Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor Security & Risk Analysis

wordpress.org/plugins/flexible-product-fields

Add extra product options on your WooCommerce product page. Product addons for all product variations. 20 free product addons.

10K active installs · v2.14.1 · PHP 7.4+ · WP 6.4+ · Updated Mar 4, 2026
Tags: woocommerce-custom-fields, woocommerce-custom-product, woocommerce-customize-product, woocommerce-product-addons, woocommerce-product-options
Score: 100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor Safe to Use in 2026?

Generally Safe

Score 100/100

Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The "flexible-product-fields" plugin v2.14.1 exhibits a generally good security posture based on the static analysis. A significant majority of SQL queries use prepared statements, and the output escaping rate is also high. The plugin also demonstrates good practices with numerous capability checks and a reasonable number of nonce checks, which are crucial for preventing many common attacks. Furthermore, the absence of known CVEs and a clean vulnerability history suggest a mature and well-maintained codebase.

However, the static analysis does reveal some areas of concern. The presence of dangerous functions such as `unserialize`, `proc_open`, and `shell_exec` warrants caution, because they can be exploited if user-supplied data reaches them without strict validation. Although the taint analysis did not identify critical or high severity flows, it did report "flows with unsanitized paths", which, combined with the dangerous functions, could lead to vulnerabilities. The attack surface is small and appears protected, but it could still become a vector if an authentication bypass is discovered in the future.

In conclusion, the plugin is in a reasonably secure state with a solid track record and good implementation of security features. The primary risks lie in the potential misuse of dangerous functions due to unsanitized input. Developers should prioritize thorough sanitization of all data passed to `unserialize`, `proc_open`, and `shell_exec` to mitigate these risks effectively. The overall risk is considered moderate, with opportunities for improvement in input sanitization.

Key Concerns

  • Dangerous functions found (unserialize, proc_open, shell_exec)
  • Flows with unsanitized paths found
  • Low percentage of SQL queries using prepared statements (71%)
  • Output escaping below 100% (81%)
Vulnerabilities
None known

Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 2 (5 prepared)
Unescaped Output: 84 (367 escaped)
Nonce Checks: 6
Capability Checks: 8
File Operations: 15
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$fields = unserialize( $row->meta_value );` (classes\fpf-product-fields.php:152)
proc_open: `$this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd);` (vendor_prefixed\monolog\monolog\src\Monolog\Handler\ProcessHandler.php:104)
shell_exec: `$branches = shell_exec('git branch -v --no-abbrev');` (vendor_prefixed\monolog\monolog\src\Monolog\Processor\GitProcessor.php:60)
shell_exec: `$result = explode(' ', trim((string) shell_exec('hg id -nb')));` (vendor_prefixed\monolog\monolog\src\Monolog\Processor\MercurialProcessor.php:59)

SQL Query Safety

71% prepared · 7 total queries

Output Escaping

81% escaped · 451 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
handle_ajax_request (vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\RequestSenderService.php:61)
Attack Surface

Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 1

auth wp_ajax_wpdesk_notice_dismiss (vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:42)

