Mysterx – Mystery Boxes for WooCommerce Security & Risk Analysis

wordpress.org/plugins/mysterx-mystery-boxes-for-woocommerce

WooCommerce addon that implements custom product type "Mystery box" which enables you to offer and sell loot boxes - similar to those found …

0 active installs v1.0.0 PHP + WP 6.2+ Updated Apr 15, 2026
loot-box, marketing, mystery-box, prize-box, woocommerce
100 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Mysterx – Mystery Boxes for WooCommerce Safe to Use in 2026?

Generally Safe

Score 100/100

Mysterx – Mystery Boxes for WooCommerce has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The plugin "mysterx-mystery-boxes-for-woocommerce" v1.0.0 exhibits a mixed security posture. While it demonstrates good practices in critical areas like SQL query handling (100% prepared statements) and output escaping (98%), there are significant concerns regarding its attack surface and taint analysis. The presence of one unprotected AJAX handler is a primary risk, as it can be triggered without proper authentication. This is exacerbated by two taint flows identified as having unsanitized paths with high severity, indicating potential vulnerabilities that could be exploited through user-supplied input. The plugin's vulnerability history is clean, with zero known CVEs, which is a positive indicator of its past security. However, the current code analysis reveals potential weaknesses that could lead to future vulnerabilities. Overall, the plugin has strong internal code hygiene for SQL and output, but the unprotected entry point and high-severity taint flows represent immediate security risks that require attention.

Key Concerns

  • Unprotected AJAX handler
  • High severity unsanitized taint flow (2)
  • Bundled outdated library (Freemius v1.0)
Vulnerabilities
None known

Mysterx – Mystery Boxes for WooCommerce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Mysterx – Mystery Boxes for WooCommerce Release Timeline

v1.0.0 · Current
Code Analysis
Analyzed Apr 16, 2026

Mysterx – Mystery Boxes for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (48 prepared)
Unescaped Output: 4 (247 escaped)
Nonce Checks: 2
Capability Checks: 2
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Freemius 1.0

SQL Query Safety

100% prepared · 48 total queries

Output Escaping

98% escaped · 251 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
wc_open_box_ajax (public/class-mysterx-public.php:332)
Diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
1 unprotected

