Verge3D Publishing and E-Commerce Security & Risk Analysis

wordpress.org/plugins/verge3d

Verge3D application publishing and e-commerce plugin for WordPress.

500 active installs · v4.11.0 · PHP 7.0+ · WP 5.0+ · Updated Nov 18, 2025
Tags: 3d, 3dweb, ecommerce, verge3d, webgl
Score: 94
A · Safe
CVEs total: 6
Unpatched: 0
Last CVE: Jun 5, 2025
Safety Verdict

Is Verge3D Publishing and E-Commerce Safe to Use in 2026?

Generally Safe

Score 94/100

Verge3D Publishing and E-Commerce has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: Jun 5, 2025 · Updated 4mo ago
Risk Assessment

The Verge3D plugin v4.11.0 presents a mixed security posture. While it demonstrates strengths such as 100% use of prepared statements for SQL queries and a high percentage of properly escaped output, significant concerns remain. The plugin has a substantial attack surface with 17 entry points, of which 10 lack authentication or capability checks, including 4 AJAX handlers and all 6 REST API routes. This widespread lack of authorization is a critical weakness. Furthermore, taint analysis reveals one critical severity flow with unsanitized paths, indicating a potential for severe vulnerabilities like Remote Code Execution if not properly handled. The vulnerability history is also concerning, with 6 known CVEs, including one high-severity vulnerability, indicating a pattern of past security issues. Although there are currently no unpatched vulnerabilities, the historical types of vulnerabilities (Missing Authorization, CSRF, XSS, Unrestricted Upload) align with the observed weaknesses in the static analysis.

Key Concerns

  • 4 AJAX handlers without auth checks
  • 6 REST API routes without permission callbacks
  • 1 critical severity taint flow
  • 11 flows with unsanitized paths
  • 1 high severity known CVE
  • 5 medium severity known CVEs
  • 4 dangerous functions used
Vulnerabilities
6

Verge3D Publishing and E-Commerce Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2025: 5 CVEs

Severity Breakdown

High: 1
Medium: 5

6 total CVEs

CVE-2025-49268 · medium · 5.3 · Missing Authorization

Verge3D <= 4.9.4 - Missing Authorization

Jun 5, 2025 · Patched in 4.9.5 (6d)

CVE-2025-48241 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Verge3D <= 4.9.3 - Reflected Cross-Site Scripting

May 29, 2025 · Patched in 4.9.4 (2d)

CVE-2025-39443 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Verge3D <= 4.9.0 - Cross-Site Request Forgery

Apr 17, 2025 · Patched in 4.9.3 (5d)

CVE-2025-30833 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Verge3D <= 4.8.2 - Cross-Site Request Forgery

Mar 27, 2025 · Patched in 4.8.3 (7d)

CVE-2025-22709 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Verge3D <= 4.8.0 - Reflected Cross-Site Scripting

Jan 15, 2025 · Patched in 4.8.1 (8d)

CVE-2023-51421 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

Verge3D <= 4.5.2 - Authenticated (Subscriber+) Arbitrary File Upload

Dec 27, 2023 · Patched in 4.5.3 (94d)

Code Analysis
Analyzed Mar 16, 2026

Verge3D Publishing and E-Commerce Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 46 (371 escaped)
Nonce Checks: 16
Capability Checks: 7
File Operations: 31
External Requests: 0
Bundled Libraries: 0

Dangerous Functions Found

  • system: system($command, $return_var); (order.php:394)
  • passthru: passthru($command, $return_var); (order.php:401)
  • exec: exec($command, $output , $return_var); (order.php:407)
  • shell_exec: $output = shell_exec($command); (order.php:412)

Output Escaping

89% escaped · 417 total outputs

Data Flows
11 unsanitized

Data Flow Analysis

15 flows · 11 with unsanitized paths
v3d_app_menu (app.php:12)
Attack Surface
10 unprotected

Verge3D Publishing and E-Commerce Attack Surface

Entry Points: 17
Unprotected: 10

AJAX Handlers 9

  • auth · wp_ajax_v3d_upload_app_file · app.php:621
  • auth · wp_ajax_v3d_cleanup_app · app.php:701
  • auth · wp_ajax_v3d_ajax_fetch_order_items · order.php:1707
  • auth · wp_ajax_v3d_ajax_fetch_product_info · order.php:1715
  • auth · wp_ajax_v3d_ajax_send_pdf · order.php:1734
  • auth · wp_ajax_v3d_payment_done · payment.php:86
  • nopriv · wp_ajax_v3d_payment_done · payment.php:87
  • auth · wp_ajax_v3d_woo_get_product_info · woo_product.php:397
  • nopriv · wp_ajax_v3d_woo_get_product_info · woo_product.php:398

