Ultimate Product Catalog Security & Risk Analysis

wordpress.org/plugins/ultimate-product-catalogue

Add a product catalog to your site with blocks or shortcodes. Works with WooCommerce or standalone. Flexible and customizable, works with any theme.

5K active installs v5.3.12 PHP + WP + Updated Feb 24, 2026
Tags: catalog, catalogue, product, product-catalog, woocommerce

Score: 87 · A · Safe
CVEs total: 12
Unpatched: 0
Last CVE: Apr 10, 2024
Safety Verdict

Is Ultimate Product Catalog Safe to Use in 2026?

Generally Safe

Score 87/100

Ultimate Product Catalog has a strong security track record. Known vulnerabilities have been patched promptly.

12 known CVEs · Last CVE: Apr 10, 2024 · Updated 1mo ago
Risk Assessment

The "ultimate-product-catalogue" plugin v5.3.12 exhibits a mixed security posture. On the positive side, static analysis shows a relatively robust implementation: a significant majority of SQL queries use prepared statements, and output is properly escaped. Furthermore, all identified AJAX handlers, REST API routes, and cron events are protected by either nonce or capability checks, which indicates good security practice in the current version.

However, the plugin's vulnerability history raises significant concerns. Its past CVEs include several critical and high-severity issues, such as SQL Injection, Cross-Site Scripting, and Missing Authorization, which suggests a pattern of past security weaknesses. The 3 flows with unsanitized paths found by taint analysis, while not flagged as critical or high, warrant careful investigation, since such flows can be precursors to vulnerabilities. The plugin also exposes a large number of AJAX handlers; although all are currently protected, any oversight in a future update could expose them.

In conclusion, while the current version of "ultimate-product-catalogue" appears to have addressed many common security pitfalls by implementing checks on its entry points and using prepared statements for SQL, its past security record is a significant red flag. Users should exercise caution, prioritize keeping the plugin updated to the latest version, and be aware that vulnerabilities in common categories such as XSS and SQL Injection have appeared in this plugin before.

Key Concerns

  • History of 12 CVEs, including critical and high
  • 3 flows with unsanitized paths in taint analysis
  • 21 AJAX handlers present in attack surface

Vulnerabilities (12)

Ultimate Product Catalog Security Vulnerabilities

CVEs by Year

2014: 1 CVE
2015: 3 CVEs
2016: 1 CVE
2017: 4 CVEs
2022: 1 CVE
2023: 1 CVE
2024: 1 CVE

Severity Breakdown

Critical: 3
High: 3
Medium: 6

12 total CVEs

CVE-2024-31921 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Ultimate Product Catalogue <= 5.2.15 - Cross-Site Request Forgery via reset_settings()

Apr 10, 2024 · Patched in 5.2.16 (7d)

CVE-2023-2711 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Product Catalog <= 5.2.5 - Authenticated(Administrator+) Stored Cross-Site Scripting

Jun 5, 2023 · Patched in 5.2.6 (232d)

CVE-2021-24993 · medium · 6.5 · Cross-Site Request Forgery (CSRF)

Ultimate Product Catalog – WordPress Catalog Plugin <= 5.0.25 - Cross-Site Request Forgery

Jan 6, 2022 · Patched in 5.0.26 (747d)

Ultimate Product Catalog <= 4.2.21 - Authorization Bypass and Cross-Site Request Forgery

Oct 3, 2017 · Patched in 4.2.22 (2303d)

CVE-2017-12199 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Ultimate Product Catalog <= 4.2.22 - SQL Injection

Aug 1, 2017 · Patched in 4.2.23 (2366d)

CVE-2017-12200 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Ultimate Product Catalog <= 4.2.11 - Cross-Site Scripting

Aug 1, 2017 · Patched in 4.2.12 (2366d)

WF-cb4e3b3c-20f4-4591-af0a-539b405d675e-ultimate-product-catalogue · medium · 5.4 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Ultimate Product Catalog < 4.2.3 - Authenticated SQL Injection

Jun 27, 2017 · Patched in 4.2.3 (2401d)

Ultimate Product Catalog <= 3.8.1 - Missing Authorization to Plugin Settings Update

Jun 17, 2016 · Patched in 3.8.2 (2776d)

WF-21930a4f-2f78-42c5-8ffa-2993333db2fe-ultimate-product-catalogue · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Ultimate Product Catalogue < 3.1.3 - SQL Injection

Jun 7, 2015 · Patched in 3.1.3 (3152d)

WF-0f2e39b3-c18c-4660-b23d-00790156bc7f-ultimate-product-catalogue · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Ultimate Product Catalog < 3.1.3 - Multiple Vulnerabilities