Mysterx – Mystery Boxes for WooCommerce Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_wc_open_box · includes/class-mysterx.php:221
WordPress Hooks 57
action · admin_menu · admin/class-mysterx-settings.php:30
action · admin_init · admin/class-mysterx-settings.php:31
action · admin_enqueue_scripts · admin/class-mysterx-settings.php:32
action · woocommerce_order_status_reward_notification · admin/emails/class-mysterx-email-new-reward.php:43
action · woocommerce_email_footer · admin/emails/class-mysterx-email-new-reward.php:44
action · init · includes/class-mysterx.php:165
action · wc_order_statuses · includes/class-mysterx.php:166
action · admin_enqueue_scripts · includes/class-mysterx.php:168
action · admin_enqueue_scripts · includes/class-mysterx.php:169
filter · woocommerce_product_class · includes/class-mysterx.php:170
action · product_type_selector · includes/class-mysterx.php:172
filter · woocommerce_product_data_tabs · includes/class-mysterx.php:173
action · woocommerce_product_data_panels · includes/class-mysterx.php:174
action · woocommerce_process_product_meta · includes/class-mysterx.php:176
action · woocommerce_order_status_processing · includes/class-mysterx.php:177
action · woocommerce_order_status_completed · includes/class-mysterx.php:178
action · woocommerce_order_status_cancelled · includes/class-mysterx.php:179
action · woocommerce_order_status_refunded · includes/class-mysterx.php:180
action · woocommerce_order_status_cancelled · includes/class-mysterx.php:181
action · woocommerce_order_status_failed · includes/class-mysterx.php:182
action · admin_menu · includes/class-mysterx.php:184
filter · parent_file · includes/class-mysterx.php:185
filter · submenu_file · includes/class-mysterx.php:186
filter · get_edit_post_link · includes/class-mysterx.php:187
filter · woocommerce_product_get_virtual · includes/class-mysterx.php:189
filter · woocommerce_product_get_downloadable · includes/class-mysterx.php:190
action · current_screen · includes/class-mysterx.php:192
filter · get_edit_post_link · includes/class-mysterx.php:193
filter · woocommerce_payment_complete_reduce_order_stock_statuses · includes/class-mysterx.php:194
filter · woocommerce_email_classes · includes/class-mysterx.php:196
action · woocommerce_order_status_reward · includes/class-mysterx.php:197
action · wp_enqueue_scripts · includes/class-mysterx.php:211
action · wp_enqueue_scripts · includes/class-mysterx.php:212
filter · woocommerce_locate_template · includes/class-mysterx.php:214
filter · init · includes/class-mysterx.php:216
filter · woocommerce_account_menu_items · includes/class-mysterx.php:217
filter · woocommerce_account_mysterx-wins_endpoint · includes/class-mysterx.php:218
filter · woocommerce_account_mysterx_endpoint · includes/class-mysterx.php:219
filter · woocommerce_loop_add_to_cart_args · includes/class-mysterx.php:220
filter · woocommerce_product_add_to_cart_url · includes/class-mysterx.php:222
filter · woocommerce_is_purchasable · includes/class-mysterx.php:223
filter · woocommerce_loop_add_to_cart_link · includes/class-mysterx.php:224
filter · woocommerce_loop_product_link · includes/class-mysterx.php:225
action · init · includes/class-mysterx.php:227
action · woocommerce_after_shop_loop_item · includes/class-mysterx.php:228
action · woocommerce_single_product_summary · includes/class-mysterx.php:229
action · woocommerce_after_shop_loop_item · includes/class-mysterx.php:230
action · woocommerce_shop_loop_item_title · includes/class-mysterx.php:232
action · woocommerce_mysterx_add_to_cart · includes/class-mysterx.php:233
action · woocommerce_single_product_summary · includes/class-mysterx.php:234
action · wp_footer · includes/class-mysterx.php:235
action · wp_footer · includes/class-mysterx.php:236
filter · is_show_go_pro_menu · mysterx.php:79
filter · menu_go_pro_label · mysterx.php:80
action · woocommerce_init · mysterx.php:126
action · before_woocommerce_init · mysterx.php:127
action · woocommerce_product_is_visible · public/class-mysterx-shortcode.php:739
Maintenance & Trust

Mysterx – Mystery Boxes for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 15, 2026
PHP min version
Downloads: 0

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Mysterx – Mystery Boxes for WooCommerce Developer Profile

wpgenie2

10 plugins · 3K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Mysterx – Mystery Boxes for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mysterx-mystery-boxes-for-woocommerce/admin/css/mysterx-admin.css
/wp-content/plugins/mysterx-mystery-boxes-for-woocommerce/admin/js/mysterx-admin.js
/wp-content/plugins/mysterx-mystery-boxes-for-woocommerce/public/css/mysterx-public.css
/wp-content/plugins/mysterx-mystery-boxes-for-woocommerce/public/js/mysterx-public.js
/wp-content/plugins/mysterx-mystery-boxes-for-woocommerce/vendor/freemius/freemius-sdk/start.php
Script Paths
/wp-content/plugins/mysterx-mystery-boxes-for-woocommerce/admin/js/mysterx-admin.js
/wp-content/plugins/mysterx-mystery-boxes-for-woocommerce/public/js/mysterx-public.js
Version Parameters
mysterx-mystery-boxes-for-woocommerce/admin/css/mysterx-admin.css?ver=
mysterx-mystery-boxes-for-woocommerce/admin/js/mysterx-admin.js?ver=
mysterx-mystery-boxes-for-woocommerce/public/css/mysterx-public.css?ver=
mysterx-mystery-boxes-for-woocommerce/public/js/mysterx-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
mysterx-admin-wrap
mysterx-product-wrap
HTML Comments
<!-- Start of Mysterx Mystery Boxes for WooCommerce -->
<!-- End of Mysterx Mystery Boxes for WooCommerce -->
Data Attributes
data-mysterx-product-id
JS Globals
MYSTERX_ADMIN
mysterx_public_params
REST Endpoints
/wp-json/mysterx/v1/get_products
/wp-json/mysterx/v1/open_box
Shortcode Output
[mysterx_box]
FAQ

Frequently Asked Questions about Mysterx – Mystery Boxes for WooCommerce