RomanCart Ecommerce Security & Risk Analysis

wordpress.org/plugins/romancart-ecommerce

Add Buy Buttons, Widgets or an entire Storefront to your pages and sell products, tickets and digital downloads in minutes.

20 active installs v2.0.8 PHP + WP 1.0.2+ Updated Dec 3, 2025
buy-buttonsecommerce-pluginromancartsell-downloadsshopping-cart
78
B · Generally Safe
CVEs total1
Unpatched1
Last CVEJun 8, 2026
Safety Verdict

Is RomanCart Ecommerce Safe to Use in 2026?

Mostly Safe

Score 78/100

RomanCart Ecommerce is generally safe to use. 1 past CVE were resolved.

1 known CVE 1 unpatched Last CVE: Jun 8, 2026Updated 7mo ago
Risk Assessment

The plugin 'romancart-ecommerce' v2.0.8 exhibits a strong security posture based on the provided static analysis. The absence of dangerous functions, raw SQL queries, unescaped output, and file operations is highly commendable. Furthermore, the presence of nonce and capability checks indicates good development practices for securing entry points.

The taint analysis reveals no critical or high-severity flows with unsanitized paths, suggesting that user-supplied data is handled securely and does not pose an immediate risk of injection attacks. The plugin's vulnerability history is also clean, with no recorded CVEs, which implies a stable and potentially well-maintained codebase.

While the static analysis shows excellent adherence to security best practices, the total entry points being 4 shortcodes is a notable aspect. Although they are reported as unprotected (0 without auth checks), it's essential to ensure that the implementation within these shortcodes truly enforces appropriate authorization and sanitization. The overall security is good, but the limited attack surface without specific authorization checks on shortcodes warrants careful consideration and verification during dynamic testing.

Key Concerns

  • Shortcodes without explicit auth checks
Vulnerabilities
1 published

RomanCart Ecommerce Security Vulnerabilities

CVEs by Year

1 CVE in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2026-8880medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

RomanCart Ecommerce <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Jun 8, 2026Unpatched
Version History

RomanCart Ecommerce Release Timeline

v2.0.8Current1 CVE
v2.0.71 CVE
v2.0.61 CVE
v2.0.51 CVE
v2.0.41 CVE
v2.0.31 CVE
v2.0.21 CVE
v2.0.11 CVE
v2.01 CVE
v1.01 CVE
Code Analysis
Analyzed Mar 16, 2026

RomanCart Ecommerce Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
0
10 escaped
Nonce Checks
1
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

100% escaped10 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
romancart_adminpage (romancart_ecommerce.php:36)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface

RomanCart Ecommerce Attack Surface

Entry Points4
Unprotected0

Shortcodes 4

[romancart_storefront] romancart_ecommerce.php:136
[romancart_button] romancart_ecommerce.php:165
[romancart_link] romancart_ecommerce.php:194
[romancart_widget] romancart_ecommerce.php:214
WordPress Hooks 2
actionadmin_menuromancart_ecommerce.php:31
actionwp_enqueue_scriptsromancart_ecommerce.php:227
Maintenance & Trust

RomanCart Ecommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedDec 3, 2025
PHP min version
Downloads5K

Community Trust

Rating100/100
Number of ratings1
Active installs20
Developer Profile

RomanCart Ecommerce Developer Profile

romancartsupport

1 plugin · 20 total installs

79
trust score
Avg Security Score
78/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect RomanCart Ecommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/romancart-ecommerce/css/rc-style.css
Script Paths
https://remote.romancart.com/display.asp
Version Parameters
romancart-ecommerce/css/rc-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
ROC_SettingsFormROC_cartROC_catnavROC_displayROC_loading_image
Data Attributes
id="ROC_cart"id="ROC_catnav"id="ROC_display"id="ROC_loading_image"name="ROC_SettingsForm"
Shortcode Output
[romancart_button][romancart_link][romancart_storefront][romancart_widget]
FAQ

Frequently Asked Questions about RomanCart Ecommerce