Extra Product Options For WooCommerce | Custom Product Addons and Fields Security & Risk Analysis

wordpress.org/plugins/woo-extra-product-options

WooCommerce Extra Product Options plugin lets you add product addons (custom products field) of 20 different field types to your product page.

30K active installs · v3.3.4 · PHP 5.6+ · WP 4.9+ · Updated Jan 1, 2026
Tags: extra-product-options, product-addons, product-options, woocommerce-product-addons, woocommerce-product-fields
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Extra Product Options For WooCommerce | Custom Product Addons and Fields Safe to Use in 2026?

Generally Safe

Score 100/100

Extra Product Options For WooCommerce | Custom Product Addons and Fields has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 3mo ago
Risk Assessment

The plugin "woo-extra-product-options" v3.3.4 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and performing a significant number of nonce and capability checks. There is also no history of known vulnerabilities, which suggests a general level of diligence in its development. However, there are notable areas of concern that elevate the risk profile.

The primary risks stem from the attack surface. The plugin exposes four AJAX handlers, with two of them lacking authentication checks. This creates direct entry points for unauthenticated users to interact with the plugin's functionality. Furthermore, the presence of the `unserialize` function (one call, at admin\class-thwepof-admin-settings-advanced.php:286, made with `['allowed_classes' => false]`), while not immediately exploitable without a specific context or flow, is a known dangerous function that can lead to remote code execution if user-supplied data is passed to it without proper sanitization. The taint analysis, while reporting no critical or high severity flows, does indicate two flows with unsanitized paths, which, combined with the `unserialize` function, warrants further investigation.

In conclusion, while the plugin has a clean vulnerability history and uses prepared statements, the unprotected AJAX handlers and the presence of `unserialize` with unsanitized paths present significant security weaknesses. These factors, when combined, create a moderate to high risk for potential exploitation. The absence of CVEs is a positive indicator, but it does not negate the identified weaknesses in the current version's code.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function unserialize found
  • Flows with unsanitized paths
  • Low percentage of properly escaped output
Vulnerabilities
None known

Extra Product Options For WooCommerce | Custom Product Addons and Fields Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Extra Product Options For WooCommerce | Custom Product Addons and Fields Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 113 (221 escaped)
Nonce Checks: 14
Capability Checks: 15
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

unserialize
    $settings = unserialize($base64_decoded, ['allowed_classes' => false]);
    admin\class-thwepof-admin-settings-advanced.php:286

Output Escaping

66% escaped · 334 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
render_content (admin\class-thwepof-admin-settings-general.php:194)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
2 unprotected

Extra Product Options For WooCommerce | Custom Product Addons and Fields Attack Surface

Entry Points: 4
Unprotected: 2

AJAX Handlers: 4

  • auth · wp_ajax_hide_thwepo_admin_notice · includes\class-thwepof.php:115
  • auth · wp_ajax_thwepo_deactivation_reason · includes\class-thwepof.php:118
  • auth · wp_ajax_thwepof_load_products · includes\class-thwepof.php:146
  • nopriv · wp_ajax_thwepof_load_products · includes\class-thwepof.php:147

WordPress Hooks: 35

  • filter · woocommerce_attribute_label · admin\class-thwepof-admin-settings-general.php:28
  • filter · thwepof_load_products_cat · admin\class-thwepof-admin-settings-general.php:31
  • action · admin_init · admin\class-thwepof-admin-settings.php:39
  • action · admin_notices · admin\class-thwepof-admin-settings.php:40
  • action · admin_head · admin\class-thwepof-admin-settings.php:41
  • filter · woocommerce_order_item_get_formatted_meta_data · includes\class-thwepof-data.php:30
  • action · admin_menu · includes\class-thwepof.php:106
  • filter · woocommerce_screen_ids · includes\class-thwepof.php:107
  • action · upgrader_process_complete · includes\class-thwepof.php:109
  • action · admin_footer · includes\class-thwepof.php:113
  • action · admin_footer · includes\class-thwepof.php:114
  • action · admin_footer · includes\class-thwepof.php:116
  • action · admin_footer-plugins.php · includes\class-thwepof.php:117
  • action · admin_init · includes\class-thwepof.php:154
  • action · admin_enqueue_scripts · includes\class-thwepof.php:200
  • action · admin_menu · includes\themehigh_dashboard\class-themehigh-admin-menu.php:60
  • action · admin_menu · includes\themehigh_dashboard\class-themehigh-admin-menu.php:61
  • action · admin_footer · includes\themehigh_dashboard\class-themehigh-admin-menu.php:234
  • action · wp_enqueue_scripts · public\class-thwepof-public.php:65
  • filter · woocommerce_loop_add_to_cart_link · public\class-thwepof-public.php:68
  • filter · woocommerce_loop_add_to_cart_link · public\class-thwepof-public.php:70
  • filter · woocommerce_loop_add_to_cart_args · public\class-thwepof-public.php:72
  • filter · woocommerce_product_add_to_cart_url · public\class-thwepof-public.php:73
  • filter · woocommerce_product_add_to_cart_text · public\class-thwepof-public.php:74
  • filter · woocommerce_add_to_cart_validation · public\class-thwepof-public.php:80
  • filter · woocommerce_add_cart_item_data · public\class-thwepof-public.php:81
  • filter · woocommerce_get_item_data · public\class-thwepof-public.php:82
  • action · woocommerce_new_order_item · public\class-thwepof-public.php:85
  • action · woocommerce_add_order_item_meta · public\class-thwepof-public.php:87
  • filter · woocommerce_order_item_get_formatted_meta_data · public\class-thwepof-public.php:92
  • filter · woocommerce_order_again_cart_item_data · public\class-thwepof-public.php:94
  • filter · fusion_woo_component_content · public\class-thwepof-public.php:122
  • action · elementor/widget/before_render_content · public\class-thwepof-public.php:127
  • action · init · woo-extra-product-options.php:34
  • action · before_woocommerce_init · woo-extra-product-options.php:71
Maintenance & Trust