Apr 22, 2015 · Patched in 3.1.3 (3198d)

WF-a30863c5-2e94-4952-b360-856394262023-ultimate-product-catalogue · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

Ultimate Product Catalog < 4.2.22 - Arbitrary File Upload

Apr 22, 2015 · Patched in 4.2.22 (3198d)

WF-1419f089-7656-43a1-aeee-c33eef604c84-ultimate-product-catalogue · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Ultimate Product Catalog < 2.1.1 - Authenticated (Admin+) SQL Injection

May 28, 2014 · Patched in 2.1.1 (3527d)

Code Analysis
Analyzed Mar 16, 2026

Ultimate Product Catalog Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 9 (36 prepared)
Unescaped Output: 117 (1112 escaped)
Nonce Checks: 22
Capability Checks: 17
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

80% prepared (45 total queries)

Output Escaping

90% escaped (1229 total outputs)

Data Flows (3 unsanitized)

Data Flow Analysis

9 flows, 3 with unsanitized paths

save_custom_fields (includes\AdminCustomFields.class.php:221)

Attack Surface

Ultimate Product Catalog Attack Surface

Entry Points: 28
Unprotected: 0

AJAX Handlers 21

auth · wp_ajax_ewd_upcp_send_feature_suggestion · includes\AboutUs.class.php:14
auth · wp_ajax_ewd_upcp_save_serialized_product_page · includes\AdminProductPage.class.php:20
auth · wp_ajax_ewd_upcp_record_view · includes\Ajax.class.php:14
nopriv · wp_ajax_ewd_upcp_record_view · includes\Ajax.class.php:15
auth · wp_ajax_ewd_upcp_update_catalog · includes\Ajax.class.php:17
nopriv · wp_ajax_ewd_upcp_update_catalog · includes\Ajax.class.php:18
auth · wp_ajax_ewd_upcp_clear_cart · includes\Ajax.class.php:20
nopriv · wp_ajax_ewd_upcp_clear_cart · includes\Ajax.class.php:21
auth · wp_ajax_ewd_upcp_add_to_cart · includes\Ajax.class.php:23
nopriv · wp_ajax_ewd_upcp_add_to_cart · includes\Ajax.class.php:24
auth · wp_ajax_ewd_upcp_update_product_order · includes\CustomPostTypes.class.php:54
auth · wp_ajax_ewd_upcp_update_category_order · includes\CustomPostTypes.class.php:66
auth · wp_ajax_ewd_upcp_update_tag_order · includes\CustomPostTypes.class.php:67
auth · wp_ajax_ewd_upcp_welcome_add_category · includes\InstallationWalkthrough.class.php:20
auth · wp_ajax_ewd_upcp_welcome_add_catalog · includes\InstallationWalkthrough.class.php:21
auth · wp_ajax_ewd_upcp_welcome_set_options · includes\InstallationWalkthrough.class.php:22
auth · wp_ajax_ewd_upcp_welcome_add_product · includes\InstallationWalkthrough.class.php:23
auth · wp_ajax_ewd_upcp_hide_review_ask · includes\ReviewAsk.class.php:16
auth · wp_ajax_ewd_upcp_send_feedback · includes\ReviewAsk.class.php:17
auth · wp_ajax_ewd_upcp_hide_helper_notice · ultimate-product-catalogue.php:178
auth · wp_ajax_ewd_upcp_hide_new_plugin_notice · ultimate-product-catalogue.php:179

Shortcodes 7

[product-catalog] includes\template-functions.php:49
[product-catalogue] includes\template-functions.php:50
[insert-products] includes\template-functions.php:91
[upcp-popular-products] includes\template-functions.php:113
[upcp-recent-products] includes\template-functions.php:135
[upcp-random-products] includes\template-functions.php:157
[upcp-search] includes\template-functions.php:184

