SpecFit-Virtual Try On Woocommerce Security & Risk Analysis

wordpress.org/plugins/try-on-for-woocommerce

Vitual EyeWear Try-On SpecFit allows customers to virtually try eye wears products on their face before buying it.

60 active installs v8.0.3 PHP 5.6.40+ WP 5.3+ Updated Dec 7, 2025
try-onvirtual-eye-wearvirtual-mirror
99
A · Safe
CVEs total1
Unpatched0
Last CVEJun 18, 2025
Safety Verdict

Is SpecFit-Virtual Try On Woocommerce Safe to Use in 2026?

Generally Safe

Score 99/100

SpecFit-Virtual Try On Woocommerce has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVELast CVE: Jun 18, 2025Updated 7mo ago
Risk Assessment

The "try-on-for-woocommerce" plugin v8.0.3 presents a significant security risk due to its large, unprotected attack surface and a history of vulnerabilities. While the plugin demonstrates good practices in SQL query handling and a moderate level of output escaping, the presence of 14 unprotected AJAX handlers is a major concern. This, combined with a concerning number of unsanitized path taint flows, suggests potential pathways for attackers to inject malicious code or manipulate plugin functionality. The existence of a currently unpatched medium severity vulnerability, specifically Cross-site Scripting, further exacerbates the risk. This pattern of a known vulnerability, even if older, indicates a need for diligent patching and code review.

Key Concerns

  • 14 unprotected AJAX handlers
  • 6 unsanitized path taint flows
  • 1 currently unpatched medium CVE
  • 73% output escaping (implies 27% unescaped)
Vulnerabilities
1 published

SpecFit-Virtual Try On Woocommerce Security Vulnerabilities

CVEs by Year

1 CVE in 2025
2025
Patched Has unpatched

Severity Breakdown

Medium
1

1 total CVE

CVE-2025-23973medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SpecFit-Virtual Try On Woocommerce <= 10.0.21 - Reflected Cross-Site Scripting

Jun 18, 2025 Patched in 10.0.22 (366d)
Version History

SpecFit-Virtual Try On Woocommerce Release Timeline

v8.0.3Current1 CVE
v8.0.21 CVE
v8.0.11 CVE
v8.0.01 CVE
v7.0.61 CVE
v7.0.51 CVE
v7.0.41 CVE
v7.0.31 CVE
v7.0.21 CVE
v7.0.11 CVE
v6.0.451 CVE
v6.0.441 CVE
v6.0.431 CVE
v6.0.421 CVE
v6.0.411 CVE
v6.0.41 CVE
v6.0.31 CVE
v6.0.21 CVE
v6.0.11 CVE
v6.0.01 CVE
Code Analysis
Analyzed Mar 16, 2026

SpecFit-Virtual Try On Woocommerce Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
58
157 escaped
Nonce Checks
2
Capability Checks
0
File Operations
2
External Requests
2
Bundled Libraries
0

Output Escaping

73% escaped215 total outputs
Data Flows · Security
6 unsanitized

Data Flow Analysis

7 flows6 with unsanitized paths
render_meta_box_content_specfit_platinum (admin\class-eyewear_virtual_try_on_wordpress-admin.php:205)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
14 unprotected

