PPOM – Product Addons & Custom Fields for WooCommerce Security & Risk Analysis

wordpress.org/plugins/woocommerce-product-addon

Easily add a range of custom fields to WooCommerce products, from text boxes to date selectors, allowing customers to personalize their orders.

20K active installs · v33.0.18 · PHP 7.2+ · WP 3.5+ · Updated Jan 27, 2026

Tags: product-addons, woocommerce-product, woocommerce-product-addons, woocommerce-product-fields, woocommerce-product-options

Score: 80 (B · Generally Safe)
CVEs total: 11
Unpatched: 0
Last CVE: Nov 17, 2025
Safety Verdict

Is PPOM – Product Addons & Custom Fields for WooCommerce Safe to Use in 2026?

Mostly Safe

Score 80/100

PPOM – Product Addons & Custom Fields for WooCommerce is generally safe to use. 11 past CVEs were resolved. Keep it updated.

11 known CVEs · Last CVE: Nov 17, 2025 · Updated 2mo ago
Risk Assessment

The "woocommerce-product-addon" plugin exhibits a concerning security posture, primarily due to a substantial attack surface with a high percentage of unprotected entry points. While the plugin demonstrates good practices in SQL query preparation and output escaping, the lack of authorization checks on many AJAX handlers and REST API routes creates significant vulnerabilities. Taint analysis further highlights three high-severity flows indicating potential for injection attacks, even though no critical-severity taint was found. The plugin's history of 11 known CVEs, including critical SQL injection, XSS, and authorization bypass vulnerabilities, strongly suggests a recurring pattern of exploitable weaknesses, with a recent vulnerability in late 2025 reinforcing this concern. Although the current version has no unpatched CVEs, the historical data and the static analysis findings present a picture of a plugin that, while improving in some areas, still carries significant inherent risks.

Key Concerns

  • 18 unprotected entry points (AJAX/REST)
  • 3 high severity taint flows
  • 11 CVEs historically, 3 critical
  • Recent vulnerability in 2025
  • 11 AJAX handlers without auth checks
  • 7 REST API routes without permission callbacks
  • Vulnerability history: SQLi, XSS, Injection
Vulnerabilities (11)

PPOM – Product Addons & Custom Fields for WooCommerce Security Vulnerabilities

CVEs by Year

  • 2016: 1 CVE
  • 2019: 1 CVE
  • 2022: 1 CVE
  • 2023: 2 CVEs
  • 2024: 2 CVEs
  • 2025: 4 CVEs

Severity Breakdown

  • Critical: 3
  • High: 1
  • Medium: 7

11 total CVEs

CVE-2025-66069 · medium · 4.3 · Missing Authorization
PPOM for WooCommerce <= 33.0.16 - Missing Authorization
Nov 17, 2025 · Patched in 33.0.17 (9d)

CVE-2025-11691 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated SQL Injection
Oct 17, 2025 · Patched in 33.0.16 (1d)

CVE-2025-11391 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated Arbitrary File Upload
Oct 17, 2025 · Patched in 33.0.16 (1d)

CVE-2025-24668 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
PPOM for WooCommerce <= 33.0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting
Jan 24, 2025 · Patched in 33.0.9 (5d)

CVE-2024-35728 · medium · 5.3 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
PPOM for WooCommerce <= 32.0.20 - Unauthenticated Content Injection Vulnerability
Jun 6, 2024 · Patched in 32.0.21 (7d)

CVE-2024-3962 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
Product Addons & Fields for WooCommerce <= 32.0.18 - Unauthenticated Arbitrary File Upload via ppom_upload_file
Apr 25, 2024 · Patched in 32.0.19 (1d)

CVE-2023-1839 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
PPOM for WooCommerce <= 32.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting via plugin settings
May 2, 2023 · Patched in 32.0.6 (266d)

CVE-2023-2256 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
PPOM for WooCommerce <= 32.0.6 - Reflected Cross-Site Scripting
May 1, 2023 · Patched in 32.0.7 (267d)

CVE-2021-25018 · medium · 5.4 · Missing Authorization
PPOM for WooCommerce <= 23.9 - Missing Authorization to Stored Cross-Site Scripting
Jan 17, 2022 · Patched in 24.0 (736d)

CVE-2019-14948 · medium · 5.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
PPOM for WooCommerce <= 18.3 - Authenticated Stored Cross-Site Scripting
Aug 10, 2019 · Patched in 18.4 (1627d)

