins/advanced-product-fields-for-woocommerce/assets/js/admin.min.js
Script Paths
/wp-content/plugins/advanced-product-fields-for-woocommerce/assets/js/admin.min.js
Version Parameters
advanced-product-fields-for-woocommerce/assets/css/admin.min.css?ver=
advanced-product-fields-for-woocommerce/assets/js/admin.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
wapf-wrapper, wapf-field-group, wapf-field, wapf-backend, wapf-admin-section
HTML Comments
<!-- This plugin is free - if you find it useful, please leave a quick ⭐⭐⭐⭐⭐ rating -->
Data Attributes
data-wapf-element, data-wapf-field-type, data-wapf-group-id
JS Globals
wapf_language, wapf_config