REST API Routes 3

GET /wp-json/flexible_product_fields/v1/products/ (classes\fpf-product-fields.php:214)
GET /wp-json/flexible_product_fields/v1/categories/ (classes\fpf-product-fields.php:225)
GET /wp-json/flexible_product_fields/v1/tags/ (classes\fpf-product-fields.php:236)
WordPress Hooks 81
filter woocommerce_product_add_to_cart_text (classes\fpf-add-to-cart-filters.php:36)
filter woocommerce_add_to_cart_url (classes\fpf-add-to-cart-filters.php:37)
filter woocommerce_product_add_to_cart_url (classes\fpf-add-to-cart-filters.php:38)
filter woocommerce_product_loop_start (classes\fpf-add-to-cart-filters.php:39)
filter woocommerce_product_loop_end (classes\fpf-add-to-cart-filters.php:40)
action plugins_loaded (classes\fpf-cart.php:74)
filter woocommerce_add_to_cart_handler (classes\fpf-cart.php:81)
filter woocommerce_get_cart_item_from_session (classes\fpf-cart.php:82)
filter woocommerce_get_item_data (classes\fpf-cart.php:83)
action woocommerce_new_order_item (classes\fpf-cart.php:84)
action wlfmc_add_to_list_handler (classes\fpf-cart.php:86)
filter wlfmc_third_party_item_price (classes\fpf-cart.php:87)
filter wlfmc_add_to_cart_handler (classes\fpf-cart.php:88)
filter woocommerce_add_cart_item (classes\fpf-cart.php:100)
filter woocommerce_add_cart_item_data (classes\fpf-cart.php:101)
action woocommerce_cart_calculate_fees (classes\fpf-cart.php:554)
action plugins_loaded (classes\fpf-order.php:17)
filter woocommerce_order_item_display_meta_value (classes\fpf-order.php:22)
action init (classes\fpf-plugin.php:296)
action admin_init (classes\fpf-plugin.php:297)
action init (classes\fpf-post-type.php:30)
action add_meta_boxes (classes\fpf-post-type.php:31)
filter manage_edit-fpf_fields_columns (classes\fpf-post-type.php:33)
action manage_fpf_fields_posts_custom_column (classes\fpf-post-type.php:34)
filter post_row_actions (classes\fpf-post-type.php:36)
filter bulk_actions-edit-fpf_fields (classes\fpf-post-type.php:38)
action admin_menu (classes\fpf-post-type.php:40)
action rest_api_init (classes\fpf-product-fields.php:21)
action woocommerce_before_add_to_cart_button (classes\fpf-product.php:78)
action woocommerce_after_add_to_cart_button (classes\fpf-product.php:79)
filter woocommerce_product_supports (classes\fpf-product.php:81)
filter wpdesk_tracker_data (classes\tracker.php:17)
filter wpdesk_tracker_notice_screens (classes\tracker.php:18)
filter plugin_action_links_flexible-product-fields/flexible-product-fields.php (classes\tracker.php:20)
action activated_plugin (classes\tracker.php:21)
action before_woocommerce_init (flexible-product-fields.php:73)
action init (src\Block\BlockIntegration.php:19)
action enqueue_block_editor_assets (src\Block\BlockIntegration.php:20)
filter render_block_context (src\Block\TemplateBlockContext.php:20)
filter flexible_product_fields_field_types (src\Field\Type\TypeIntegration.php:30)
filter flexible_product_fields_field_types (src\Field\Type\TypeIntegration.php:31)
action init (src\Integration\IntegratorIntegration.php:36)
action admin_menu (src\Marketing\SupportPage.php:41)
action admin_enqueue_scripts (src\Marketing\SupportPage.php:42)
filter admin_init (src\Notice\NoticeIntegration.php:40)
filter admin_notices (src\Notice\NoticeIntegration.php:53)
action admin_enqueue_scripts (src\Notice\NoticeIntegration.php:54)
action admin_enqueue_scripts (src\Notice\NoticeIntegration.php:55)
filter woocommerce_before_add_to_cart_button (src\Product\FieldsConfig.php:40)
filter flexible_product_fields/short_url (src\Service\ShortLinksGenerator.php:24)
filter flexible_product_fields_assign_to_options (src\Settings\FieldsGroup.php:22)
action flexible_product_fields/save_form_data (src\Settings\Form\FormIntegration.php:43)
action edit_form_advanced (src\Settings\Page.php:49)
action admin_enqueue_scripts (src\Settings\Page.php:50)
action rest_api_init (src\Settings\Route\RouteIntegration.php:32)
filter flexible_product_fields/field_settings_tabs (src\Settings\Tab\TabIntegration.php:30)
action admin_init (src\Tracker\DeactivationTracker.php:36)
filter flexible_product_fields/validate_field/v2 (src\Validation\Rule\RuleIntegration.php:32)
action wp_dashboard_setup (vendor_prefixed\wpdesk\ltv-dashboard-widget\src\DashboardWidget.php:102)
action admin_enqueue_scripts (vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:148)
action wp_enqueue_scripts (vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:149)
action admin_enqueue_scripts (vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:41)
action admin_notices (vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:144)
action admin_footer (vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:145)
filter wp_autoloader_loader_loaders_to_load (vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:45)
filter wp_autoloader_loader_loaders_to_create (vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:46)
action plugins_loaded (vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\Simple\SimplePaidStrategy.php:58)
action plugins_loaded (vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:81)
action before_woocommerce_init (vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:88)
action activated_plugin (vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:102)
filter doing_it_wrong_trigger_error (vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:123)
action admin_print_styles-plugins.php (vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\AssetsPrinterService.php:26)
action admin_print_footer_scripts-plugins.php (vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\AssetsPrinterService.php:27)
action admin_print_footer_scripts-plugins.php (vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\TemplateGeneratorService.php:43)
action admin_enqueue_scripts (vendor_prefixed\wpdesk\wp-wpdesk-marketing\src\Boxes\Assets.php:16)
action admin_enqueue_scripts (vendor_prefixed\wpdesk\wp-wpdesk-marketing\src\Boxes\Assets.php:30)
action admin_enqueue_scripts (vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\Assets.php:28)
action admin_menu (vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:35)
action admin_init (vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:36)
action admin_notices (vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptOut.php:28)
filter plugin_row_meta (vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\PluginActionLinks.php:36)
Maintenance & Trust

Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 4, 2026
PHP min version: 7.4
Downloads: 733K

Community Trust

Rating: 90/100
Number of ratings: 105
Active installs: 10K
Developer Profile

Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor Developer Profile

wpdesk

23 plugins · 127K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 135 days
Detection Fingerprints

How We Detect Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/flexible-product-fields/css/front.css
/wp-content/plugins/flexible-product-fields/js/fpf_product.js
/wp-content/plugins/flexible-product-fields/css/new-front.css
/wp-content/plugins/flexible-product-fields/js/new-front.js
Script Paths
js/fpf_product.js
js/new-front.js
Version Parameters
flexible-product-fields/css/front.css?ver=
flexible-product-fields/js/fpf_product.js?ver=
flexible-product-fields/css/new-front.css?ver=
flexible-product-fields/js/new-front.js?ver=

HTML / DOM Fingerprints

CSS Classes
fpf_main_section
fpf-product-fields
fpf-field-wrapper
HTML Comments
<!-- WPDEBUG: fpf_product -->
<!-- JS END: fpf_product -->
<!-- WPDEBUG: fpf_new_front -->
<!-- JS END: fpf_new_front -->
Data Attributes
data-fpf-field-type
data-fpf-field-id
data-fpf-product-id
JS Globals
fpf_product
REST Endpoints
/wp-json/fpf/v1/fields
Shortcode Output
[fpf_product_fields]
FAQ

Frequently Asked Questions about Flexible Product Fields (WooCommerce Product Addons) – WooCommerce Product Page Editor