Does Sell Downloads have any unpatched vulnerabilities?

No. All known vulnerabilities in Sell Downloads have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Sell Downloads compatible with WordPress 6.9.4?

According to WordPress.org data, Sell Downloads 1.2.0 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is Sell Downloads updated?

Sell Downloads was last updated on Jan 15, 2026. Frequent updates are generally a positive security signal.

What is Sell Downloads's security score?

Sell Downloads has a WP-Safety security score of 93/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Sell Downloads Security & Risk Analysis

wordpress.org/plugins/sell-downloads

Sell Downloads is an WordPress eCommerce for selling downloadable files: audio, video, documents, pictures all that may be published in Internet.

100 active installs v1.2.0 PHP + WP 3.5.0+ Updated Jan 15, 2026

ecommercesalessell-downloadsshopstore

A · Safe

CVEs total3

Unpatched0

Last CVEDec 30, 2025

Plugin page Download

Safety Verdict

Is Sell Downloads Safe to Use in 2026?

Generally Safe

Score 93/100

Sell Downloads has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Dec 30, 2025Updated 2mo ago

Risk Assessment

The "sell-downloads" v1.2.0 plugin exhibits a mixed security posture. On one hand, it demonstrates good practices such as a low number of unprotected entry points and a high percentage of SQL queries using prepared statements, alongside a good rate of output escaping. The presence of nonce and capability checks further bolsters its defenses against common web attacks.

However, the static analysis reveals several areas of concern. Six out of thirteen analyzed taint flows involve unsanitized paths, with two flagged as high severity. This indicates a significant risk of path traversal vulnerabilities, which could allow attackers to access or manipulate files outside of the intended directory. The plugin's history of vulnerabilities, particularly high severity ones including missing authorization, improper input validation, and path traversal, reinforces these concerns. The fact that these vulnerabilities are in the past is positive, but the recurring nature of path traversal issues warrants caution.

In conclusion, while the plugin employs several strong security mechanisms, the high number of unsanitized path taint flows and its historical vulnerability patterns suggest that it is not entirely free of risk. Users should remain vigilant, especially regarding the handling of file paths. The current lack of unpatched vulnerabilities is a positive sign, but the identified code signals and historical trends point to potential weaknesses that require careful monitoring.

Key Concerns

High severity taint flows with unsanitized paths
Multiple past high severity vulnerabilities
Past medium severity vulnerabilities
Taint flows with unsanitized paths
File operations present
External HTTP requests present

Vulnerabilities

Sell Downloads Security Vulnerabilities

CVEs by Year

1 CVE in 2014

2014

1 CVE in 2015

2015

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

High

Medium

3 total CVEs

CVE-2025-68850medium · 5.3Missing Authorization

Sell Downloads <= 1.1.12 - Missing Authorization

Dec 30, 2025 Patched in 1.2.0 (29d)

CVE-2015-9348high · 7.5Improper Input Validation

Sell Downloads <= 1.0.7 - Improper Input Validation

Jul 10, 2015 Patched in 1.0.8 (3119d)

CVE-2014-9511high · 7.5Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Sell Downloads <= 1.0.1 - Arbitrary File Read

Dec 29, 2014 Patched in 1.0.2 (3312d)

Code Analysis

Analyzed Mar 16, 2026

Sell Downloads Code Analysis

Dangerous Functions

Raw SQL Queries

52 prepared

Unescaped Output

314 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

88% prepared59 total queries

Output Escaping

80% escaped391 total outputs

Data Flows

6 unsanitized

Data Flow Analysis

13 flows6 with unsanitized paths

sd_download_file (sd-core\sd-functions.php:600)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Sell Downloads Attack Surface

Entry Points5

Unprotected0

AJAX Handlers 1

authwp_ajax_cp_feedbackfeedback\cp-feedback.php:26

Shortcodes 4

[sell_downloads] sell-downloads.php:262

[sell_downloads_product] sell-downloads.php:263

[sell_downloads] sell-downloads.php:409

[sell_downloads_product] sell-downloads.php:410

WordPress Hooks 45

actionadmin_bar_menubanner.php:107

actionadmin_enqueue_scriptsfeedback\cp-feedback.php:25

actionadmin_footerfeedback\cp-feedback.php:37

actionsd_show_settingssd-addons\affiliateroyale.addon.php:11

actionsd_save_settingssd-addons\affiliateroyale.addon.php:12

actionsd_paypal_form_html_before_submitsd-addons\affiliateroyale.addon.php:16

actionsd_paypal_ipn_receivedsd-addons\affiliateroyale.addon.php:17

actioninitsd-page-builder\sd-page-builders.php:22

actionafter_setup_themesd-page-builder\sd-page-builders.php:23

actionenqueue_block_editor_assetssd-page-builder\sd-page-builders.php:31

actionelementor/widgets/registersd-page-builder\sd-page-builders.php:34

actionelementor/elements/categories_registeredsd-page-builder\sd-page-builders.php:35

filtersiteorigin_widgets_widget_folderssd-page-builder\sd-page-builders.php:49

filtersiteorigin_panels_widget_dialog_tabssd-page-builder\sd-page-builders.php:50