REST API Routes 6

  • POST /wp-json/verge3d/v1/upload_file · file_storage.php:131
  • GET /wp-json/verge3d/v1/get_file/(?P<id>\w+) · file_storage.php:137
  • POST /wp-json/verge3d/v1/place_order · order.php:1682
  • POST /wp-json/verge3d/v2/place_order · order.php:1687
  • GET /wp-json/verge3d/v1/get_product_info/(?P<sku>.+) · product.php:457
  • POST /wp-json/verge3d/v1/send_form · send_form.php:126

Shortcodes 2

  • [verge3d] · app.php:551
  • [verge3d_order] · order.php:1624

WordPress Hooks 29

  • filter · admin_footer_text · app.php:19
  • action · init · app.php:553
  • action · admin_enqueue_scripts · app.php:618
  • action · init · download_file.php:27
  • filter · rest_pre_serve_request · file_storage.php:94
  • action · rest_api_init · file_storage.php:128
  • filter · admin_footer_text · order.php:32
  • action · init · order.php:1626
  • action · rest_api_init · order.php:1680
  • action · admin_enqueue_scripts · order.php:1756
  • filter · admin_footer_text · product.php:14
  • action · rest_api_init · product.php:455
  • action · rest_api_init · send_form.php:124
  • action · init · verge3d.php:141
  • action · admin_menu · verge3d.php:193
  • filter · admin_footer_text · verge3d.php:199
  • action · admin_init · verge3d.php:891
  • action · wp_enqueue_scripts · verge3d.php:1431
  • action · admin_enqueue_scripts · verge3d.php:1436
  • action · admin_enqueue_scripts · verge3d.php:1446
  • action · elementor/widgets/register · verge3d.php:1452
  • action · wp_enqueue_scripts · woo_product.php:16
  • filter · woocommerce_composite_script_dependencies · woo_product.php:27
  • action · plugins_loaded · woo_product.php:29
  • filter · woocommerce_product_data_tabs · woo_product.php:44
  • action · woocommerce_product_data_panels · woo_product.php:109
  • action · woocommerce_process_product_meta · woo_product.php:126
  • filter · woocommerce_single_product_image_thumbnail_html · woo_product.php:167
  • action · woocommerce_product_thumbnails · woo_product.php:200

Maintenance & Trust

Verge3D Publishing and E-Commerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 18, 2025
PHP min version: 7.0
Downloads: 26K

Community Trust

Rating: 80/100
Number of ratings: 4
Active installs: 500

Developer Profile

Verge3D Publishing and E-Commerce Developer Profile

Soft8Soft LLC

1 plugin · 500 total installs

Trust score: 90
Avg Security Score: 94/100
Avg Patch Time: 20 days
Detection Fingerprints

How We Detect Verge3D Publishing and E-Commerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/verge3d/admin/css/admin.css
  • /wp-content/plugins/verge3d/admin/js/admin.js
  • /wp-content/plugins/verge3d/public/css/verge3d.css
  • /wp-content/plugins/verge3d/public/js/verge3d.js

Script Paths

  • /wp-content/plugins/verge3d/admin/js/admin.js
  • /wp-content/plugins/verge3d/public/js/verge3d.js

Version Parameters

  • verge3d/admin/css/admin.css?ver=
  • verge3d/admin/js/admin.js?ver=
  • verge3d/public/css/verge3d.css?ver=
  • verge3d/public/js/verge3d.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • verge3d-container
  • verge3d-controls
  • verge3d-preloader

HTML Comments

  • <!-- Verge3D Application Start -->
  • <!-- Verge3D Application End -->
  • <!-- Verge3D Shortcode -->

Data Attributes

  • data-v3d-app
  • data-v3d-config

JS Globals

  • v3d_plugins_url
  • v3d_app_data
  • Verge3D

REST Endpoints

  • /wp-json/verge3d/v1/app
  • /wp-json/verge3d/v1/order
  • /wp-json/verge3d/v1/product

Shortcode Output

  • [verge3d_app]
  • [verge3d_product]

FAQ

Frequently Asked Questions about Verge3D Publishing and E-Commerce