Extra Product Options For WooCommerce | Custom Product Addons and Fields Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 1, 2026
PHP min version: 5.6
Downloads: 1.1M

Community Trust

Rating: 98/100
Number of ratings: 215
Active installs: 30K
Developer Profile

Extra Product Options For WooCommerce | Custom Product Addons and Fields Developer Profile

ThemeHigh

16 plugins · 579K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 245 days
Detection Fingerprints

How We Detect Extra Product Options For WooCommerce | Custom Product Addons and Fields

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/woo-extra-product-options/admin/css/thwepof-admin-form-section.css
  • /wp-content/plugins/woo-extra-product-options/admin/css/thwepof-admin-form-field.css
  • /wp-content/plugins/woo-extra-product-options/admin/css/thwepof-admin-settings.css
  • /wp-content/plugins/woo-extra-product-options/admin/css/thwepof-admin-settings-general.css
  • /wp-content/plugins/woo-extra-product-options/admin/css/thwepof-admin-settings-advanced.css
  • /wp-content/plugins/woo-extra-product-options/admin/css/thwepof-admin-settings-pro.css
  • /wp-content/plugins/woo-extra-product-options/admin/js/thwepof-admin-form-section.js
  • /wp-content/plugins/woo-extra-product-options/admin/js/thwepof-admin-form-field.js
  • +11 more

Script Paths

  • /wp-content/plugins/woo-extra-product-options/admin/js/thwepof-admin-form-section.js
  • /wp-content/plugins/woo-extra-product-options/admin/js/thwepof-admin-form-field.js
  • /wp-content/plugins/woo-extra-product-options/admin/js/thwepof-admin-settings.js
  • /wp-content/plugins/woo-extra-product-options/admin/js/thwepof-admin-settings-general.js
  • /wp-content/plugins/woo-extra-product-options/admin/js/thwepof-admin-settings-advanced.js
  • /wp-content/plugins/woo-extra-product-options/public/js/thwepof-public.js
  • +4 more

Version Parameters

  • woo-extra-product-options/woo-extra-product-options.php?ver=
  • woo-extra-product-options/admin/css/thwepof-admin-form-section.css?ver=
  • woo-extra-product-options/admin/css/thwepof-admin-form-field.css?ver=
  • woo-extra-product-options/admin/css/thwepof-admin-settings.css?ver=
  • woo-extra-product-options/admin/css/thwepof-admin-settings-general.css?ver=
  • woo-extra-product-options/admin/css/thwepof-admin-settings-advanced.css?ver=
  • woo-extra-product-options/admin/css/thwepof-admin-settings-pro.css?ver=
  • woo-extra-product-options/admin/js/thwepof-admin-form-section.js?ver=
  • woo-extra-product-options/admin/js/thwepof-admin-form-field.js?ver=
  • woo-extra-product-options/admin/js/thwepof-admin-settings.js?ver=
  • woo-extra-product-options/admin/js/thwepof-admin-settings-general.js?ver=
  • woo-extra-product-options/admin/js/thwepof-admin-settings-advanced.js?ver=
  • woo-extra-product-options/public/css/thwepof-public.css?ver=
  • woo-extra-product-options/public/js/thwepof-public.js?ver=
  • woo-extra-product-options/assets/css/datepicker.css?ver=
  • woo-extra-product-options/assets/css/colorpicker.css?ver=
  • woo-extra-product-options/assets/js/datepicker.js?ver=
  • woo-extra-product-options/assets/js/colorpicker.js?ver=
  • woo-extra-product-options/assets/js/thwepof-frontend.js?ver=
  • woo-extra-product-options/assets/js/validation.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • thwepof-admin-form-field
  • thwepof-admin-form-section
  • thwepof-admin-settings
  • thwepof-frontend-field
  • thwepof-frontend-section

HTML Comments

  • <!-- Start ThemeHigh Extra Product Options -->
  • <!-- End ThemeHigh Extra Product Options -->
  • <!-- ThemeHigh Addon -->
  • <!-- ThemeHigh Admin Notice -->
  • +1 more

Data Attributes

  • data-thwepof-field-type
  • data-thwepof-section-id
  • data-thwepof-field-id

JS Globals

  • THWEPOF_DATA
  • THWEPOF_FRONTEND
  • THWEPOF_VALIDATION