actioninitsell-downloads.php:73

filterget_post_metadatasell-downloads.php:74

filteroption_sbp_settingssell-downloads.php:83

actionafter_setup_themesell-downloads.php:133

actioninitsell-downloads.php:134

actionadmin_initsell-downloads.php:135

actioncurrent_screensell-downloads.php:136

actionadmin_menusell-downloads.php:139

filterdisplay_post_statessell-downloads.php:152

actioninitsell-downloads.php:164

actionsave_postsell-downloads.php:182

filterget_pagessell-downloads.php:185

filterthe_contentsell-downloads.php:264

filterthe_excerptsell-downloads.php:265

filterget_the_excerptsell-downloads.php:266

actionwp_headsell-downloads.php:267

actionwp_enqueue_scriptssell-downloads.php:271

filterposts_wheresell-downloads.php:276

filterposts_joinsell-downloads.php:277

filterposts_groupbysell-downloads.php:278

actiondelete_postsell-downloads.php:562

actionadmin_enqueue_scriptssell-downloads.php:565

actionmedia_buttonssell-downloads.php:568

filtermanage_sd_product_posts_columnssell-downloads.php:842

actionmanage_sd_product_posts_custom_columnsell-downloads.php:843

actionadmin_menusell-downloads.php:919

actionparent_filesell-downloads.php:999

filterthe_contentsell-downloads.php:2993

actionshutdownsell-downloads.php:3146

actionactivated_pluginsell-downloads.php:3152

actionwpmu_new_blogsell-downloads.php:3153

Maintenance & Trust

Sell Downloads Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedJan 15, 2026

PHP min version

Downloads95K

Community Trust

Rating80/100

Number of ratings21

Active installs100

Alternatives

Sell Downloads Alternatives

WooCommerce

woocommerce

Everything you need to launch an online store in days and keep it growing for years. From your first sale to millions in revenue, Woo is with you.

7.0M 42 CVEs

Ecwid by Lightspeed Ecommerce Shopping Cart

ecwid-shopping-cart

Powerful, easy to use ecommerce shopping cart for WordPress. Sell on Facebook and Instagram. iPhone & Android apps. Superb support.

20K 13 CVEs

Shopping Cart & eCommerce Store

wp-easycart

A FREE WordPress eCommerce & WordPress Shopping Cart plugin that can sell products, subscriptions, downloads, services, donations, and much more o …

4K 21 CVEs

Premium Packages – Sell Digital Products Securely

wpdm-premium-packages

Premium Packages is a free, full-featured WordPress eCommerce plugin to sell digital products easily and securely.

3K 9 CVEs

TriPay Payment Gateway

tripay-payment-gateway

100

TriPay Payment adalah payment gateway indonesia yang menyediakan beragam metode pembayaran seperti virtual account, convenience store, e-wallet, dll

1K 1 CVE

Developer Profile

Sell Downloads Developer Profile

codepeople

34 plugins · 89K total installs

trust score

Avg Security Score

95/100

Avg Patch Time

964 days

View full developer profile

Detection Fingerprints

How We Detect Sell Downloads

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/sell-downloads/sd-core/css/sd-style.css/wp-content/plugins/sell-downloads/sd-core/js/sd-functions.js/wp-content/plugins/sell-downloads/sd-core/js/sd-validation.js/wp-content/plugins/sell-downloads/sd-core/js/sd-product.js/wp-content/plugins/sell-downloads/sd-core/js/sd-upload.js/wp-content/plugins/sell-downloads/sd-core/js/sd-checkout.js/wp-content/plugins/sell-downloads/sd-core/js/sd-shopping-cart.js/wp-content/plugins/sell-downloads/sd-core/js/sd-categories.js+8 more

Script Paths

/wp-content/plugins/sell-downloads/sd-core/js/sd-functions.js/wp-content/plugins/sell-downloads/sd-core/js/sd-validation.js/wp-content/plugins/sell-downloads/sd-core/js/sd-product.js/wp-content/plugins/sell-downloads/sd-core/js/sd-upload.js/wp-content/plugins/sell-downloads/sd-core/js/sd-checkout.js/wp-content/plugins/sell-downloads/sd-core/js/sd-shopping-cart.js+8 more

Version Parameters

sell-downloads/sd-core/css/sd-style.css?ver=sell-downloads/sd-core/js/sd-functions.js?ver=sell-downloads/sd-core/js/sd-validation.js?ver=sell-downloads/sd-core/js/sd-product.js?ver=sell-downloads/sd-core/js/sd-upload.js?ver=sell-downloads/sd-core/js/sd-checkout.js?ver=sell-downloads/sd-core/js/sd-shopping-cart.js?ver=sell-downloads/sd-core/js/sd-categories.js?ver=sell-downloads/sd-core/js/sd-tags.js?ver=sell-downloads/sd-core/js/sd-payment-gateways.js?ver=sell-downloads/sd-core/js/sd-statistics.js?ver=sell-downloads/sd-core/js/sd-coupons.js?ver=sell-downloads/sd-core/js/sd-users.js?ver=sell-downloads/sd-core/js/sd-settings.js?ver=sell-downloads/sd-page-builder/js/sd-page-builders.js?ver=

HTML / DOM Fingerprints

CSS Classes

sd-post-titlesd-pricesd-add-to-cart-buttonsd-product-imagesd-product-descriptionsd-cart-itemsd-cart-totalsd-checkout-form+2 more

HTML Comments

Data Attributes

data-sd-product-iddata-sd-cart-item-iddata-sd-pricedata-sd-currency

JS Globals

SD_UPLOAD_URLSD_CART_AJAX_URLSD_CHECKOUT_AJAX_URLSD_VALIDATION_RULESSD_CURRENCY_SYMBOLSD_PAYPAL_BUTTON_URL+2 more

Shortcode Output

[sell_downloads_products][sell_downloads_categories][sell_downloads_cart][sell_downloads_checkout]

FAQ