SpecFit-Virtual Try On Woocommerce Attack Surface

Entry Points14
Unprotected14

AJAX Handlers 14

authwp_ajax_addProductColorTryOnadmin\class-eyewear_virtual_try_on_wordpress-admin.php:54
noprivwp_ajax_addProductColorTryOnadmin\class-eyewear_virtual_try_on_wordpress-admin.php:55
authwp_ajax_updateProductColorTryOnadmin\class-eyewear_virtual_try_on_wordpress-admin.php:56
noprivwp_ajax_updateProductColorTryOnadmin\class-eyewear_virtual_try_on_wordpress-admin.php:57
authwp_ajax_deleteProductColorTryOnadmin\class-eyewear_virtual_try_on_wordpress-admin.php:58
noprivwp_ajax_deleteProductColorTryOnadmin\class-eyewear_virtual_try_on_wordpress-admin.php:59
authwp_ajax_save_3d_parametersadmin\class-eyewear_virtual_try_on_wordpress-admin.php:60
authwp_ajax_load_3d_parametersadmin\class-eyewear_virtual_try_on_wordpress-admin.php:61
authwp_ajax_save_default_3d_parametersadmin\class-eyewear_virtual_try_on_wordpress-admin.php:62
authwp_ajax_load_default_3d_parametersadmin\class-eyewear_virtual_try_on_wordpress-admin.php:63
authwp_ajax_specfit_get_related_productspublic\class-eyewear_virtual_try_on_wordpress-public.php:66
noprivwp_ajax_specfit_get_related_productspublic\class-eyewear_virtual_try_on_wordpress-public.php:67
authwp_ajax_woocommerce_ajax_add_to_cartpublic\class-eyewear_virtual_try_on_wordpress-public.php:70
noprivwp_ajax_woocommerce_ajax_add_to_cartpublic\class-eyewear_virtual_try_on_wordpress-public.php:71
WordPress Hooks 13
actionadd_meta_boxesadmin\class-eyewear_virtual_try_on_wordpress-admin.php:156
actionsave_postadmin\class-eyewear_virtual_try_on_wordpress-admin.php:157
actionplugins_loadedincludes\class-eyewear_virtual_try_on_wordpress.php:142
actionadmin_enqueue_scriptsincludes\class-eyewear_virtual_try_on_wordpress.php:157
actionadmin_enqueue_scriptsincludes\class-eyewear_virtual_try_on_wordpress.php:158
actionadmin_menuincludes\class-eyewear_virtual_try_on_wordpress.php:159
actionwp_enqueue_scriptsincludes\class-eyewear_virtual_try_on_wordpress.php:174
actionwp_enqueue_scriptsincludes\class-eyewear_virtual_try_on_wordpress.php:175
actioninitincludes\class-eyewear_virtual_try_on_wordpress.php:176
actionwoocommerce_before_add_to_cart_formpublic\class-eyewear_virtual_try_on_wordpress-public.php:59
actionwoocommerce_after_shop_loop_itempublic\class-eyewear_virtual_try_on_wordpress-public.php:60
actionwp_footerpublic\class-eyewear_virtual_try_on_wordpress-public.php:61
filterscript_loader_tagpublic\class-eyewear_virtual_try_on_wordpress-public.php:63
Maintenance & Trust

SpecFit-Virtual Try On Woocommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5
Last updatedDec 7, 2025
PHP min version5.6.40
Downloads11K

Community Trust

Rating90/100
Number of ratings17
Active installs60
Developer Profile

SpecFit-Virtual Try On Woocommerce Developer Profile

dugudlabs

3 plugins · 90 total installs

72
trust score
Avg Security Score
90/100
Avg Patch Time
366 days
View full developer profile
Detection Fingerprints

How We Detect SpecFit-Virtual Try On Woocommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/eyewear_virtual_try_on_wordpress/css/eyewear_virtual_try_on_wordpress-admin.css/wp-content/plugins/eyewear_virtual_try_on_wordpress/js/eyewear_virtual_try_on_wordpress-admin.js/wp-content/plugins/eyewear_virtual_try_on_wordpress/js/load_core_function_specfit.js/wp-content/plugins/eyewear_virtual_try_on_wordpress/js/submitNewtryOnImages.js/wp-content/plugins/eyewear_virtual_try_on_wordpress/js/frame-size-manager.js/wp-content/plugins/eyewear_virtual_try_on_wordpress/js/admin-3d-viewer.js/wp-content/plugins/eyewear_virtual_try_on_wordpress/js/admin-3d-preview.js
Script Paths
https://cdn.jsdelivr.net/npm/three@0.158.0/build/three.min.js
Version Parameters
eyewear_virtual_try_on_wordpress/css/eyewear_virtual_try_on_wordpress-admin.css?ver=eyewear_virtual_try_on_wordpress/js/eyewear_virtual_try_on_wordpress-admin.js?ver=eyewear_virtual_try_on_wordpress/js/load_core_function_specfit.js?ver=eyewear_virtual_try_on_wordpress/js/submitNewtryOnImages.js?ver=eyewear_virtual_try_on_wordpress/js/frame-size-manager.js?ver=eyewear_virtual_try_on_wordpress/js/admin-3d-viewer.js?ver=eyewear_virtual_try_on_wordpress/js/admin-3d-preview.js?ver=

HTML / DOM Fingerprints

CSS Classes
specfit_admin_container
HTML Comments
<!-- Start of SpecFit Admin Settings --><!-- End of SpecFit Admin Settings -->
Data Attributes
data-specfit-product-iddata-specfit-frame-datadata-specfit-texture-url
JS Globals
SpecFitAdminSpecFitViewersubmitNewType_specfit_Ajax
REST Endpoints
/wp-json/specfit/v1/products/wp-json/specfit/v1/colors
Shortcode Output
[specfit_try_on_button][specfit_product_viewer]
FAQ

Frequently Asked Questions about SpecFit-Virtual Try On Woocommerce