Search, Filters & Merchandising for WooCommerce Security & Risk Analysis

wordpress.org/plugins/instantsearch-for-woocommerce

Maximize your store sales with this easy-to-install plugin. Give shoppers a well-designed advanced search bar with live search suggestions.

200 active installs · v3.0.68 · PHP 7.0+ · WP 3.3+ · Updated Dec 9, 2025
Tags: merchandising, product-search, relevance, search-filters, woocommerce-search
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Dec 5, 2025
Safety Verdict

Is Search, Filters & Merchandising for WooCommerce Safe to Use in 2026?

Generally Safe

Score 98/100

Search, Filters & Merchandising for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Dec 5, 2025 · Updated 5mo ago
Risk Assessment

The "instantsearch-for-woocommerce" v3.0.68 plugin exhibits a mixed security posture. It demonstrates good practices, such as using prepared statements for all SQL queries and escaping a reasonable percentage of output, but several areas raise concerns. The three unprotected AJAX handlers significantly expand the attack surface and could allow unauthorized actions if these endpoints are exploitable. The vulnerability history shows two known medium-severity CVEs, including one related to missing authorization; this recurring pattern warrants attention, even though none are currently unpatched.

The static analysis reveals a relatively small attack surface in terms of REST API routes and shortcodes, but the unprotected AJAX endpoints are a notable weakness. The taint analysis did not uncover any critical or high-severity unsanitized flows, which is a positive sign. However, the 68% output escaping rate means that nearly a third of outputs are not properly escaped, leaving room for potential Cross-Site Scripting (XSS) vulnerabilities, especially since XSS already appears in the plugin's vulnerability history.

Overall, the plugin has strengths in its SQL handling and lack of critical taint flows. However, the unprotected AJAX endpoints and the historical pattern of missing authorization and XSS vulnerabilities, coupled with incomplete output escaping, indicate a need for continued vigilance and security review. Users should be aware that while no critical vulnerabilities are currently identified, the plugin's architecture presents opportunities for attackers if proper security measures are not implemented at the application or server level.

Key Concerns

  • 3 unprotected AJAX handlers
  • 32% of outputs not properly escaped
  • 2 medium severity CVEs in history
  • 1 missing nonce check
Vulnerabilities
2 published

Search, Filters & Merchandising for WooCommerce Security Vulnerabilities

CVEs by Year

2 CVEs in 2025

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-12091 · medium · 4.3 · Missing Authorization

Search, Filters & Merchandising for WooCommerce <= 3.0.67 - Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation

Dec 5, 2025 · Patched in 3.0.68 (4d)

CVE-2025-32181 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Search, Filters & Merchandising for WooCommerce <= 3.0.58 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 4, 2025 · Patched in 3.0.59 (43d)
Version History

Search, Filters & Merchandising for WooCommerce Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Search, Filters & Merchandising for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 44 (93 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 8
External Requests: 16
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

68% escaped · 137 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
save_email (public\wcis_plugin.php:1074)
Attack Surface
3 unprotected

Search, Filters & Merchandising for WooCommerce Attack Surface

Entry Points: 6
Unprotected: 3

AJAX Handlers 4

auth wp_ajax_woocommerce_remove_variations public\wcis_plugin.php:123
auth wp_ajax_wcis_dismiss_just_created public\wcis_plugin.php:191
auth wp_ajax_wcis_dismiss_alert public\wcis_plugin.php:192
auth wp_ajax_wcis_dismiss_notification public\wcis_plugin.php:193