WF-2b0198c8-4be8-44e0-9728-d5d2aa376796-woocommerce-product-addon · critical · 9.8 · Unrestricted Upload of File with Dangerous Type
PPOM for WooCommerce <= 1.1 - Arbitrary File Upload
Sep 19, 2016 · Patched in 2.0 (2682d)

Code Analysis
Analyzed Mar 16, 2026

PPOM – Product Addons & Custom Fields for WooCommerce Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (23 prepared)
  • Unescaped Output: 211 (1952 escaped)
  • Nonce Checks: 12
  • Capability Checks: 6
  • File Operations: 16
  • External Requests: 0
  • Bundled Libraries: 2

Bundled Libraries

Select2, DataTables

SQL Query Safety

96% prepared (24 total queries)

Output Escaping

90% escaped (2163 total outputs)

Data Flows (6 unsanitized)

Data Flow Analysis

14 flows, 6 with unsanitized paths
ppom_fields_render (classes\form.class.php:87)

Attack Surface (18 unprotected)

PPOM – Product Addons & Custom Fields for WooCommerce Attack Surface

Entry Points: 20
Unprotected: 18

AJAX Handlers 12

auth · wp_ajax_ppom_get_products · classes\admin.class.php:52
auth · wp_ajax_ppom_attach_ppoms · classes\admin.class.php:53
nopriv · wp_ajax_ppom_upload_file · classes\plugin.class.php:232
auth · wp_ajax_ppom_upload_file · classes\plugin.class.php:233
nopriv · wp_ajax_ppom_delete_file · classes\plugin.class.php:234
auth · wp_ajax_ppom_delete_file · classes\plugin.class.php:235
auth · wp_ajax_ppom_ajax_validation · classes\plugin.class.php:237
nopriv · wp_ajax_ppom_ajax_validation · classes\plugin.class.php:238
auth · wp_ajax_ppom_save_form_meta · classes\plugin.class.php:253
auth · wp_ajax_ppom_update_form_meta · classes\plugin.class.php:254
auth · wp_ajax_ppom_delete_meta · classes\plugin.class.php:255
auth · wp_ajax_ppom_delete_selected_meta · classes\plugin.class.php:256

REST API Routes 7

GET /wp-json/ppom/v1/get/product/ · inc\rest.class.php:27
GET /wp-json/ppom/v1/get/id/(?P<id>\d+) · inc\rest.class.php:38
POST /wp-json/ppom/v1/set/product/ · inc\rest.class.php:49
POST /wp-json/ppom/v1/delete/product/ · inc\rest.class.php:60
GET /wp-json/ppom/v1/get/order/ · inc\rest.class.php:73
POST /wp-json/ppom/v1/set/order/ · inc\rest.class.php:84
POST /wp-json/ppom/v1/delete/order/ · inc\rest.class.php:95

