Product Addons for Woocommerce – Product Options with Custom Fields Security & Risk Analysis

wordpress.org/plugins/woo-custom-product-addons

WooCommerce Product Addons Add custom fields to your WooCommerce product page. With an easy-to-use Custom Form Builder.

30K active installs · v3.1.2 · PHP 7.2+ · WP 4.0+ · Updated Mar 10, 2026
Tags: woocommerce-custom-fields, woocommerce-custom-price-field, woocommerce-product-addons, woocommerce-product-fields, woocommerce-product-options
Score: 97 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is Product Addons for Woocommerce – Product Options with Custom Fields Safe to Use in 2026?

Generally Safe

Score 97/100

Product Addons for Woocommerce – Product Options with Custom Fields has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 17, 2026 · Updated 28d ago
Risk Assessment

The "woo-custom-product-addons" plugin version 3.1.2 exhibits a mixed security posture. While the attack surface appears to be minimal with no exposed AJAX handlers, REST API routes, shortcodes, or cron events, several code signals raise concerns. Notably, only 46% of output is properly escaped, indicating a potential for Cross-Site Scripting (XSS) vulnerabilities. The presence of two unsanitized paths in the taint analysis, even without critical or high severity, suggests potential weaknesses in input validation. Furthermore, the plugin has a history of high-severity vulnerabilities, specifically related to Code Injection, with a past vulnerability recorded on February 17, 2026. This historical pattern, coupled with the current code signals, suggests that while the attack surface is controlled, the handling of user-supplied data and the potential for code injection remain areas requiring vigilance.

Despite the lack of critical or high severity taint flows in the current version, the historical high-severity Code Injection vulnerability and the low output escaping rate are significant weaknesses. The plugin does perform some capability checks, but the complete absence of nonce checks on AJAX handlers (though there are zero AJAX handlers in this version) and the raw SQL queries are also points of concern. The plugin does not bundle external libraries, which is a positive sign. In conclusion, while the current version presents a reduced direct attack surface, the historical vulnerability and the ongoing issues with output escaping and potential unsanitized paths mean that users should exercise caution and ensure the plugin is kept updated to address any future discovered flaws.

Key Concerns

  • Significant portion of outputs not properly escaped
  • Taint analysis shows unsanitized paths
  • History of high severity code injection vulnerability
  • SQL queries not all using prepared statements
  • No nonce checks on AJAX handlers
Vulnerabilities: 1

Product Addons for Woocommerce – Product Options with Custom Fields Security Vulnerabilities

CVEs by Year

2026: 1 CVE

Severity Breakdown

High: 1 (1 total CVE)

CVE-2026-2296 · high · 7.2 · Improper Control of Generation of Code ('Code Injection')

Product Addons for Woocommerce – Product Options with Custom Fields <= 3.1.0 - Authenticated (Shop Manager+) Code Injection via Conditional Logic 'operator' Parameter

Feb 17, 2026 Patched in 3.1.1 (1d)
Version History

Product Addons for Woocommerce – Product Options with Custom Fields Release Timeline

  • v3.1.2 (Current)
  • v3.1.1
  • v3.1.0: 1 CVE
  • v3.0.19: 1 CVE
  • v3.0.18: 1 CVE
  • v3.0.16: 1 CVE
  • v3.0.15: 1 CVE
  • v3.0.14: 1 CVE
  • v3.0.13: 1 CVE
  • v3.0.11: 1 CVE
  • v3.0.10: 1 CVE
  • v3.0.9: 1 CVE
  • v3.0.8: 1 CVE
  • v3.0.6: 1 CVE
  • v3.0.5: 1 CVE
  • v3.0.4: 1 CVE
  • v3.0.3: 1 CVE
  • v3.0.2: 1 CVE
  • v3.0.1: 1 CVE
  • v3.0.0: 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Product Addons for Woocommerce – Product Options with Custom Fields Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (4 prepared)
  • Unescaped Output: 45 (38 escaped)
  • Nonce Checks: 0
  • Capability Checks: 3
  • File Operations: 2
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

80% prepared · 5 total queries

Output Escaping

46% escaped · 83 total outputs

Data Flows: 2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
this_screen (includes\backend\admin.php:276)
Attack Surface

Product Addons for Woocommerce – Product Options with Custom Fields Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 64

