FoxyShop Security & Risk Analysis

wordpress.org/plugins/foxyshop

FoxyShop provides a robust shopping cart and inventory management tool for use with FoxyCart's hosted e-commerce solution.

90 active installs · v4.9.7 · PHP 5.3+ · WP 3.1+ · Updated Mar 10, 2025
Tags: cart · foxycart · inventory · management · shopping
Score: 92 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Jun 16, 2022
Safety Verdict

Is FoxyShop Safe to Use in 2026?

Generally Safe

Score 92/100

FoxyShop has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Jun 16, 2022 · Updated 1yr ago
Risk Assessment

FoxyShop 4.9.7 presents a mixed security posture. On the positive side, the static analysis reports that every entry point it identified (nine AJAX handlers and four shortcodes; see Attack Surface below, which lists no REST routes) carries authentication and permission checks, and the plugin escapes 89% of its outputs and performs 25 nonce checks, which points to a deliberate approach to the common web vulnerability classes.

Several areas still warrant attention. The most significant is `unserialize`, which appears at nine call sites (listed under Code Analysis) that hand serialized blobs to `update_option()`, `update_post_meta()` and `update_user_meta()`. Calling `unserialize` on data an attacker can influence is PHP object injection; it becomes remote code execution as soon as a gadget chain exists in the plugin or in any other loaded code, and the `is_serialized()` guard on some of these calls only checks the string's shape, not whether it instantiates objects. Static analysis found no directly exploitable path, but taint analysis reported two high-severity flows and nine flows with unsanitized paths, which indicates weak points in how user-supplied data travels toward such sinks. Eight of the 14 SQL queries (57%) do not go through `$wpdb->prepare()`; this page does not show whether any of them carries user input, so that is the first thing to verify in a review. The plugin's history also includes a medium-severity reflected XSS (CVE-2022-1220, affecting versions up to 4.8.1 and fixed in 4.8.2), so input handling has been wrong before.

Overall, FoxyShop has made progress on authentication and output escaping. No CVE remains unpatched and the taint analysis reports no critical flows, both of which are encouraging. The remaining risk is concentrated in the `unserialize` call sites, the high-severity unsanitized taint flows and the unprepared queries; those deserve monitoring and, where the data originates outside the administrator's control, refactoring. The plugin is not inherently insecure, but these coding patterns and its past vulnerability class justify a cautious deployment.

Key Concerns

  • Dangerous function: unserialize used
  • High severity taint flows found
  • Unsanitized paths in taint flows
  • Previous medium severity XSS vulnerability
  • SQL queries: 57% not using prepared statements
Vulnerabilities
1 published

FoxyShop Security Vulnerabilities

CVEs by Year

1 CVE in 2022 (patched; none unpatched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2022-1220 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

FoxyShop <= 4.8.1 - Reflected Cross-Site Scripting

Jun 16, 2022 · Patched in 4.8.2 (586 days)
Version History

FoxyShop Release Timeline

v4.9.7 (current)
v4.9.6
v4.9.5
v4.9.4
v4.9.3
v4.9.2
v4.9.1
v4.9
v4.8.2
v4.8.1 · 1 CVE
v4.8 · 1 CVE
v4.7.9 · 1 CVE
v4.7.8 · 1 CVE
v4.7.7 · 1 CVE
v4.7.6 · 1 CVE
v4.7.5 · 1 CVE
v4.7.4 · 1 CVE
v4.7.3 · 1 CVE
v4.7.2 · 1 CVE
v4.7.1 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

FoxyShop Code Analysis

Dangerous Functions: 9
Raw SQL Queries: 8 (6 prepared, 14 total)
Unescaped Output: 208 (1716 escaped, 1924 total)
Nonce Checks: 25
Capability Checks: 8
File Operations: 0
External Requests: 8
Bundled Libraries: 0

Dangerous Functions Found

unserialize · adminfunctions.php:495 · `update_option('foxyshop_category_sort', unserialize($foxyshop_category_sort));`
unserialize · adminfunctions.php:499 · `update_option('foxyshop_saved_variations', unserialize($foxyshop_saved_variations));`
unserialize · adminfunctions.php:583 · `if (is_serialized($variations)) update_post_meta($product->ID, '_variations', unserialize($variation` (truncated)
unserialize · adminfunctions.php:584 · `if (is_serialized($inventory_levels)) update_post_meta($product->ID, '_inventory_levels', unserializ` (truncated)
unserialize · adminfunctions.php:592 · `if (is_serialized($meta_value)) update_user_meta($user->user_id, 'foxyshop_subscription', unserializ` (truncated)
unserialize · datafeedfunctions.php:144 · `$val = unserialize($meta->meta_value);`
unserialize · tools-page.php:28 · `update_option("foxyshop_settings", unserialize($decrypted[0]));`
unserialize · tools-page.php:29 · `update_option("foxyshop_category_sort", unserialize($decrypted[1]));`
unserialize · tools-page.php:30 · `update_option("foxyshop_saved_variations", unserialize($decrypted[2]));`
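The call sites above, and the risk assessment's concern about them, come down to one thing: `unserialize` must never be allowed to instantiate a class from data the administrator did not produce. The following is an added example, not FoxyShop's own code. It runs inside WordPress and shows a guarded replacement for the `tools-page.php:28` pattern. Function names prefixed `example_` are hypothetical; the option name `foxyshop_settings` is taken from that call site, and the `$decrypted` value is constructed inline so the snippet is self-contained.

```php
<?php
// Added example, not FoxyShop's own code. Runs inside WordPress and shows
// how a serialized blob can be restored into an option without PHP object
// injection. Function names prefixed "example_" are hypothetical.

/**
 * True if $value, or anything nested inside it, is an object. After
 * unserialize($blob, ['allowed_classes' => false]) any object in the
 * blob surfaces as __PHP_Incomplete_Class, which this catches.
 */
function example_contains_object($value) {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (example_contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Unserialize a blob that must hold a plain array of scalars and arrays.
 * Returns the array, or null when the blob is malformed or would create
 * any object. WordPress's is_serialized() only checks the string's shape;
 * it gives no such guarantee.
 */
function example_safe_unserialize_array($blob) {
    if (!is_string($blob) || $blob === '') {
        return null;
    }

    // Gate 1, before parsing: refuse object (O:) and custom-serializable
    // (C:) tokens. On PHP < 7.0 unserialize() has no allowed_classes
    // option, so this is the only control that runs before an injected
    // class's __wakeup()/__destruct() could fire. It can reject a benign
    // string that happens to contain such a token; failing closed is the
    // intended direction.
    if (preg_match('/(?:^|[;{])[OC]:\d+:"/', $blob)) {
        return null;
    }

    if (PHP_VERSION_ID >= 70000) {
        // Gate 2: even if gate 1 were bypassed, no class is instantiated.
        $value = @unserialize($blob, array('allowed_classes' => false));
    } else {
        $value = @unserialize($blob);
    }

    if (!is_array($value) || example_contains_object($value)) {
        return null;
    }
    return $value;
}

// Guarded replacement for the tools-page.php:28 pattern. $decrypted is
// constructed here so the snippet is self-contained; in the plugin it is
// whatever the preceding decryption step yields.
$decrypted = array(
    serialize(array('store_domain' => 'example.foxycart.com', 'currency' => 'USD')),
);
$settings = example_safe_unserialize_array($decrypted[0]);
if ($settings === null) {
    wp_die('Import rejected: settings blob is not a plain serialized array.');
}
// update_option() serializes arrays itself, so the clean array is stored
// as-is; the caller-supplied string never reaches the database.
update_option('foxyshop_settings', $settings);
```

Neither the decryption step nor an `is_serialized()` check is an integrity control on the blob; only refusing objects is. Where the export format is under the plugin's control, moving it to JSON removes the problem entirely, since `json_decode()` cannot instantiate classes.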

SQL Query Safety

43% prepared · 14 total queries
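The raw-versus-prepared split above is the first number to act on. As an added example (not the plugin's code, and running inside WordPress with the global `$wpdb`), the interpolation pattern sits beside `$wpdb->prepare()` forms for the three shapes that most often stay unprepared: a simple equality, a variable-length `IN` list, and a `LIKE` search. The meta key `_inventory_levels` and post type `foxyshop_product` appear on this page; `_sku` and the function names are hypothetical.

```php
<?php
// Added example, not FoxyShop's own code; it runs inside WordPress and
// uses the global $wpdb. Meta key _inventory_levels and post type
// foxyshop_product appear on this page; _sku and the function names are
// hypothetical.

/**
 * UNSAFE: $sku comes from the request and is spliced into the SQL text.
 * A value like  x' OR '1'='1  rewrites the WHERE clause.
 */
function example_lookup_sku_unsafe($sku) {
    global $wpdb;
    $sql = "SELECT post_id FROM {$wpdb->postmeta}
            WHERE meta_key = '_sku' AND meta_value = '$sku'";
    return $wpdb->get_var($sql);
}

/**
 * SAFE: every user-controlled value goes through a placeholder.
 * %s is quoted and escaped by prepare(); %d is cast to an integer.
 * Table names stay as {$wpdb->...} interpolation: they are not user input.
 */
function example_lookup_sku($sku) {
    global $wpdb;
    return $wpdb->get_var($wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta}
         WHERE meta_key = %s AND meta_value = %s",
        '_sku',
        $sku
    ));
}

/**
 * SAFE, variable-length IN (...): one %d placeholder per id, then the
 * ids are passed as prepare() arguments. Never implode() raw ids into
 * the query string.
 */
function example_inventory_for_products(array $product_ids) {
    global $wpdb;
    $product_ids = array_values(array_filter(array_map('intval', $product_ids)));
    if (empty($product_ids)) {
        return array();
    }
    $placeholders = implode(',', array_fill(0, count($product_ids), '%d'));
    $sql = $wpdb->prepare(
        "SELECT post_id, meta_value FROM {$wpdb->postmeta}
         WHERE meta_key = %s AND post_id IN ($placeholders)",
        array_merge(array('_inventory_levels'), $product_ids)
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

/**
 * SAFE LIKE: % and _ in the user's term are wildcards, so they must be
 * escaped with $wpdb->esc_like() before the value goes through %s.
 */
function example_search_products($term) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like($term) . '%';
    return $wpdb->get_results($wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_status = 'publish' AND post_title LIKE %s",
        'foxyshop_product',
        $like
    ), ARRAY_A);
}
```

Two details trip reviewers up: `$wpdb->prepare()` accepts the placeholder values either as extra arguments or as a single array (the `IN` case relies on the array form), and a literal `%` inside the query text must be written `%%` so it is not read as a placeholder.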

Output Escaping

89% escaped · 1924 total outputs
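The 208 unescaped outputs and the reflected XSS fixed in 4.8.2 (CVE-2022-1220) are the same defect class. This page does not name the parameter that CVE affected, so the following is an added illustration with hypothetical `foxyshop_search` and `return_url` parameters, not the vulnerable code itself: an echo of request data without escaping, beside the same output with context-specific WordPress escaping. It runs inside WordPress.

```php
<?php
// Added example, not FoxyShop's own code; it runs inside WordPress.
// CVE-2022-1220 is a reflected XSS in versions <= 4.8.1, but this page
// does not name the affected parameter, so foxyshop_search, return_url
// and the function names here are hypothetical.

/**
 * UNSAFE: request data printed straight into HTML, attributes and script.
 * Requesting the page with
 *   ?foxyshop_search=%3Cscript%3Ealert(document.cookie)%3C/script%3E
 * reflects the script into the response of whoever opens that URL.
 */
function example_render_search_unsafe() {
    $term = isset($_GET['foxyshop_search']) ? $_GET['foxyshop_search'] : '';
    $back = isset($_GET['return_url']) ? $_GET['return_url'] : '';
    echo '<h2>Results for ' . $term . '</h2>';
    echo '<input name="foxyshop_search" value="' . $term . '">';
    echo '<a href="' . $back . '">Back</a>';
    echo '<script>var foxyshopSearch = "' . $term . '";</script>';
}

/**
 * SAFE: escaping is chosen by the context the value lands in and applied
 * at the point of output. Sanitizing on input helps but does not replace
 * it, because the same value is printed into several contexts.
 */
function example_render_search() {
    $term = isset($_GET['foxyshop_search'])
        ? sanitize_text_field(wp_unslash($_GET['foxyshop_search']))
        : '';
    $default_back = admin_url('edit.php?post_type=foxyshop_product');
    // wp_validate_redirect() returns the default unless the URL points at
    // this site, which also closes the open-redirect angle.
    $back = isset($_GET['return_url'])
        ? wp_validate_redirect(wp_unslash($_GET['return_url']), $default_back)
        : $default_back;

    // HTML text node
    echo '<h2>Results for ' . esc_html($term) . '</h2>';
    // Quoted HTML attribute: esc_attr() encodes the quote characters
    echo '<input name="foxyshop_search" value="' . esc_attr($term) . '">';
    // URL attribute: esc_url() rejects javascript: and other unsafe schemes
    echo '<a href="' . esc_url($back) . '">Back</a>';
    // Value handed to JavaScript: JSON-encode with the HEX flags so <, >,
    // & and quotes cannot end the string literal or the <script> element
    echo '<script>var foxyshopSearch = '
        . wp_json_encode($term, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT)
        . ';</script>';
}
```

When auditing the 208 flagged outputs, the question for each is "which context does this land in", not "where did the value come from"; a value that is safe as a text node is still unsafe inside an unquoted attribute or an inline script.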
Data Flows · Security
9 unsanitized

Data Flow Analysis

25 flows · 9 with unsanitized paths
foxyshop_customer_management (customers.php:10)
Attack Surface

FoxyShop Attack Surface

Entry Points: 13
Unprotected: 0

AJAX Handlers 9

auth · wp_ajax_foxyshop_display_list_ajax_action · adminajax.php:6
auth · wp_ajax_foxyshop_attribute_manage · adminajax.php:56
auth · wp_ajax_foxyshop_ajax_get_category_list · adminajax.php:86
auth · wp_ajax_foxyshop_ajax_get_category_list_select · adminajax.php:95
auth · wp_ajax_foxyshop_ajax_get_downloadable_list · adminajax.php:104
auth · wp_ajax_foxyshop_set_google_auth · adminajax.php:121
auth · wp_ajax_foxyshop_product_ajax_action · adminajax.php:158
auth · wp_ajax_save_inventory_values · inventory.php:7
auth · wp_ajax_foxyshop_order_history_dashboard_action · widgetcode.php:297
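The `auth` tag on the nine handlers above is read here as "registered on `wp_ajax_{action}`", which fires for any logged-in account, subscribers included. Logged in is not authorized, so a complete handler still needs a nonce and a capability check, and the 8 capability checks counted against 9 AJAX handlers is worth reconciling by hand. The following is an added example, not FoxyShop's code, of what such a handler looks like; the action name, field names and script handle are hypothetical, while `foxyshop_product` and `_inventory_levels` come from this page.

```php
<?php
// Added example, not FoxyShop's own code; it runs inside WordPress.
// Shows a wp_ajax_ handler with the three checks a logged-in-only hook
// still needs: nonce, capability, and input validation. The action name,
// field names and script handle are hypothetical.

add_action('wp_ajax_foxyshop_example_save_inventory', 'foxyshop_example_save_inventory');
// Deliberately NOT registered on wp_ajax_nopriv_foxyshop_example_save_inventory,
// which would expose the handler to anonymous visitors.

function foxyshop_example_save_inventory() {
    // 1. CSRF: the nonce must have been issued for this exact action.
    //    check_ajax_referer() dies with -1 (HTTP 403) on failure.
    check_ajax_referer('foxyshop_example_inventory', 'nonce');

    // 2. Authorization: a subscriber can reach wp_ajax_ hooks, so gate on a
    //    capability that matches the operation, not on is_user_logged_in().
    if (!current_user_can('edit_posts')) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    // 3. Input: cast and validate before touching storage.
    $product_id = isset($_POST['product_id']) ? absint($_POST['product_id']) : 0;
    $levels     = isset($_POST['levels']) && is_array($_POST['levels'])
        ? wp_unslash($_POST['levels'])
        : array();

    if (!$product_id || get_post_type($product_id) !== 'foxyshop_product') {
        wp_send_json_error(array('message' => 'unknown product'), 400);
    }
    // Per-object check: the user must be allowed to edit THIS product.
    if (!current_user_can('edit_post', $product_id)) {
        wp_send_json_error(array('message' => 'forbidden'), 403);
    }

    $clean = array();
    foreach ($levels as $code => $qty) {
        $code = sanitize_key($code);
        if ($code === '') {
            continue;
        }
        $clean[$code] = max(0, intval($qty));
    }

    // update_post_meta() serializes arrays itself; never store a
    // caller-supplied serialized string.
    update_post_meta($product_id, '_inventory_levels', $clean);
    wp_send_json_success(array('saved' => count($clean)));
}

// The browser side must send the nonce; issue it where the page is rendered.
function foxyshop_example_enqueue($hook) {
    wp_enqueue_script(
        'foxyshop-example-admin',
        plugins_url('js/example-admin.js', __FILE__),
        array('jquery'),
        '1.0',
        true
    );
    wp_localize_script('foxyshop-example-admin', 'foxyshopExample', array(
        'ajax_url' => admin_url('admin-ajax.php'),
        'nonce'    => wp_create_nonce('foxyshop_example_inventory'),
    ));
}
add_action('admin_enqueue_scripts', 'foxyshop_example_enqueue');
```

The order matters: the nonce check runs first so that a forged cross-site request is rejected before any capability lookup, and the per-object `edit_post` check comes after the generic one because a contributor may hold `edit_posts` without being allowed to edit someone else's product.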

Shortcodes 4

[productcategory] · shortcodesettings.php:28
[showproduct] · shortcodesettings.php:47
[product] · shortcodesettings.php:75
[productlink] · shortcodesettings.php:101
WordPress Hooks 121
filter · safe_style_css · adminfunctions.php:116
action · admin_notices · adminfunctions.php:200
action · admin_notices · adminfunctions.php:209
action · init · adminfunctions.php:612
action · admin_print_footer_scripts · bulkeditor.php:352
action · cfbe_before_metabox · bulkeditor.php:355
action · cfbe_save_fields · bulkeditor.php:497
action · admin_menu · categorysorting.php:6
action · admin_print_footer_scripts · categorysorting.php:156
action · admin_menu · customers.php:5
action · admin_print_footer_scripts · customers.php:277
action · init · customposttype.php:8
action · after_setup_theme · customposttype.php:98
filter · manage_edit-foxyshop_product_columns · customposttype.php:110
action · manage_posts_custom_column · customposttype.php:127
action · restrict_manage_posts · customposttype.php:205
filter · post_updated_messages · customposttype.php:240
action · admin_init · customposttype.php:264
action · admin_print_scripts · customposttype.php:316
action · save_post · customposttype.php:326
action · admin_print_footer_scripts · customposttype.php:1067
action · admin_menu · customsorting.php:6
action · save_post · customsorting.php:11
action · admin_print_footer_scripts · customsorting.php:216
action · init · foxyshop.php:79
action · admin_enqueue_scripts · foxyshop.php:87
action · wp_enqueue_scripts · foxyshop.php:91
action · init · foxyshop.php:93
filter · plugin_action_links · foxyshop.php:148
action · admin_init · googleproductfeed.php:10
action · admin_menu · googleproductfeed.php:296
action · admin_init · googleproductfeed.php:297
action · admin_notices · googleproductfeed.php:316
action · admin_print_footer_scripts · googleproductfeed.php:409
action · admin_init · googleproductfeed.php:733
filter · script_loader_tag · helperfunctions.php:41
filter · posts_orderby · helperfunctions.php:1354
filter · posts_orderby · helperfunctions.php:1428
action · admin_init · inventory.php:16
action · admin_menu · inventory.php:45
action · admin_print_footer_scripts · inventory.php:276
action · admin_init · orders.php:5
action · admin_init · orders.php:23
action · admin_init · orders.php:28
action · admin_init · orders.php:30
action · admin_init · orders.php:32
action · admin_menu · orders.php:96
action · admin_print_footer_scripts · orders.php:703
action · admin_init · productfeed.php:9
action · admin_menu · productfeed.php:239
action · admin_init · productfeed.php:240
action · admin_print_footer_scripts · productfeed.php:342
action · admin_init · productfeed.php:655
action · admin_init · settings-page.php:6
action · admin_menu · settings-page.php:135
action · admin_print_footer_scripts · settings-page.php:758
action · admin_notices · setup-page.php:6
action · admin_menu · setup-page.php:15
action · admin_init · setup-page.php:16
action · admin_print_footer_scripts · setup-page.php:180
action · profile_update · sso.php:6
action · user_register · sso.php:7
action · password_reset · sso.php:8
filter · login_message · sso.php:97
action · login_head · sso.php:98
action · admin_init · sso.php:123
action · show_user_profile · sso.php:125
action · edit_user_profile · sso.php:126
action · personal_options_update · sso.php:127
action · edit_user_profile_update · sso.php:128
filter · site_url · sso.php:192
action · admin_menu · subscriptions.php:5
action · admin_print_footer_scripts · subscriptions.php:436
action · template_redirect · templateredirect.php:6
action · wp_head · templateredirect.php:73
filter · wp_title · templateredirect.php:74
filter · body_class · templateredirect.php:75
filter · template_include · templateredirect.php:78
filter · wp_title · templateredirect.php:88
filter · body_class · templateredirect.php:89
filter · template_include · templateredirect.php:93
filter · wp_title · templateredirect.php:103
filter · body_class · templateredirect.php:104
filter · template_include · templateredirect.php:107
filter · wp_title · templateredirect.php:118
filter · body_class · templateredirect.php:119
filter · template_include · templateredirect.php:123
filter · wp_title · templateredirect.php:128
filter · body_class · templateredirect.php:129
filter · template_include · templateredirect.php:133
filter · body_class · templateredirect.php:137
filter · wp_title · templateredirect.php:160
filter · body_class · templateredirect.php:161
action · wp_print_scripts · templateredirect.php:165
filter · wp_title · templateredirect.php:175
filter · body_class · templateredirect.php:176
action · wp_print_scripts · templateredirect.php:180
action · wp_enqueue_scripts · themefiles\foxyshop-checkout-template-2.php:19
action · wp_head · themefiles\foxyshop-checkout-template-2.php:26
action · wp_head · themefiles\foxyshop-checkout-template-2.php:27
action · wp_head · themefiles\foxyshop-checkout-template-2.php:32
action · wp_enqueue_scripts · themefiles\foxyshop-checkout-template.php:18
action · wp_footer · themefiles\foxyshop-checkout-template.php:24
action · wp_head · themefiles\foxyshop-checkout-template.php:27
action · wp_head · themefiles\foxyshop-checkout-template.php:28
action · wp_head · themefiles\foxyshop-checkout-template.php:33
action · wp_enqueue_scripts · themefiles\foxyshop-receipt-template-2.php:19
action · wp_head · themefiles\foxyshop-receipt-template-2.php:26
action · wp_head · themefiles\foxyshop-receipt-template-2.php:27
action · wp_head · themefiles\foxyshop-receipt-template-2.php:32
action · wp_enqueue_scripts · themefiles\foxyshop-receipt-template.php:18
action · wp_footer · themefiles\foxyshop-receipt-template.php:24
action · wp_head · themefiles\foxyshop-receipt-template.php:27
action · wp_head · themefiles\foxyshop-receipt-template.php:28
action · wp_head · themefiles\foxyshop-receipt-template.php:33
action · admin_init · tools-page.php:5
action · admin_menu · tools-page.php:170
action · admin_print_footer_scripts · tools-page.php:887
action · widgets_init · widgetcode.php:5
action · wp_dashboard_setup · widgetcode.php:296
action · admin_print_footer_scripts · widgetcode.php:347
Maintenance & Trust

FoxyShop Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Mar 10, 2025
PHP min version: 5.3
Downloads: 36K

Community Trust

Rating: 90/100
Number of ratings: 8
Active installs: 90
Developer Profile

FoxyShop Developer Profile

sparkweb

2 plugins · 120 total installs

Trust score: 71
Avg Security Score: 89/100
Avg Patch Time: 586 days
Detection Fingerprints

How We Detect FoxyShop

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling. Treat the REST endpoints and shortcode tags below as candidate patterns to confirm against a live install: the attack surface inventory above records four shortcodes ([productcategory], [showproduct], [product], [productlink]) and no REST routes, and none of the endpoint or shortcode names listed here appear in it.

Asset Fingerprints

Asset Paths
/wp-content/plugins/foxyshop/css/foxyshop-admin.css
/wp-content/plugins/foxyshop/css/foxyshop-public.css
/wp-content/plugins/foxyshop/js/foxyshop-admin.js
/wp-content/plugins/foxyshop/js/foxyshop-public.js
/wp-content/plugins/foxyshop/js/foxyshop-cart.js
/wp-content/plugins/foxyshop/js/foxyshop-checkout.js
/wp-content/plugins/foxyshop/js/foxyshop-admin-ajax.js
/wp-content/plugins/foxyshop/js/foxyshop-woo.js
Generator Patterns
FoxyShop
Script Paths
/wp-content/plugins/foxyshop/js/foxyshop-public.js
/wp-content/plugins/foxyshop/js/foxyshop-cart.js
/wp-content/plugins/foxyshop/js/foxyshop-checkout.js
Version Parameters
foxyshop.js?ver= · foxyshop-admin.js?ver= · foxyshop-cart.js?ver= · foxyshop-checkout.js?ver= · foxyshop-admin.css?ver= · foxyshop-public.css?ver=

HTML / DOM Fingerprints

CSS Classes
foxyshop · foxyshop-widget · foxyshop-cart-widget · foxyshop-checkout-form · foxyshop-product-details · foxyshop-product-image · foxyshop-product-title · foxyshop-product-price · +3 more
HTML Comments
<!-- FoxyShop --> · <!-- FoxyShop Settings --> · <!-- FoxyShop Admin --> · <!-- FoxyShop Public --> · +2 more
Data Attributes
data-foxyshop-product-id · data-foxyshop-variant-id · data-foxyshop-product-price · data-foxyshop-cart-item-id · data-foxyshop-quantity · data-foxyshop-checkout-url · +9 more
JS Globals
foxyshop_params · foxyshop_cart · foxyshop_checkout
REST Endpoints
/wp-json/foxyshop/v1/products
/wp-json/foxyshop/v1/cart
/wp-json/foxyshop/v1/checkout
Shortcode Output
[foxyshop_cart] · [foxyshop_checkout] · [foxyshop_products] · [foxyshop_product_details]
FAQ

Frequently Asked Questions about FoxyShop