Merchium Shopping Cart Security & Risk Analysis

wordpress.org/plugins/merchium

Merchium is a powerful online store right in your WordPress blog. Get started in seconds!

10 active installs · v1.0.4 · PHP + WP 3.6+ · Updated May 20, 2015
Tags: ecommerce, merchium, shop, store, storefront
Score: 85 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Merchium Shopping Cart Safe to Use in 2026?

Generally Safe

Score 85/100

Merchium Shopping Cart has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 10 yr ago
Risk Assessment

The Merchium v1.0.4 plugin exhibits a mixed security posture. While it demonstrates good practices by not utilizing dangerous functions, avoiding raw SQL queries, and having no recorded vulnerabilities, significant concerns arise from its attack surface and output escaping. The presence of three unprotected AJAX handlers represents a considerable risk, as these entry points are susceptible to unauthorized access and manipulation if not properly secured. Furthermore, the very low percentage of properly escaped output (10%) is a critical weakness, suggesting a high probability of cross-site scripting (XSS) vulnerabilities being present. The taint analysis, while indicating no critical or high severity flows, did identify two flows with unsanitized paths, which could potentially be exploited in conjunction with the output escaping issues.

Despite the lack of historical CVEs and a seemingly clean vulnerability record, the static analysis reveals fundamental security shortcomings that could be actively exploited. The combination of easily accessible AJAX endpoints and widespread unescaped output creates a fertile ground for attackers. The absence of nonce checks and capability checks on these AJAX handlers exacerbates this risk. In conclusion, while the plugin avoids certain common pitfalls, the identified vulnerabilities in its attack surface and output sanitization necessitate immediate attention to mitigate the risk of XSS and unauthorized access.

Key Concerns

  • Unprotected AJAX handlers
  • Low output escaping rate
  • Unsanitized paths in taint flows
  • Missing nonce checks
  • Missing capability checks
Vulnerabilities
None known

Merchium Shopping Cart Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Merchium Shopping Cart Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 18 (2 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 0
Bundled Libraries: 0

Output Escaping

10% escaped · 20 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
merchium_ajax_request (php\fn.core.php:293)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
3 unprotected

Merchium Shopping Cart Attack Surface

Entry Points: 4
Unprotected: 3

AJAX Handlers 3

  • auth · wp_ajax_merchium_hide_vote_message · merchium.php:41
  • auth · wp_ajax_merchium_form · merchium.php:45
  • nopriv · wp_ajax_merchium_form · merchium.php:46

Shortcodes 1

  • [merchium_store] · merchium.php:50
WordPress Hooks 17
  • action · admin_menu · merchium.php:37
  • action · admin_init · merchium.php:38
  • action · admin_enqueue_scripts · merchium.php:39
  • action · admin_notices · merchium.php:40
  • filter · plugin_action_links_merchium_wp/merchium.php · merchium.php:42
  • action · pre_update_option_merchium_widget_code · merchium.php:43
  • action · sm_buildmap · merchium.php:44
  • action · wp_title · merchium.php:51
  • action · wp_head · merchium.php:52
  • action · wp_enqueue_scripts · merchium.php:53
  • action · wp · merchium.php:56
  • action · plugins_loaded · merchium.php:57
  • action · wp_title · merchium.php:58
  • action · wp_head · merchium.php:59
  • action · plugins_loaded · merchium.php:64
  • filter · aioseop_title · php\fn.compatibility.php:52
  • filter · aioseop_description · php\fn.compatibility.php:53
Maintenance & Trust

Merchium Shopping Cart Maintenance & Trust

Maintenance Signals

WordPress version tested: 4.1.42
Last updated: May 20, 2015
PHP min version:
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 10
Developer Profile

Merchium Shopping Cart Developer Profile

merchium

2 plugins · 20 total installs

Trust score: 84
Avg Security Score: 85/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Merchium Shopping Cart

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/merchium/css/admin.css
  • /wp-content/plugins/merchium/css/admin-3.8.css
  • /wp-content/plugins/merchium/css/frontend.css
  • /wp-content/plugins/merchium/js/admin.js
  • /wp-content/plugins/merchium/js/frontend-fragment.js
Script Paths
  • /wp-content/plugins/merchium/js/admin.js
  • /wp-content/plugins/merchium/js/frontend-fragment.js
Version Parameters
  • merchium/css/admin.css?ver=
  • merchium/css/admin-3.8.css?ver=
  • merchium/css/frontend.css?ver=
  • merchium/js/admin.js?ver=
  • merchium/js/frontend-fragment.js?ver=

HTML / DOM Fingerprints

CSS Classes
merchium-store-page
HTML Comments
  • Merchium code. Please do not remove this line or your Merchium shopping cart will not work properly.
  • Merchium code end
Data Attributes
merchium_store
JS Globals
merchium_opts
Shortcode Output
[merchium_store]
FAQ

Frequently Asked Questions about Merchium Shopping Cart