Themify – WooCommerce Product Filter Security & Risk Analysis

wordpress.org/plugins/themify-wc-product-filter

This plugin helps shoppers quickly find products in your WooCommerce shop by filtering through price, categories, attributes, tags, and more.

20K active installs · v1.5.4 · PHP 7.2+ · WP 5.0+ · Updated Feb 27, 2025

Tags: product-filter, product-search, product-sort, woocommerce-product-filter, woocommerce-product-search

Score: 86 · Grade A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Sep 23, 2024
Safety Verdict

Is Themify – WooCommerce Product Filter Safe to Use in 2026?

Generally Safe

Score 86/100

Themify – WooCommerce Product Filter has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

6 known CVEs · Last CVE: Sep 23, 2024 · Updated 1yr ago
Risk Assessment

The "themify-wc-product-filter" plugin version 1.5.4 presents a mixed security posture. While it demonstrates good practices by not making external HTTP requests and using nonces for most AJAX handlers, there are notable areas of concern. The presence of 10 AJAX handlers, with 2 lacking authentication checks, significantly expands the attack surface and introduces the potential for unauthorized actions if those handlers are exploitable. Furthermore, the low percentage of properly escaped output (22%) is a critical weakness, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. Taint analysis also revealed 5 flows with unsanitized paths; although none were classified as critical or high severity, they still represent potential avenues for exploitation.

The plugin's vulnerability history is a major red flag. With 6 known CVEs, including one critical and five medium severity, the plugin has a history of significant security flaws. The fact that all past CVEs are currently patched is a positive sign, but the sheer number and severity of past vulnerabilities suggest a pattern of insecure coding practices that require ongoing vigilance. The common vulnerability types (SQL Injection, XSS, CSRF) align with the concerns identified in the static analysis, particularly the output escaping issues.

In conclusion, while the plugin has addressed past vulnerabilities, the current version exhibits significant risk due to unprotected AJAX endpoints and pervasive output escaping deficiencies, which are prime candidates for XSS attacks. The historical vulnerability record further underscores the need for careful scrutiny and potential avoidance of this plugin until its security posture demonstrably improves.

Key Concerns

  • AJAX handlers without auth checks
  • Low percentage of properly escaped output
  • Taint flows with unsanitized paths
  • High number of CVEs in history (1 critical, 5 medium)
  • Bundled library (Select2) - potential for unpatched vulnerabilities
Vulnerabilities
6 published

Themify – WooCommerce Product Filter Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2024: 5 CVEs

Severity Breakdown

Critical: 1
Medium: 5

6 total CVEs

CVE-2024-44046 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themify – WooCommerce Product Filter <= 1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 23, 2024 · Patched in 1.5.2 (10d)

CVE-2024-6027 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Themify - WooCommerce Product Filter <= 1.4.9 - Unauthenticated SQL Injection via conditions Parameter

Jun 20, 2024 · Patched in 1.5.0 (1d)

CVE-2024-2278 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themify – WooCommerce Product Filter <= 1.4.3 - Authenticated (Admin+) Stored Cross-Site Scripting

Mar 11, 2024 · Patched in 1.4.4 (746d)

CVE-2024-2263 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themify – WooCommerce Product Filter <= 1.4.3 - Reflected Cross-Site Scripting

Mar 11, 2024 · Patched in 1.4.4 (45d)

CVE-2024-2262 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Themify – WooCommerce Product Filter <= 1.4.3 - Cross-Site Request Forgery

Mar 11, 2024 · Patched in 1.4.4 (45d)

CVE-2022-1532 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Themify - WooCommerce Product Filter <= 1.3.7 - Reflected Cross-Site Scripting

May 18, 2022 · Patched in 1.3.8 (615d)
Version History

Themify – WooCommerce Product Filter Release Timeline

v1.5.4 (current)
v1.5.3
v1.5.2
v1.5.1 (1 CVE)
v1.5.0 (1 CVE)
Code Analysis
Analyzed Mar 16, 2026

Themify – WooCommerce Product Filter Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (2 prepared)
Unescaped Output: 292 (83 escaped)
Nonce Checks: 9
Capability Checks: 2
File Operations: 1
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

50% prepared · 4 total queries

Output Escaping

22% escaped · 375 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

12 flows · 5 with unsanitized paths

Flow: pagination (includes\class-wpf-utils.php:413)

[Data flow diagram legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized]
Attack Surface
2 unprotected

Themify – WooCommerce Product Filter Attack Surface

Entry Points: 12
Unprotected: 2

AJAX Handlers 10

auth · wp_ajax_wpf_get_list · admin\class-wpf-admin.php:53
auth · wp_ajax_wpf_add · admin\class-wpf-admin.php:54
auth · wp_ajax_wpf_edit · admin\class-wpf-admin.php:55
auth · wp_ajax_wpf_get_tax · admin\class-wpf-admin.php:56
auth · wp_ajax_wpf_delete · admin\class-wpf-admin.php:57
auth · wp_ajax_wpf_ajax_themes_save · admin\class-wpf-admin.php:58
auth · wp_ajax_wpf_import · admin\class-wpf-admin.php:59
auth · wp_ajax_wpf_import_file · admin\class-wpf-admin.php:60
auth · wp_ajax_wpf_autocomplete · public\class-wpf-public.php:70
nopriv · wp_ajax_wpf_autocomplete · public\class-wpf-public.php:71

