Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays Security & Risk Analysis

wordpress.org/plugins/shopper

The ultimate affiliate plugin: manage links, 25K+ brand partnerships, high converting displays, link break alerts & more to boost your earnings.

60 active installs · v3.2.8 · PHP 7.4+ · WP 5.4+ · Updated Apr 29, 2025
Tags: affiliate-link-management, affiliate-marketing, affiliate-plugin, shopper-wordpress-plugin, wordpress-affiliate-plugin
98 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Mar 31, 2025
Safety Verdict

Is Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays Safe to Use in 2026?

Generally Safe

Score 98/100

Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Mar 31, 2025 · Updated 11mo ago
Risk Assessment

The "shopper" v3.2.8 plugin presents a mixed security posture: several indicators are positive, but its attack surface raises significant concerns. The plugin handles SQL queries and output escaping well, with a high percentage of prepared statements and properly escaped outputs, but its vulnerability history and the absence of authentication checks on numerous entry points are substantial weaknesses.

The static analysis reveals a large attack surface: all 10 identified REST API routes lack permission callbacks. Any user, regardless of role or privileges, could potentially interact with these endpoints, which exposes them to unauthorized access and manipulation. The absence of AJAX handlers and shortcodes is positive, but it does little to mitigate the risk posed by the unprotected REST API routes.

The plugin's vulnerability history, specifically a past high-severity SQL injection vulnerability, combined with the large number of unprotected REST API routes, suggests a recurring pattern of insecure handling of user-supplied data. Although the current version shows a high rate of prepared statements, the historical precedent and the lack of authorization checks on the REST API routes warrant significant caution. The plugin's internal code hygiene for SQL and output is strong, but its external-facing attack surface remains a critical concern.

Key Concerns

  • REST API routes lack permission callbacks
  • All entry points unprotected
  • Historical high-severity SQL injection vulnerability
Vulnerabilities
1

Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

High: 1

1 total CVE

CVE-2025-31534 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Shopper <= 3.2.5 - Unauthenticated SQL Injection

Mar 31, 2025 · Patched in 3.2.6 (26d)
Code Analysis
Analyzed Mar 16, 2026

Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 4 (163 prepared)
Unescaped Output: 7 (248 escaped)
Nonce Checks: 1
Capability Checks: 2
File Operations: 2
External Requests: 4
Bundled Libraries: 0

SQL Query Safety

98% prepared · 167 total queries

Output Escaping

97% escaped · 255 total outputs
Data Flows
All sanitized

Data Flow Analysis

3 flows
shopper_connection_settings_form (templates\form.php:2)
Attack Surface
10 unprotected

Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays Attack Surface

Entry Points: 10
Unprotected: 10

REST API Routes 10

GET /wp-json/shopper/v1/items (index.php:553)
GET /wp-json/shopper/v1/search/ (index.php:605)
GET /wp-json/shopper/v1/collectionproducts/ (index.php:645)
GET /wp-json/shopper/v1/get_themes (index.php:672)
POST /wp-json/shopper/v1/save_theme (index.php:697)
POST /wp-json/shopper/v1/update_theme (index.php:749)
POST /wp-json/shopper/v1/delete_theme (index.php:798)
GET /wp-json/shopper/v1/global_props (index.php:828)
GET /wp-json/shopper/v1/get_user (index.php:857)
GET /wp-json/shopper/v1/get_slug_type (index.php:879)
WordPress Hooks 22
action admin_enqueue_scripts (index.php:58)
action wp_enqueue_scripts (index.php:81)
action plugins_loaded (index.php:343)
filter cron_schedules (index.php:367)
action shopper_sync_event (index.php:375)
action admin_menu (index.php:399)
action init (index.php:401)
action init (index.php:442)
filter template_include (index.php:482)
filter pre_get_document_title (index.php:515)
filter wpseo_title (index.php:516)
action enqueue_block_editor_assets (index.php:550)
action rest_api_init (index.php:552)
action rest_api_init (index.php:604)
action rest_api_init (index.php:644)
action rest_api_init (index.php:671)
action rest_api_init (index.php:696)
action rest_api_init (index.php:748)
action rest_api_init (index.php:797)
action rest_api_init (index.php:827)
action rest_api_init (index.php:856)
action rest_api_init (index.php:878)

Scheduled Events 1

shopper_sync_event
Maintenance & Trust

Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Apr 29, 2025
PHP min version: 7.4
Downloads: 8K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 60
Developer Profile

Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays Developer Profile

shopperdotcom

1 plugin · 60 total installs

Trust score: 93
Avg Security Score: 98/100
Avg Patch Time: 26 days
Detection Fingerprints

How We Detect Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/shopper/assets/js/script.js
/wp-content/plugins/shopper/assets/css/plugin.css
/wp-content/plugins/shopper/assets/css/jquery-ui.min.css
/wp-content/plugins/shopper/src/block_style.css
/wp-content/plugins/shopper/src/shopper_block_script.js
/wp-content/plugins/shopper/build/index.css
Script Paths
assets/js/script.js
src/shopper_block_script.js
Version Parameters
shopper/assets/css/plugin.css?spcom_ver=
shopper/assets/css/jquery-ui.min.css?spcom_ver=
shopper/src/block_style.css?spcom_ver=
shopper/build/index.css?spcom_ver=

HTML / DOM Fingerprints

CSS Classes
shopper-dot-com-wp-block-script
FAQ

Frequently Asked Questions about Shopper – Affiliate Link Management, 25000+ Brand Partnerships & Creative Product Displays