ShopCred – WooCommerce Builder with Products Grid & Carousel Block Security & Risk Analysis

wordpress.org/plugins/shopcred

ShopCred - The Best Gutenberg Blocks Collection for WooCommerce with WooCommerce Builder

50 active installs · v1.2.8 · PHP + · WP 4.7+ · Updated Oct 27, 2024
Tags: block-editor, blocks, gutenberg, products, woocommerce
71
B · Generally Safe
CVEs total: 1
Unpatched: 1
Last CVE: Apr 1, 2025
Safety Verdict

Is ShopCred – WooCommerce Builder with Products Grid & Carousel Block Safe to Use in 2026?

Mostly Safe

Score 71/100

ShopCred – WooCommerce Builder with Products Grid & Carousel Block is generally safe to use, though it hasn't been updated recently. 1 past CVE was resolved. Keep it updated.

1 known CVE · 1 unpatched · Last CVE: Apr 1, 2025 · Updated 1yr ago
Risk Assessment

The shopcred plugin exhibits a mixed security posture. While it avoids dangerous functions and file operations, significant concerns arise from its handling of entry points and data sanitization. A substantial portion of its AJAX handlers (4 out of 10) and one REST API route lack proper authentication or permission checks, creating a large attack surface for unauthorized access or manipulation. The static analysis reveals that 3 SQL queries are not using prepared statements, and a concerning 42% of outputs are not properly escaped, increasing the risk of cross-site scripting (XSS) vulnerabilities. The presence of two unsanitized taint flows, although not classified as critical or high severity in this analysis, warrants attention as they could potentially be exploited. The vulnerability history, including one unpatched medium severity CVE related to XSS, further reinforces these concerns and suggests a pattern of input sanitization weaknesses. Despite a relatively low number of total entry points, the lack of robust security checks on several of them, coupled with the history of XSS, indicates a need for immediate improvement to mitigate potential risks.

Key Concerns

  • Unpatched CVE: 1 medium
  • SQL queries not using prepared statements
  • Low percentage of output escaping
  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • Flows with unsanitized paths
Vulnerabilities
1

ShopCred – WooCommerce Builder with Products Grid & Carousel Block Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-31829 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ShopCred <= 1.2.8 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 1, 2025 · Unpatched
Code Analysis
Analyzed Mar 16, 2026

ShopCred – WooCommerce Builder with Products Grid & Carousel Block Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (0 prepared)
Unescaped Output: 235 (168 escaped)
Nonce Checks: 5
Capability Checks: 4
File Operations: 0
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

0% prepared · 3 total queries

Output Escaping

42% escaped · 403 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

5 flows · 2 with unsanitized paths
form_action_url (appsero\client\License.php:778)
Attack Surface
5 unprotected

ShopCred – WooCommerce Builder with Products Grid & Carousel Block Attack Surface

Entry Points: 11
Unprotected: 5

AJAX Handlers 10

auth · wp_ajax_spc_product_pagination · includes\class-render-blocks.php:71
nopriv · wp_ajax_spc_product_pagination · includes\class-render-blocks.php:72
auth · wp_ajax_spc_product_loadmore · includes\class-render-blocks.php:73
nopriv · wp_ajax_spc_product_loadmore · includes\class-render-blocks.php:74
auth · wp_ajax_spc_filter_post_grid_callback · includes\class-render-blocks.php:77
nopriv · wp_ajax_spc_filter_post_grid_callback · includes\class-render-blocks.php:78
auth · wp_ajax_custom_filter_post_grid_callback · includes\class-render-blocks.php:80
nopriv · wp_ajax_custom_filter_post_grid_callback · includes\class-render-blocks.php:81
auth · wp_ajax_spc_quickview · includes\class-woo-quickview.php:40
nopriv · wp_ajax_spc_quickview · includes\class-woo-quickview.php:41

