Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD Security & Risk Analysis

wordpress.org/plugins/sigmize

Powerful A/B testing for WordPress with heatmaps, session replays, and e-commerce tracking for WooCommerce, SureCart, and EDD.

100 active installs · v0.0.10 · PHP 7.4+ · WP 5.8+ · Updated Jan 20, 2026
Tags: ab-testing, conversion-optimization, heatmaps, split-testing, woocommerce

Security score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Feb 7, 2026
Safety Verdict

Is Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD Safe to Use in 2026?

Generally Safe

Score 99/100

Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 7, 2026 · Updated 2mo ago
Risk Assessment

The sigmize plugin v0.0.10 presents a mixed security posture. On the positive side, the plugin demonstrates good practices in several areas, including 100% proper output escaping and the exclusive use of prepared statements for SQL queries. It also includes nonce and capability checks, which are crucial for securing WordPress functionality. The attack surface appears to be minimal, with no discovered AJAX handlers, REST API routes, shortcodes, or cron events exposed without proper authorization.

However, the presence of the `unserialize` function is a significant concern. While the taint analysis shows no critical or high severity flows, the very existence of `unserialize` without explicit sanitization is a potential gateway for deserialization vulnerabilities if untrusted data is ever passed to it. Furthermore, the plugin has a history of vulnerabilities, specifically a medium-severity Cross-Site Request Forgery (CSRF) identified in the past. This indicates a pattern of introducing security flaws, and the fact that a CVE exists, even though it has since been patched, warrants caution. The plugin's reliance on external HTTP requests (10 of them) is also an area that could be exploited if those external services are compromised or if the plugin does not handle their responses securely.

In conclusion, while sigmize v0.0.10 has some well-implemented security features, the identified use of `unserialize` and the historical vulnerability record are notable weaknesses. Developers should prioritize auditing the usage of `unserialize` to ensure it's never exposed to user-controlled data and consider more robust security testing to prevent future vulnerabilities, especially considering the past CSRF issue.

Key Concerns

  • Use of dangerous unserialize function
  • Past medium severity CVE exists
  • External HTTP requests
Vulnerabilities: 1

Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD Security Vulnerabilities

CVEs by Year

2026: 1 CVE

Severity Breakdown

Medium: 1

1 total CVE

CVE-2026-24962 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Sigmize <= 0.0.9 - Cross-Site Request Forgery

Feb 7, 2026 · Patched in 0.0.10 (3d)
Code Analysis
Analyzed Mar 16, 2026

Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 0 (43 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 1
External Requests: 10
Bundled Libraries: 0

Dangerous Functions Found

unserialize: `$keys = unserialize($decrypted);` (includes\class-secure-cookie-manager.php:550)

Output Escaping

100% escaped (43 total outputs)
Data Flows
1 unsanitized

Data Flow Analysis

1 flow, 1 with unsanitized paths
<class-auth-manager> (includes\class-auth-manager.php:0)
Attack Surface

Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 17

action admin_enqueue_scripts (includes\admin\class-admin-menu.php:51)
action admin_init (includes\class-auth-manager.php:52)
action admin_init (includes\class-auth-manager.php:53)
action admin_menu (includes\class-auth-manager.php:334)
action init (includes\class-daily-sync-manager.php:54)
action wp_enqueue_scripts (includes\frontend\class-frontend-manager.php:98)
action template_redirect (includes\frontend\class-traffic-redirector.php:92)
action template_redirect (includes\frontend\class-traffic-redirector.php:95)
action edd_post_add_to_cart (includes\frontend\integrations\class-edd-integration.php:88)
action edd_complete_purchase (includes\frontend\integrations\class-edd-integration.php:93)
action surecart/purchase_created (includes\frontend\integrations\class-surecart-integration.php:84)
action woocommerce_add_to_cart (includes\frontend\integrations\class-woocommerce-integration.php:89)
action woocommerce_payment_complete (includes\frontend\integrations\class-woocommerce-integration.php:94)
action woocommerce_order_status_changed (includes\frontend\integrations\class-woocommerce-integration.php:97)
action admin_menu (sigmize.php:170)
action rest_api_init (sigmize.php:173)
action init (sigmize.php:176)
Maintenance & Trust

Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Jan 20, 2026
PHP min version: 7.4
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 100
Developer Profile

Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD Developer Profile

Brainstorm Force

32 plugins · 8.6M total installs

Trust score: 78
Avg Security Score: 98/100
Avg Patch Time: 196 days
Detection Fingerprints

How We Detect Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/sigmize/assets/css/sigmize-admin.css
/wp-content/plugins/sigmize/assets/js/sigmize-admin.js
/wp-content/plugins/sigmize/assets/js/sigmize-dashboard.js
/wp-content/plugins/sigmize/assets/js/sigmize-frontend-sdk.js
Script Paths
/wp-content/plugins/sigmize/assets/js/sigmize-frontend-sdk.js
Version Parameters
sigmize/assets/css/sigmize-admin.css?ver=
sigmize/assets/js/sigmize-admin.js?ver=
sigmize/assets/js/sigmize-dashboard.js?ver=
sigmize/assets/js/sigmize-frontend-sdk.js?ver=

HTML / DOM Fingerprints

CSS Classes
sigmize-dashboard, sigmize-modal-content
Data Attributes
data-sigmize-id
JS Globals
SigmizeFrontendSDK
REST Endpoints
/wp-json/sigmize/v1/tracking
/wp-json/sigmize/v1/optin
Shortcode Output
[sigmize-content], [sigmize-modal], [sigmize-optin]
FAQ

Frequently Asked Questions about Sigmize: A/B Testing, Session Recordings, Heatmaps & Revenue Tracking for WooCommerce, SureCart & EDD