WordPress Hooks 100
action · admin_menu · includes\AboutUs.class.php:16
action · admin_menu · includes\AdminCustomFields.class.php:15
action · admin_menu · includes\AdminProductPage.class.php:15
action · admin_enqueue_scripts · includes\AdminProductPage.class.php:18
action · init · includes\Blocks.class.php:14
filter · block_categories_all · includes\Blocks.class.php:16
action · current_screen · includes\Blocks.class.php:153
action · admin_init · includes\CustomPostTypes.class.php:17
action · init · includes\CustomPostTypes.class.php:18
action · add_meta_boxes · includes\CustomPostTypes.class.php:21
action · save_post · includes\CustomPostTypes.class.php:22
action · save_post · includes\CustomPostTypes.class.php:23
action · save_post · includes\CustomPostTypes.class.php:24
action · post_edit_form_tag · includes\CustomPostTypes.class.php:25
action · added_post_meta · includes\CustomPostTypes.class.php:26
action · update_post_meta · includes\CustomPostTypes.class.php:27
filter · manage_upcp_catalog_posts_columns · includes\CustomPostTypes.class.php:30
action · manage_upcp_catalog_posts_custom_column · includes\CustomPostTypes.class.php:31
filter · manage_edit-upcp-product-category_columns · includes\CustomPostTypes.class.php:34
action · manage_upcp-product-category_custom_column · includes\CustomPostTypes.class.php:35
filter · manage_edit-upcp-product-tag_columns · includes\CustomPostTypes.class.php:38
action · manage_upcp-product-tag_custom_column · includes\CustomPostTypes.class.php:39
filter · manage_upcp_product_posts_columns · includes\CustomPostTypes.class.php:42
action · manage_upcp_product_posts_custom_column · includes\CustomPostTypes.class.php:43
filter · manage_edit-upcp_product_sortable_columns · includes\CustomPostTypes.class.php:44
filter · request · includes\CustomPostTypes.class.php:45
action · quick_edit_custom_box · includes\CustomPostTypes.class.php:49
action · save_post · includes\CustomPostTypes.class.php:50
action · pre_get_posts · includes\CustomPostTypes.class.php:53
action · terms_clauses · includes\CustomPostTypes.class.php:65
filter · bulk_actions-edit-upcp_product · includes\CustomPostTypes.class.php:70
filter · handle_bulk_actions-edit-upcp_product · includes\CustomPostTypes.class.php:71
action · admin_bar_menu · includes\CustomPostTypes.class.php:74
action · admin_menu · includes\Dashboard.class.php:16
action · current_screen · includes\DeactivationSurvey.class.php:13
action · admin_enqueue_scripts · includes\DeactivationSurvey.class.php:18
action · admin_footer · includes\DeactivationSurvey.class.php:19
action · admin_footer-edit.php · includes\Export.class.php:21
action · admin_menu · includes\Export.class.php:23
action · admin_footer-edit.php · includes\Import.class.php:18
action · admin_init · includes\Import.class.php:20
action · admin_notices · includes\Import.class.php:116
action · admin_notices · includes\Import.class.php:388
action · admin_menu · includes\InstallationWalkthrough.class.php:14
action · admin_head · includes\InstallationWalkthrough.class.php:15
action · admin_init · includes\InstallationWalkthrough.class.php:16
action · admin_head · includes\InstallationWalkthrough.class.php:18
action · init · includes\Patterns.class.php:18
action · init · includes\Patterns.class.php:19
action · admin_notices · includes\ReviewAsk.class.php:14
action · admin_enqueue_scripts · includes\ReviewAsk.class.php:19
action · init · includes\SEO.class.php:14
filter · wpseo_canonical · includes\SEO.class.php:29
filter · wpseo_metadesc · includes\SEO.class.php:31
filter · wpseo_opengraph_desc · includes\SEO.class.php:32
filter · wpseo_title · includes\SEO.class.php:34
filter · wpseo_opengraph_title · includes\SEO.class.php:35
action · init · includes\Settings.class.php:29
action · init · includes\Settings.class.php:31
action · init · includes\Settings.class.php:33
action · init · includes\Settings.class.php:37
action · init · includes\Settings.class.php:42
action · init · includes\template-functions.php:210
action · shutdown · includes\template-functions.php:211
action · init · includes\template-functions.php:214
action · widgets_init · includes\Widgets.class.php:7
action · widgets_init · includes\Widgets.class.php:8
action · widgets_init · includes\Widgets.class.php:9
action · widgets_init · includes\Widgets.class.php:10
action · widgets_init · includes\Widgets.class.php:11
action · plugins_loaded · includes\WooCommerce.class.php:20
action · init · includes\WooCommerce.class.php:24
action · admin_notices · includes\WooCommerce.class.php:41
action · woocommerce_cart_emptied · includes\WooCommerce.class.php:44
action · woocommerce_before_single_product · includes\WooCommerce.class.php:46
action · edited_product_cat · includes\WooCommerce.class.php:48
action · edited_product_tag · includes\WooCommerce.class.php:49
action · woocommerce_attribute_added · includes\WooCommerce.class.php:51
action · woocommerce_attribute_updated · includes\WooCommerce.class.php:52
action · woocommerce_update_product · includes\WooCommerce.class.php:54
action · ewd_upcp_custom_fields_updated · includes\WooCommerce.class.php:59
action · ewd_upcp_product_saved · includes\WooCommerce.class.php:61
filter · init · ultimate-product-catalogue.php:153
filter · query_vars · ultimate-product-catalogue.php:154
filter · the_content · ultimate-product-catalogue.php:156
action · wp_footer · ultimate-product-catalogue.php:157
action · init · ultimate-product-catalogue.php:159
action · ewd_upcp_run_backwards_compat · ultimate-product-catalogue.php:160
action · plugins_loaded · ultimate-product-catalogue.php:162
action · admin_notices · ultimate-product-catalogue.php:164
action · admin_notices · ultimate-product-catalogue.php:165
action · admin_notices · ultimate-product-catalogue.php:166
action · admin_init · ultimate-product-catalogue.php:168
action · admin_enqueue_scripts · ultimate-product-catalogue.php:170
action · admin_enqueue_scripts · ultimate-product-catalogue.php:171
action · wp_enqueue_scripts · ultimate-product-catalogue.php:172
action · wp_head · ultimate-product-catalogue.php:173
action · wp_footer · ultimate-product-catalogue.php:174
filter · plugin_action_links · ultimate-product-catalogue.php:176
action · before_woocommerce_init · ultimate-product-catalogue.php:181