REST API Routes 1

GET · /wp-json/custom/v1/check-shopcred-pro · shopcred.php:99
WordPress Hooks 75
action · admin_enqueue_scripts · admin\class-dashboard-settings.php:58
filter · shopcred-dashboard/js-page-config · admin\class-dashboard-settings.php:105
filter · shopcred-dashboard/js-page-templates · admin\class-dashboard-settings.php:107
action · after_setup_theme · admin\loader.php:57
action · after_setup_theme · admin\loader.php:58
action · rest_api_init · admin\rest-api\rest-api.php:51
action · init · admin\setting-pages.php:46
action · init · admin\setting-pages.php:48
action · init · admin\shopcred-dashboard\inc\modules\manager.php:70
action · shopcred-dashboard/before-enqueue-assets · admin\shopcred-dashboard\inc\modules\page-base.php:68
filter · shopcred-dashboard/js-page-config · admin\shopcred-dashboard\inc\modules\page-base.php:94
filter · shopcred-dashboard/js-page-templates · admin\shopcred-dashboard\inc\modules\page-base.php:96
action · admin_menu · admin\shopcred-dashboard\inc\modules\settings\module.php:58
action · init · admin\shopcred-dashboard\shopcred-dashboard.php:156
action · admin_menu · admin\shopcred-dashboard\shopcred-dashboard.php:158
action · admin_enqueue_scripts · admin\shopcred-dashboard\shopcred-dashboard.php:160
action · admin_footer · admin\shopcred-dashboard\shopcred-dashboard.php:490
action · admin_enqueue_scripts · admin\vue-ui\cherry-x-vue-ui.php:81
action · admin_footer · admin\vue-ui\cherry-x-vue-ui.php:128
action · admin_footer · admin\vue-ui\cherry-x-vue-ui.php:161
action · switch_theme · appsero\client\Insights.php:134
action · switch_theme · appsero\client\Insights.php:135
action · admin_footer · appsero\client\Insights.php:147
action · admin_notices · appsero\client\Insights.php:165
action · admin_init · appsero\client\Insights.php:168
filter · cron_schedules · appsero\client\Insights.php:174
action · admin_menu · appsero\client\License.php:222
action · after_switch_theme · appsero\client\License.php:769
action · switch_theme · appsero\client\License.php:770
filter · pre_set_site_transient_update_plugins · appsero\client\Updater.php:42
filter · plugins_api · appsero\client\Updater.php:43
filter · pre_set_site_transient_update_themes · appsero\client\Updater.php:52
action · plugins_loaded · includes\base.php:85
action · init · includes\base.php:88
action · init · includes\base.php:91
action · init · includes\base.php:95
action · init · includes\base.php:97
action · init · includes\builder\class-builder-admin.php:33
action · admin_menu · includes\builder\class-builder-admin.php:34
action · plugins_loaded · includes\builder\woo-builder-init.php:81
filter · template_include · includes\builder\woo-builder-init.php:88
action · save_post · includes\class-enqueue-css.php:45
action · save_post_wp_block · includes\class-enqueue-css.php:46
action · init · includes\class-enqueue-css.php:47
filter · widget_update_callback · includes\class-enqueue-css.php:48
action · customize_save_after · includes\class-enqueue-css.php:49
action · wp_enqueue_scripts · includes\class-enqueue-css.php:58
action · wp_head · includes\class-enqueue-css.php:59
action · wp_footer · includes\class-enqueue-css.php:60
action · enqueue_block_editor_assets · includes\class-enqueue.php:50
action · enqueue_block_assets · includes\class-enqueue.php:51
action · wp_enqueue_scripts · includes\class-enqueue.php:53
action · enqueue_block_editor_assets · includes\class-enqueue.php:54
filter · block_categories_all · includes\class-enqueue.php:55
filter · shopcred_do_content · includes\class-enqueue.php:56
action · template_redirect · includes\class-enqueue.php:57
action · wp_enqueue_scripts · includes\class-enqueue.php:59
action · admin_init · includes\class-render-blocks.php:66
action · init · includes\class-render-blocks.php:69
filter · redirect_canonical · includes\class-render-blocks.php:75
action · rest_api_init · includes\class-rest.php:57
action · init · includes\class-woo-quickview.php:38
action · wp_footer · includes\class-woo-quickview.php:43
action · wp_enqueue_scripts · includes\class-woo-quickview.php:44
action · enqueue_block_editor_assets · includes\class-woo-quickview.php:45
filter · body_class · includes\class-woo-quickview.php:54
action · wp_footer · includes\class-woo-quickview.php:115
action · spc_quickview_content · includes\templates\tmpl-quick-view.php:55
action · spc_quickview_content · includes\templates\tmpl-quick-view.php:56
action · spc_quickview_content · includes\templates\tmpl-quick-view.php:57
action · spc_quickview_content · includes\templates\tmpl-quick-view.php:58
action · spc_quickview_content · includes\templates\tmpl-quick-view.php:59
action · spc_quickview_content · includes\templates\tmpl-quick-view.php:60
action · spc_quickview_content · includes\templates\tmpl-quick-view.php:61
action · rest_api_init · shopcred.php:106
Maintenance & Trust

ShopCred – WooCommerce Builder with Products Grid & Carousel Block Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Oct 27, 2024
PHP min version
Downloads: 8K

Community Trust

Rating: 90/100
Number of ratings: 8
Active installs: 50
Developer Profile

ShopCred – WooCommerce Builder with Products Grid & Carousel Block Developer Profile

devscred

2 plugins · 60 total installs

Trust score: 74
Avg Security Score: 71/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect ShopCred – WooCommerce Builder with Products Grid & Carousel Block

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/shopcred/admin/assets/css/admin-notice.css
/wp-content/plugins/shopcred/admin/assets/css/admin-style.css
/wp-content/plugins/shopcred/admin/assets/js/admin-script.js
/wp-content/plugins/shopcred/includes/base.php
Script Paths
/wp-content/plugins/shopcred/admin/assets/js/admin-script.js
Version Parameters
ver=1.2.8

HTML / DOM Fingerprints

CSS Classes
spc-admin-css
spc-notice-css
JS Globals
spc_admin_object
REST Endpoints
/wp-json/custom/v1/check-shopcred-pro
FAQ

Frequently Asked Questions about ShopCred – WooCommerce Builder with Products Grid & Carousel Block