Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light Security & Risk Analysis

wordpress.org/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light

Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light

500 active installs · v2.4.37 · PHP + WP 3.6+ · Updated Oct 16, 2024
Tags: csv, excel, export, import, woo

Score: 18/100 (F · Critical Risk)
CVEs total: 5
Unpatched: 5
Last CVE: Jun 3, 2025
Safety Verdict

Is Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light Safe to Use in 2026?

Critical Risk — Avoid

Score 18/100

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light is critically unsafe with 5 known CVEs, 5 still unpatched. Avoid in production.

5 known CVEs · 5 unpatched · Last CVE: Jun 3, 2025 · Updated 1yr ago
Risk Assessment

The plugin "excel-like-price-change-for-woocommerce-and-wp-e-commerce-light" v2.4.37 exhibits significant security concerns, primarily due to its historical vulnerability profile and certain insecure coding practices revealed in the static analysis. With a history of 5 known CVEs, all of which remain unpatched and include 3 critical and 2 high severity vulnerabilities, the plugin has a well-documented pattern of critical security flaws. These past issues span SQL Injection, Path Traversal, Code Injection, Incorrect Privilege Assignment, and PHP Remote File Inclusion, suggesting systemic weaknesses in input validation and access control.

The static analysis reveals an attack surface of 24 entry points, with 5 AJAX handlers lacking authentication checks, presenting an immediate risk of unauthorized execution. While the plugin uses prepared statements for 83% of its SQL queries and has a decent number of capability checks (13), the presence of the `unserialize` function is a red flag, especially given the historical code injection vulnerabilities. Furthermore, only 53% of output is properly escaped, increasing the risk of cross-site scripting (XSS) attacks, and one taint flow with an unsanitized path indicates potential path traversal issues.

Overall, the plugin's security posture is poor. The substantial number of unpatched critical and high severity vulnerabilities, coupled with the identified insecure coding practices like unprotected AJAX endpoints and the use of `unserialize`, create a high-risk environment for WordPress sites. While the use of prepared statements and some capability checks are positive indicators, they are overshadowed by the persistent and severe historical vulnerabilities and the immediate risks identified in the static analysis.

Key Concerns

  • Unpatched critical CVEs (3)
  • Unpatched high CVEs (2)
  • AJAX handlers without auth checks (5)
  • Dangerous function: unserialize
  • Taint flow with unsanitized paths (1)
  • Output escaping (53% proper)
  • Nonce checks (4)
Vulnerabilities (5)

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light Security Vulnerabilities

CVEs by Year

2025: 5 CVEs · unpatched

Severity Breakdown

Critical: 3
High: 2
5 total CVEs

CVE-2025-48122 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Unauthenticated SQL Injection
Jun 3, 2025 · Unpatched

CVE-2025-48124 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Unauthenticated Arbitrary File Download
May 30, 2025 · Unpatched

CVE-2025-48123 · critical · 9.8 · Improper Control of Generation of Code ('Code Injection')
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Unauthenticated Remote Code Execution
May 21, 2025 · Unpatched

CVE-2025-48129 · critical · 9.8 · Incorrect Privilege Assignment
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Unauthenticated Privilege Escalation
May 20, 2025 · Unpatched

CVE-2025-39378 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Unauthenticated Local File Inclusion
Apr 21, 2025 · Unpatched
Code Analysis (analyzed Mar 16, 2026)

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 21 (102 prepared)
Unescaped Output: 411 (461 escaped)
Nonce Checks: 4
Capability Checks: 13
File Operations: 50
External Requests: 1
Bundled Libraries: 1

Dangerous Functions Found

  • unserialize: `$result[$user_meta->user_id]->role = implode(",",array_keys(unserialize($user_meta->meta_value)));` (sellingcommander.php:3063)
  • unserialize: `$result[$media_meta->post_id]->media_details = unserialize($media_meta->meta_value);` (sellingcommander.php:3236)
  • unserialize: `$pr_meta = unserialize($pr_meta);` (shops\wpsc.php:1082)

Bundled Libraries

jQuery

SQL Query Safety

83% prepared · 123 total queries

Output Escaping

53% escaped · 872 total outputs

Data Flows: 1 unsanitized

Data Flow Analysis

2 flows · 1 with unsanitized paths
  • <wooc> (shops\wooc.php:0)
Attack Surface: 5 unprotected

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light Attack Surface

Entry Points: 24
Unprotected: 5

AJAX Handlers (5)