Shortcodes 2

[isp_search_box] instantsearch-for-woocommerce.php:47
[wcis_serp_results] instantsearch-for-woocommerce.php:48
WordPress Hooks 70
filter block_categories_all blocks\wcis_blocks.php:16
action init blocks\wcis_blocks.php:43
filter script_loader_tag public\upsell_widgets.php:232
action init public\wcis_plugin.php:96
filter request public\wcis_plugin.php:101
filter page_rewrite_rules public\wcis_plugin.php:105
action permalink_structure_changed public\wcis_plugin.php:109
action wpmu_new_blog public\wcis_plugin.php:112
action admin_post_nopriv_schedule_ids_update public\wcis_plugin.php:113
action woocommerce_product_quick_edit_save public\wcis_plugin.php:117
action woocommerce_save_product_variation public\wcis_plugin.php:118
action save_post public\wcis_plugin.php:119
action wclsi_update_product public\wcis_plugin.php:120
action woocommerce_product_import_inserted_product_object public\wcis_plugin.php:121
action trashed_post public\wcis_plugin.php:122
action before_delete_post public\wcis_plugin.php:124
action woocommerce_rest_insert_product_object public\wcis_plugin.php:125
action woocommerce_rest_delete_product_object public\wcis_plugin.php:126
action woocommerce_order_status_on-hold public\wcis_plugin.php:131
action woocommerce_order_status_processing public\wcis_plugin.php:132
action woocommerce_order_status_pending public\wcis_plugin.php:133
action woocommerce_add_to_cart public\wcis_plugin.php:136
action woocommerce_checkout_order_processed public\wcis_plugin.php:137
action woocommerce_cart_item_removed public\wcis_plugin.php:138
action edit_product_cat public\wcis_plugin.php:140
action create_product_cat public\wcis_plugin.php:141
action delete_product_cat public\wcis_plugin.php:142
action woocommerce_admin_css public\wcis_plugin.php:149
action wp_enqueue_scripts public\wcis_plugin.php:150
filter script_loader_tag public\wcis_plugin.php:152
action parse_request public\wcis_plugin.php:154
filter query_vars public\wcis_plugin.php:155
action instantsearchplus_cron_request_event public\wcis_plugin.php:158
action instantsearchplus_cron_request_event_backup public\wcis_plugin.php:159
action instantsearchplus_cron_check_alerst public\wcis_plugin.php:160
action instantsearchplus_send_logging_record public\wcis_plugin.php:161
action instantsearchplus_send_all_categories public\wcis_plugin.php:163
action instantsearchplus_send_batches_if_unreachable public\wcis_plugin.php:164
filter posts_search public\wcis_plugin.php:167
action pre_get_posts public\wcis_plugin.php:168
filter post_limits public\wcis_plugin.php:169
filter the_posts public\wcis_plugin.php:170
filter the_title public\wcis_plugin.php:172
filter the_content public\wcis_plugin.php:173
filter the_excerpt public\wcis_plugin.php:174
filter the_tags public\wcis_plugin.php:175
action admin_notices public\wcis_plugin.php:178
action admin_init public\wcis_plugin.php:179
action admin_menu public\wcis_plugin.php:181
action admin_head public\wcis_plugin.php:182
filter woocommerce_integrations public\wcis_plugin.php:185
action widgets_init public\wcis_plugin.php:188
action woocommerce_scheduled_sales public\wcis_plugin.php:190
filter wc_get_template public\wcis_plugin.php:197
filter template_include public\wcis_plugin.php:198
filter rocket_minify_excluded_external_js public\wcis_plugin.php:202
filter rocket_exclude_defer_js public\wcis_plugin.php:203
action before_woocommerce_init public\wcis_plugin.php:206
action admin_post_wcis_save_email public\wcis_plugin.php:207
action admin_footer public\wcis_plugin.php:210
action wp_footer public\wcis_plugin.php:212
action admin_notices public\wcis_plugin.php:1107
action pre_get_posts public\wcis_plugin.php:2983
action pre_get_posts public\wcis_plugin.php:3079
action pre_get_posts public\wcis_plugin.php:3109
filter woocommerce_product_get_regular_price public\wcis_plugin.php:3142
filter woocommerce_product_get_sale_price public\wcis_plugin.php:3145
action pre_get_posts public\wcis_plugin.php:3835
filter woocommerce_product_get_regular_price public\wcis_plugin.php:3982
filter woocommerce_product_get_sale_price public\wcis_plugin.php:3985