Scheduled Events 3

ewd_upcp_run_backwards_compat
ewd_upcp_run_backwards_compat
ewd_upcp_run_backwards_compat

Maintenance & Trust

Ultimate Product Catalog Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 24, 2026
PHP min version
Downloads: 1.4M

Community Trust

Rating: 90/100
Number of ratings: 232
Active installs: 5K

Developer Profile

Ultimate Product Catalog Developer Profile

Rustaurius

21 plugins · 66K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 716 days

Detection Fingerprints

How We Detect Ultimate Product Catalog

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ultimate-product-catalogue/assets/css/view.css
/wp-content/plugins/ultimate-product-catalogue/assets/css/product-view.css
/wp-content/plugins/ultimate-product-catalogue/assets/css/main.css
/wp-content/plugins/ultimate-product-catalogue/assets/css/admin.css
/wp-content/plugins/ultimate-product-catalogue/assets/css/view-product.css
/wp-content/plugins/ultimate-product-catalogue/assets/js/view.js
/wp-content/plugins/ultimate-product-catalogue/assets/js/main.js
/wp-content/plugins/ultimate-product-catalogue/assets/js/admin.js
+3 more

Script Paths
/wp-content/plugins/ultimate-product-catalogue/assets/js/view.js
/wp-content/plugins/ultimate-product-catalogue/assets/js/main.js
/wp-content/plugins/ultimate-product-catalogue/assets/js/admin.js
/wp-content/plugins/ultimate-product-catalogue/assets/js/product-view.js
/wp-content/plugins/ultimate-product-catalogue/assets/js/admin-product-page.js
/wp-content/plugins/ultimate-product-catalogue/assets/js/blocks.js

Version Parameters
ultimate-product-catalogue/assets/css/view.css?ver=
ultimate-product-catalogue/assets/css/product-view.css?ver=
ultimate-product-catalogue/assets/css/main.css?ver=
ultimate-product-catalogue/assets/css/admin.css?ver=
ultimate-product-catalogue/assets/css/view-product.css?ver=
ultimate-product-catalogue/assets/js/view.js?ver=
ultimate-product-catalogue/assets/js/main.js?ver=
ultimate-product-catalogue/assets/js/admin.js?ver=
ultimate-product-catalogue/assets/js/product-view.js?ver=
ultimate-product-catalogue/assets/js/admin-product-page.js?ver=
ultimate-product-catalogue/assets/js/blocks.js?ver=

HTML / DOM Fingerprints

CSS Classes
ewd-upcp-main-gallery-wrapper
ewd-upcp-product-gallery-title
ewd-upcp-product-gallery-description
ewd-upcp-gallery-search-form
ewd-upcp-gallery-search-input
ewd-upcp-gallery-search-button
ewd-upcp-gallery-filter-dropdown
ewd-upcp-product-gallery-grid
+19 more

HTML Comments
<!-- EWD UPCP - Main Product Gallery Start -->
<!-- EWD UPCP - Product Gallery End -->
<!-- EWD UPCP - Single Product View Start -->
<!-- EWD UPCP - Single Product View End -->
+2 more

Data Attributes
data-product-id
data-catalog-id
data-action
data-ewd-upcp-view
data-ewd-upcp-product-id
data-ewd-upcp-catalog-id
+1 more

JS Globals
ewd_upcp_ajax_url
ewd_upcp_php_js_data

REST Endpoints
/wp-json/ewd-upcp/v1/get_products
/wp-json/ewd-upcp/v1/get_product_details
/wp-json/ewd-upcp/v1/add_to_cart

Shortcode Output
[product-catalog
[product-category
[single-product

FAQ

Frequently Asked Questions about Ultimate Product Catalog