Selling Commander for WooCommerce – connector plugin Security & Risk Analysis

wordpress.org/plugins/selling-commander-connector

Selling Commander for WooCommerce - connector plugin

60 active installs · v1.2.46 · PHP + WP 5.0+ · Updated Oct 16, 2024
Tags: excel, export, import, woo, woocommerce

Security score: 64/100 (Grade C · Use Caution)
CVEs total: 1
Unpatched: 1
Last CVE: Jun 19, 2025
Safety Verdict

Is Selling Commander for WooCommerce – connector plugin Safe to Use in 2026?

Use With Caution

Score 64/100

Selling Commander for WooCommerce – connector plugin has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.

1 known CVE · 1 unpatched · Last CVE: Jun 19, 2025 · Updated 1 yr ago
Risk Assessment

The "selling-commander-connector" plugin v1.2.46 presents a mixed security posture. While it demonstrates good practices in its use of prepared statements for SQL queries (95%) and avoids bundled libraries, significant concerns arise from its unprotected entry points and lack of robust security checks. The presence of dangerous functions like 'unserialize' combined with a substantial number of AJAX handlers that lack authentication checks creates a direct attack vector for potential unauthorized actions or data manipulation.

The static analysis reveals a concerning lack of nonce checks (0) and only a limited number of capability checks (3) across its numerous entry points. This, coupled with only 41% of output being properly escaped, suggests potential for cross-site scripting (XSS) vulnerabilities and privilege escalation. The absence of any identified taint flows in this analysis, while seemingly positive, could also be an indicator of insufficient or incomplete taint analysis coverage for this specific plugin version.

The vulnerability history is a significant red flag. The plugin has a known critical unpatched CVE related to Incorrect Privilege Assignment. This critical vulnerability, combined with previous issues, indicates a pattern of security weaknesses that have not been adequately addressed, suggesting a lack of ongoing security maintenance. While the plugin has strengths in its SQL handling, the critical unpatched vulnerability and unprotected entry points, particularly AJAX handlers, make it a high-risk component.

Key Concerns

  • Unpatched critical CVE
  • AJAX handlers without auth checks
  • Missing nonce checks
  • Low output escaping rate
  • Dangerous function: unserialize
  • Limited capability checks
Vulnerabilities (1)

Selling Commander for WooCommerce – connector plugin Security Vulnerabilities

CVEs by Year

2025: 1 CVE (unpatched)

Severity Breakdown

Critical: 1 (1 total CVE)

CVE-2025-60243 · Critical (9.8) · Incorrect Privilege Assignment

Selling Commander for WooCommerce <= 1.2.46 - Unauthenticated Privilege Escalation

Jun 19, 2025 · Unpatched
Code Analysis (analyzed Mar 16, 2026)

Selling Commander for WooCommerce – connector plugin Code Analysis

Dangerous Functions:  2
Raw SQL Queries:      4 (79 prepared)
Unescaped Output:     109 (77 escaped)
Nonce Checks:         0
Capability Checks:    3
File Operations:      37
External Requests:    1
Bundled Libraries:    0

Dangerous Functions Found

unserialize (sellingcommander.php:3089)
    $result[$user_meta->user_id]->role = implode(",",array_keys(unserialize($user_meta->meta_value)));

unserialize (sellingcommander.php:3262)
    $result[$media_meta->post_id]->media_details = unserialize($media_meta->meta_value);

SQL Query Safety

95% prepared (83 total queries)

Output Escaping

41% escaped (186 total outputs)
Attack Surface (4 unprotected)

Selling Commander for WooCommerce – connector plugin Attack Surface

Entry Points: 23
Unprotected: 4

AJAX Handlers (4)

auth    wp_ajax_sellingcommander_local       sellingcommander.php:655
nopriv  wp_ajax_sellingcommander_local       sellingcommander.php:656
auth    wp_ajax_sellingcommander-endpoint    sellingcommander.php:658
nopriv  wp_ajax_sellingcommander-endpoint    sellingcommander.php:659

REST API Routes (19)

GET   /wp-json/sc/v1/info                       sellingcommander.php:821
GET   /wp-json/sc/v1/taxonomy_terms             sellingcommander.php:827
GET   /wp-json/sc/v1/subscriptions_and_orders   sellingcommander.php:833
GET   /wp-json/sc/v1/products_readout           sellingcommander.php:839
GET   /wp-json/sc/v1/media_readout              sellingcommander.php:845
GET   /wp-json/sc/v1/customers_readout          sellingcommander.php:851
GET   /wp-json/sc/v1/taxonomy_readout           sellingcommander.php:857
POST  /wp-json/sc/v1/query                      sellingcommander.php:863
POST  /wp-json/sc/v1/cache_delete               sellingcommander.php:872
POST  /wp-json/sc/v1/queries                    sellingcommander.php:881
POST  /wp-json/sc/v1/fs                         sellingcommander.php:890
POST  /wp-json/sc/v1/media_import               sellingcommander.php:899
POST  /wp-json/sc/v1/media_delete               sellingcommander.php:908
POST  /wp-json/sc/v1/media_update               sellingcommander.php:917
GET   /wp-json/sc/v1/media_read                 sellingcommander.php:926
GET   /wp-json/sc/v1/customers_read             sellingcommander.php:935
POST  /wp-json/sc/v1/save_forward_settings      sellingcommander.php:944
POST  /wp-json/sc/v1/clear_cache                sellingcommander.php:953
POST  /wp-json/sc/v1/update_plugin              sellingcommander.php:962
WordPress Hooks (15)

action  before_woocommerce_init                   sellingcommander.php:426
action  wp_loaded                                 sellingcommander.php:504
action  admin_menu                                sellingcommander.php:633
action  admin_init                                sellingcommander.php:639
action  init                                      sellingcommander.php:642
filter  determine_current_user                    sellingcommander.php:644
filter  woocommerce_rest_is_request_to_rest_api   sellingcommander.php:645
filter  rest_pre_serve_request                    sellingcommander.php:649
action  rest_api_init                             sellingcommander.php:650
filter  rest_authentication_errors                sellingcommander.php:651
filter  woocommerce_rest_check_permissions        sellingcommander.php:652
action  save_post_product                         sellingcommander.php:674
action  before_delete_post                        sellingcommander.php:676
action  woocommerce_email                         sellingcommander.php:819
filter  rest_request_after_callbacks              sellingcommander.php:1019
Maintenance & Trust

Selling Commander for WooCommerce – connector plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.1.10
Last updated: Oct 16, 2024
PHP min version:
Downloads: 2K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 60
Developer Profile

Selling Commander for WooCommerce – connector plugin Developer Profile

Holest Engineering

2 plugins · 560 total installs

Trust score: 53
Avg Security Score: 41/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Selling Commander for WooCommerce – connector plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/selling-commander-connector/sellingcommander.php
Version Parameters
selling-commander-connector/sellingcommander.php?ver=

HTML / DOM Fingerprints

HTML Comments
Copyright (c) holest.com
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.