action · admin_menu · includes\backend\admin.php:21
action · admin_enqueue_scripts · includes\backend\admin.php:33
action · admin_enqueue_scripts · includes\backend\admin.php:34
action · current_screen · includes\backend\admin.php:35
action · save_post · includes\backend\admin.php:37
action · edited_term · includes\backend\admin.php:38
action · delete_term · includes\backend\admin.php:39
action · created_term · includes\backend\admin.php:40
action · admin_notices · includes\backend\admin.php:43
action · admin_footer · includes\backend\admin.php:50
action · admin_footer · includes\backend\admin.php:51
filter · wpml_admin_language_switcher_items · includes\backend\admin.php:175
filter · rest_request_before_callbacks · includes\backend\api.php:20
action · rest_api_init · includes\backend\api.php:22
filter · wcpa_set_default_lang · includes\backend\api.php:33
filter · woocommerce_product_data_tabs · includes\backend\product-meta.php:15
action · woocommerce_product_data_panels · includes\backend\product-meta.php:16
action · woocommerce_process_product_meta · includes\backend\product-meta.php:17
filter · manage_product_posts_columns · includes\backend\product-meta.php:23
action · manage_product_posts_custom_column · includes\backend\product-meta.php:24
filter · pre_get_posts · includes\form.php:124
filter · pre_get_posts · includes\form.php:163
action · wp_enqueue_scripts · includes\front.php:20
action · wp_enqueue_scripts · includes\front.php:21
action · admin_enqueue_scripts · includes\front.php:22
filter · woocommerce_product_add_to_cart_text · includes\front.php:24
filter · woocommerce_loop_add_to_cart_args · includes\front.php:25
filter · woocommerce_product_supports · includes\front.php:26
filter · woocommerce_product_add_to_cart_url · includes\front.php:27
filter · post_class · includes\front.php:29
filter · wc_stripe_hide_payment_request_on_product_page · includes\front.php:34
filter · wcpay_payment_request_is_product_supported · includes\front.php:36
action · woocommerce_single_product_summary · includes\front.php:39
filter · woocommerce_email_format_string · includes\front.php:43
action · wp_head · includes\front.php:269
action · init · includes\main.php:43
filter · woocommerce_locate_template · includes\main.php:44
action · woocommerce_checkout_create_order_line_item · includes\order\order.php:20
action · rfqtk_woocommerce_checkout_create_order_line_item · includes\order\order.php:27
action · woocommerce_checkout_update_order_meta · includes\order\order.php:35
action · woocommerce_store_api_checkout_update_order_meta · includes\order\order.php:37
action · woocommerce_checkout_subscription_created · includes\order\order.php:41
filter · woocommerce_order_item_display_meta_value · includes\order\order.php:45
action · woocommerce_after_order_itemmeta · includes\order\order.php:47
action · woocommerce_order_item_get_formatted_meta_data · includes\order\order.php:50
filter · woocommerce_display_item_meta · includes\order\order.php:55
filter · woocommerce_get_item_data · includes\process\cart.php:20
filter · woocommerce_cart_item_class · includes\process\cart.php:22
filter · pllwc_translate_cart_item · includes\process\cart.php:24
filter · woocommerce_add_cart_item_data · includes\process\process.php:36
filter · wcpa_add_cart_item_data · includes\process\process.php:37
filter · woocommerce_add_to_cart_validation · includes\process\process.php:38
action · rest_api_init · includes\process\process.php:39
action · wc_ajax_wcpa_ajax_add_to_cart · includes\process\process.php:41
filter · woocommerce_order_again_cart_item_data · includes\process\process.php:43
filter · pllwc_add_cart_item_data · includes\process\process.php:45
action · woocommerce_before_single_product · includes\render\render.php:34
action · woocommerce_before_add_to_cart_form · includes\render\render.php:35
action · woocommerce_before_add_to_cart_button · includes\render\render.php:36
action · wp_footer · includes\render\render.php:41
action · plugins_loaded · start.php:52
action · admin_notices · start.php:55
action · admin_notices · start.php:57
action · before_woocommerce_init · start.php:126
Maintenance & Trust

Product Addons for Woocommerce – Product Options with Custom Fields Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 10, 2026
  • PHP min version: 7.2
  • Downloads: 1.5M

Community Trust

  • Rating: 98/100
  • Number of ratings: 466
  • Active installs: 30K
Developer Profile

Product Addons for Woocommerce – Product Options with Custom Fields Developer Profile

acowebs

14 plugins · 74K total installs

  • Trust score: 92
  • Avg Security Score: 97/100
  • Avg Patch Time: 14 days
Detection Fingerprints

How We Detect Product Addons for Woocommerce – Product Options with Custom Fields

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/woo-custom-product-addons/assets/css/backend.css
  • /wp-content/plugins/woo-custom-product-addons/assets/css/frontend.css
  • /wp-content/plugins/woo-custom-product-addons/assets/js/backend.js
  • /wp-content/plugins/woo-custom-product-addons/assets/js/frontend.js
  • /wp-content/plugins/woo-custom-product-addons/assets/js/menu.js
  • /wp-content/plugins/woo-custom-product-addons/assets/js/wcpa-add-to-cart.js

Script Paths

  • https://acowebs.com/wp-content/plugins/woo-custom-product-addons/assets/js/backend.js
  • https://acowebs.com/wp-content/plugins/woo-custom-product-addons/assets/js/frontend.js
  • https://acowebs.com/wp-content/plugins/woo-custom-product-addons/assets/js/menu.js

Version Parameters

  • woo-custom-product-addons/assets/css/backend.css?ver=
  • woo-custom-product-addons/assets/css/frontend.css?ver=
  • woo-custom-product-addons/assets/js/backend.js?ver=
  • woo-custom-product-addons/assets/js/frontend.js?ver=
  • woo-custom-product-addons/assets/js/menu.js?ver=
  • woo-custom-product-addons/assets/js/wcpa-add-to-cart.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • wcpa-aco-survey-form-wrap
  • wcpa-aco-survey-form

Data Attributes

  • data-wcpa-id
  • data-product-id

JS Globals

  • wcpa_all_params
  • wcpa_plugin_url
FAQ

Frequently Asked Questions about Product Addons for Woocommerce – Product Options with Custom Fields