Shortcodes 2

[tf_product_filter] public\class-wpf-public.php:74
[searchandfilter] public\class-wpf-public.php:77
WordPress Hooks 44

action · admin_init · admin\class-wpf-admin.php:50
action · admin_menu · admin\class-wpf-admin.php:51
action · admin_enqueue_scripts · admin\class-wpf-admin.php:52
action · themify_after_demo_import · admin\class-wpf-admin.php:61
action · admin_init · admin\class-wpf-admin.php:62
filter · plugin_row_meta · admin\class-wpf-admin.php:64
filter · plugin_action_links_themify-wc-product-filter/themify-wc-product-filter.php · admin\class-wpf-admin.php:65
action · widgets_init · includes\class-wpf-widget.php:94
action · plugins_loaded · includes\class-wpf.php:94
action · wp_loaded · includes\class-wpf.php:104
action · plugins_loaded · includes\class-wpf.php:121
filter · premium_woo_products_query_args · includes\plugin-compat\PremiumAddonsForElementor.php:10
filter · wpf_min_max_price · includes\plugin-compat\wooPayments.php:10
filter · wpf_filter_by_price · includes\plugin-compat\wooPayments.php:11
action · wp_enqueue_scripts · public\class-wpf-public.php:67
action · wp_head · public\class-wpf-public.php:68
filter · woocommerce_shortcode_products_query · public\class-wpf-public.php:81
filter · shortcode_atts_products · public\class-wpf-public.php:82
action · pre_get_posts · public\class-wpf-public.php:84
filter · wc_get_template · public\class-wpf-public.php:85
action · wp_head · public\class-wpf-public.php:87
filter · body_class · public\class-wpf-public.php:171
filter · wc_get_template · public\class-wpf-public.php:174
action · woocommerce_after_main_content · public\class-wpf-public.php:179
filter · wc_get_template · public\class-wpf-public.php:180
action · woocommerce_before_main_content · public\class-wpf-public.php:186
action · woocommerce_after_main_content · public\class-wpf-public.php:187
filter · wc_get_template · public\class-wpf-public.php:267
action · woocommerce_after_shop_loop · public\class-wpf-public.php:269
filter · woocommerce_show_page_title · public\class-wpf-public.php:271
filter · woocommerce_page_title · public\class-wpf-public.php:273
filter · get_meta_sql · public\class-wpf-public.php:278
filter · post_class · public\class-wpf-public.php:281
filter · loop_shop_columns · public\class-wpf-public.php:302
action · loop_end · public\class-wpf-public.php:392
action · woocommerce_no_products_found · public\class-wpf-public.php:412
filter · posts_clauses · public\class-wpf-public.php:706
filter · posts_clauses · public\class-wpf-public.php:710
action · woocommerce_shortcode_before_products_loop · public\class-wpf-public.php:867
action · woocommerce_shortcode_before_products_loop · public\class-wpf-public.php:868
action · woocommerce_shortcode_before_products_loop · public\class-wpf-public.php:869
action · woocommerce_shortcode_after_products_loop · public\class-wpf-public.php:894
action · admin_notices · themify-wc-product-filter.php:24
action · before_woocommerce_init · themify-wc-product-filter.php:82
Maintenance & Trust

Themify – WooCommerce Product Filter Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Feb 27, 2025
PHP min version: 7.2
Downloads: 779K

Community Trust

Rating: 70/100
Number of ratings: 72
Active installs: 20K
Developer Profile

Themify – WooCommerce Product Filter Developer Profile

themifyme

10 plugins · 138K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 157 days
Detection Fingerprints

How We Detect Themify – WooCommerce Product Filter

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/themify-wc-product-filter/assets/css/wpf-frontend.css
/wp-content/plugins/themify-wc-product-filter/assets/css/wpf-admin.css
/wp-content/plugins/themify-wc-product-filter/assets/js/wpf-frontend.js
/wp-content/plugins/themify-wc-product-filter/assets/js/wpf-admin.js
/wp-content/plugins/themify-wc-product-filter/assets/js/wpf-select2.js
/wp-content/plugins/themify-wc-product-filter/assets/js/wpf-colorpicker.js
Script Paths
assets/js/wpf-frontend.js
assets/js/wpf-admin.js
assets/js/wpf-select2.js
assets/js/wpf-colorpicker.js
Version Parameters
themify-wc-product-filter/assets/css/wpf-frontend.css?ver=
themify-wc-product-filter/assets/css/wpf-admin.css?ver=
themify-wc-product-filter/assets/js/wpf-frontend.js?ver=
themify-wc-product-filter/assets/js/wpf-admin.js?ver=
themify-wc-product-filter/assets/js/wpf-select2.js?ver=
themify-wc-product-filter/assets/js/wpf-colorpicker.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpf-active-filter, wpf-filter-container, wpf-filter-heading, wpf-filter-attribute-color, wpf-filter-attribute-image, wpf-range-slider, wpf-filter-title, wpf-custom-field-wrap (+2 more)
HTML Comments
<!-- Themify WooCommerce Product Filter Plugin by Themify.me -->
<!-- End Themify WooCommerce Product Filter -->
<!-- Themify WC Product Filter Admin Tabs -->
<!-- End Themify WC Product Filter Admin Tabs -->
(+2 more)
Data Attributes
data-wpf-attribute, data-wpf-attribute-id, data-wpf-attribute-type, data-wpf-term-slug, data-wpf-term-id, data-wpf-filter-id (+1 more)
JS Globals
wpf_data, wpf_frontend_params, wpf_admin_params
REST Endpoints
/wp-json/wpf/v1/filters
/wp-json/wpf/v1/filter/(?P<id>\d+)
Shortcode Output
[themify_wc_product_filter
[themify_woocommerce_product_filter
FAQ

Frequently Asked Questions about Themify – WooCommerce Product Filter