  • auth: wp_ajax_pelm_price_frame_display (excel-like-price-change-for-woocommerce-and-wp-e-commerce-light.php:260)
  • auth: wp_ajax_sellingcommander_local (sellingcommander.php:629)
  • nopriv: wp_ajax_sellingcommander_local (sellingcommander.php:630)
  • auth: wp_ajax_sellingcommander-endpoint (sellingcommander.php:632)
  • nopriv: wp_ajax_sellingcommander-endpoint (sellingcommander.php:633)

REST API Routes (19)

  • GET /wp-json/sc/v1/info (sellingcommander.php:795)
  • GET /wp-json/sc/v1/taxonomy_terms (sellingcommander.php:801)
  • GET /wp-json/sc/v1/subscriptions_and_orders (sellingcommander.php:807)
  • GET /wp-json/sc/v1/products_readout (sellingcommander.php:813)
  • GET /wp-json/sc/v1/media_readout (sellingcommander.php:819)
  • GET /wp-json/sc/v1/customers_readout (sellingcommander.php:825)
  • GET /wp-json/sc/v1/taxonomy_readout (sellingcommander.php:831)
  • POST /wp-json/sc/v1/query (sellingcommander.php:837)
  • POST /wp-json/sc/v1/cache_delete (sellingcommander.php:846)
  • POST /wp-json/sc/v1/queries (sellingcommander.php:855)
  • POST /wp-json/sc/v1/fs (sellingcommander.php:864)
  • POST /wp-json/sc/v1/media_import (sellingcommander.php:873)
  • POST /wp-json/sc/v1/media_delete (sellingcommander.php:882)
  • POST /wp-json/sc/v1/media_update (sellingcommander.php:891)
  • GET /wp-json/sc/v1/media_read (sellingcommander.php:900)
  • GET /wp-json/sc/v1/customers_read (sellingcommander.php:909)
  • POST /wp-json/sc/v1/save_forward_settings (sellingcommander.php:918)
  • POST /wp-json/sc/v1/clear_cache (sellingcommander.php:927)
  • POST /wp-json/sc/v1/update_plugin (sellingcommander.php:936)

WordPress Hooks (20)

  • action: before_woocommerce_init (excel-like-price-change-for-woocommerce-and-wp-e-commerce-light.php:224)
  • action: admin_menu (excel-like-price-change-for-woocommerce-and-wp-e-commerce-light.php:249)
  • action: wp_loaded (excel-like-price-change-for-woocommerce-and-wp-e-commerce-light.php:257)
  • action: admin_init (excel-like-price-change-for-woocommerce-and-wp-e-commerce-light.php:269)
  • action: admin_footer (excel-like-price-change-for-woocommerce-and-wp-e-commerce-light.php:428)
  • action: before_woocommerce_init (sellingcommander.php:400)
  • action: wp_loaded (sellingcommander.php:478)
  • action: admin_menu (sellingcommander.php:607)
  • action: admin_init (sellingcommander.php:613)
  • action: init (sellingcommander.php:616)
  • filter: determine_current_user (sellingcommander.php:618)
  • filter: woocommerce_rest_is_request_to_rest_api (sellingcommander.php:619)
  • filter: rest_pre_serve_request (sellingcommander.php:623)
  • action: rest_api_init (sellingcommander.php:624)
  • filter: rest_authentication_errors (sellingcommander.php:625)
  • filter: woocommerce_rest_check_permissions (sellingcommander.php:626)
  • action: save_post_product (sellingcommander.php:648)
  • action: before_delete_post (sellingcommander.php:650)
  • action: woocommerce_email (sellingcommander.php:793)
  • filter: rest_request_after_callbacks (sellingcommander.php:993)

Maintenance & Trust

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.1.10
Last updated: Oct 16, 2024
PHP min version
Downloads: 51K

Community Trust

Rating: 82/100
Number of ratings: 15
Active installs: 500

Developer Profile

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light Developer Profile

Holest Engineering

2 plugins · 560 total installs

Trust score: 53
Avg Security Score: 41/100
Avg Patch Time: 30 days

Detection Fingerprints

How We Detect Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/price-changer.js
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/css/price-changer.css
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/jquery.handsontable.full.min.js
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/pikaday.js
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/moment.min.js
Script Paths
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/price-changer.js
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/jquery.handsontable.full.min.js
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/pikaday.js
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/moment.min.js
Version Parameters
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/price-changer.js?ver=
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/css/price-changer.css?ver=
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/jquery.handsontable.full.min.js?ver=
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/pikaday.js?ver=
  • /wp-content/plugins/excel-like-price-change-for-woocommerce-and-wp-e-commerce-light/js/moment.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
handsontable
HTML Comments
Copyright (c) holest.comTHE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Data Attributes
  • data-plugin-name
  • data-plugin-version
  • data-plugin-author
JS Globals
window.pelm_ajax_object
FAQ

Frequently Asked Questions about Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light