Scheduled Events 12

instantsearchplus_cron_check_alerst
instantsearchplus_send_all_categories
instantsearchplus_cron_request_event
instantsearchplus_cron_request_event
instantsearchplus_send_batches_if_unreachable
instantsearchplus_cron_request_event
instantsearchplus_cron_request_event
instantsearchplus_cron_request_event
instantsearchplus_cron_request_event
instantsearchplus_send_batches_if_unreachable
instantsearchplus_cron_request_event_backup
instantsearchplus_cron_request_event
Maintenance & Trust

Search, Filters & Merchandising for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 9, 2025
PHP min version: 7.0
Downloads: 215K

Community Trust

Rating: 92/100
Number of ratings: 169
Active installs: 200
Developer Profile

Search, Filters & Merchandising for WooCommerce Developer Profile

Fast Simon

1 plugin · 200 total installs

Trust score: 93
Avg Security Score: 98/100
Avg Patch Time: 24 days
Detection Fingerprints

How We Detect Search, Filters & Merchandising for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/instantsearch-for-woocommerce/public/assets/css/wcis-main.css
  • /wp-content/plugins/instantsearch-for-woocommerce/public/assets/js/wcis-frontend.js
  • /wp-content/plugins/instantsearch-for-woocommerce/widget/assets/css/wcis-widget.css
  • /wp-content/plugins/instantsearch-for-woocommerce/widget/assets/js/wcis-widget.js
  • /wp-content/plugins/instantsearch-for-woocommerce/public/assets/css/instantsearch.css
  • /wp-content/plugins/instantsearch-for-woocommerce/public/assets/js/instantsearch.js
  • /wp-content/plugins/instantsearch-for-woocommerce/blocks/assets/js/wcis-block-frontend.js
  • /wp-content/plugins/instantsearch-for-woocommerce/blocks/assets/css/wcis-block-frontend.css
  • +1 more
Script Paths
  • https://acp-magento.appspot.com/js/acp-magento.js
  • https://static-autocomplete.fastsimon.com/fast-simon-autocomplete-init.umd.js?
Version Parameters
  • instantsearch-for-woocommerce/public/assets/css/wcis-main.css?ver=
  • instantsearch-for-woocommerce/public/assets/js/wcis-frontend.js?ver=
  • instantsearch-for-woocommerce/widget/assets/css/wcis-widget.css?ver=
  • instantsearch-for-woocommerce/widget/assets/js/wcis-widget.js?ver=
  • instantsearch-for-woocommerce/public/assets/css/instantsearch.css?ver=
  • instantsearch-for-woocommerce/public/assets/js/instantsearch.js?ver=
  • instantsearch-for-woocommerce/blocks/assets/js/wcis-block-frontend.js?ver=
  • instantsearch-for-woocommerce/blocks/assets/css/wcis-block-frontend.css?ver=
  • instantsearch-for-woocommerce/public/assets/js/wcis-product-search.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wcis-search-form
  • isp_search_box
  • wcis_serp_results
  • fast_simon_upsell_widget
  • fs-upsell-container
  • fs-upsell-products
  • fs-upsell-product-item
HTML Comments
  • WCIS: SERP RESULTS SECTION
  • WCIS: SEARCH BOX
  • WCIS: UPSELL WIDGET
Data Attributes
  • data-wcis-search-instance-id
  • data-wcis-serp-instance-id
  • data-wcis-category-instance-id
  • data-wcis-upsell-widget-id
JS Globals
  • WCISCategory
  • WCISAutocomplete
  • WCISPlugin
  • WCISUpsellWidget
Shortcode Output
  • [isp_search_box]
  • [wcis_serp_results]
  • [fast_simon_upsell_widget]
FAQ

Frequently Asked Questions about Search, Filters & Merchandising for WooCommerce