Shortcodes 1

[ppom] classes\plugin.class.php:229

WordPress Hooks 120

action · init · backend\options.php:132
action · init · backend\options.php:754
action · init · backend\settings-panel.class.php:81
action · admin_post_ppom_migrate_settings_panel · backend\settings-panel.class.php:98
action · admin_menu · backend\settings-panel.class.php:100
action · admin_enqueue_scripts · backend\settings-panel.class.php:102
filter · woocommerce_settings_tabs_array · backend\settings-panel.class.php:686
action · woocommerce_settings_tabs_ppom_settings · backend\settings-panel.class.php:687
action · init · classes\admin.class.php:39
action · admin_menu · classes\admin.class.php:41
action · init · classes\admin.class.php:49
filter · woocommerce_settings_tabs_array · classes\admin.class.php:57
action · woocommerce_settings_tabs_ppom_settings · classes\admin.class.php:59
action · woocommerce_update_options_ppom_settings · classes\admin.class.php:61
filter · woocommerce_admin_settings_sanitize_option · classes\admin.class.php:65
action · admin_head · classes\admin.class.php:67
action · woocommerce_admin_field_ppom_multi_select · classes\admin.class.php:69
action · admin_init · classes\admin.class.php:79
action · admin_init · classes\admin.class.php:80
filter · update_footer · classes\admin.class.php:195
filter · ppom_render_attach_popup · classes\admin.class.php:354
action · admin_enqueue_scripts · classes\fields.class.php:21
filter · ppom_fields_tabs_show · classes\freemium.class.php:24
filter · ppom_all_inputs · classes\freemium.class.php:25
action · wp_enqueue_scripts · classes\frontend-scripts.class.php:45
filter · woocommerce_quantity_input_classes · classes\frontend-scripts.class.php:440
filter · ppom_option_label · classes\inputs\input.measure.php:29
action · plugins_loaded · classes\integrations\elementor\elementor.class.php:24
action · elementor/init · classes\integrations\elementor\elementor.class.php:47
action · elementor/widgets/widgets_registered · classes\integrations\elementor\elementor.class.php:74
action · elementor/frontend/after_enqueue_styles · classes\integrations\elementor\elementor.class.php:80
action · admin_bar_menu · classes\plugin.class.php:44
action · woocommerce_before_add_to_cart_button · classes\plugin.class.php:48
action · woocommerce_before_add_to_cart_button · classes\plugin.class.php:50
filter · ppom_input_templates_path · classes\plugin.class.php:58
filter · woocommerce_add_to_cart_validation · classes\plugin.class.php:63
filter · woocommerce_add_cart_item_data · classes\plugin.class.php:67
filter · woocommerce_get_cart_item_from_session · classes\plugin.class.php:79
action · woocommerce_cart_calculate_fees · classes\plugin.class.php:80
filter · woocommerce_get_cart_item_from_session · classes\plugin.class.php:83
filter · woocommerce_get_cart_item_from_session · classes\plugin.class.php:89
action · woocommerce_cart_calculate_fees · classes\plugin.class.php:91
action · ppom_before_calculate_cart_total · classes\plugin.class.php:93
action · woocommerce_cart_loaded_from_session · classes\plugin.class.php:100
action · woocommerce_widget_shopping_cart_before_buttons · classes\plugin.class.php:103
filter · woocommerce_get_price_html · classes\plugin.class.php:106
filter · woocommerce_quantity_input_args · classes\plugin.class.php:111
filter · woocommerce_available_variation · classes\plugin.class.php:112
filter · woocommerce_get_item_data · classes\plugin.class.php:131
filter · woocommerce_add_to_cart_quantity · classes\plugin.class.php:134
filter · woocommerce_add_to_cart_redirect · classes\plugin.class.php:137
filter · woocommerce_cart_item_quantity · classes\plugin.class.php:141
filter · woocommerce_cart_item_quantity · classes\plugin.class.php:143
filter · woocommerce_cart_item_subtotal · classes\plugin.class.php:147
filter · woocommerce_checkout_cart_item_quantity · classes\plugin.class.php:148
filter · woocommerce_order_item_quantity_html · classes\plugin.class.php:149
filter · woocommerce_email_order_item_quantity · classes\plugin.class.php:150
filter · woocommerce_update_cart_validation · classes\plugin.class.php:160
action · woocommerce_checkout_create_order_line_item · classes\plugin.class.php:168
filter · woocommerce_order_item_display_meta_key · classes\plugin.class.php:171
filter · woocommerce_order_item_display_meta_value · classes\plugin.class.php:174
action · woocommerce_order_item_meta_end · classes\plugin.class.php:176
filter · woocommerce_display_item_meta · classes\plugin.class.php:177
filter · wpo_ips_display_item_meta_html · classes\plugin.class.php:178
filter · woocommerce_order_item_get_formatted_meta_data · classes\plugin.class.php:181
filter · woocommerce_is_attribute_in_product_name · classes\plugin.class.php:183
action · woocommerce_checkout_order_processed · classes\plugin.class.php:189
filter · ppom_field_attributes · classes\plugin.class.php:192
filter · ppom_field_setting · classes\plugin.class.php:194
filter · ppom_has_posted_field_value · classes\plugin.class.php:196
filter · nmform_attribute_value · classes\plugin.class.php:198
filter · ppom_show_option_price · classes\plugin.class.php:200
filter · ppom_meta_data_saving · classes\plugin.class.php:205
filter · ppom_input_wrapper_class · classes\plugin.class.php:208
filter · ppom_field_main_wrapper_class · classes\plugin.class.php:209
filter · ppom_input_wrapper_class · classes\plugin.class.php:212
filter · ppom_add_cart_item_data · classes\plugin.class.php:216
filter · ppom_order_display_value · classes\plugin.class.php:218
filter · ppom_option_price_operator · classes\plugin.class.php:220
filter · ppom_option_meta · classes\plugin.class.php:226
action · add_meta_boxes · classes\plugin.class.php:247
action · admin_notices · classes\plugin.class.php:250
action · woocommerce_process_product_meta · classes\plugin.class.php:261
filter · woocommerce_product_add_to_cart_url · classes\plugin.class.php:268
filter · woocommerce_product_add_to_cart_text · classes\plugin.class.php:269
filter · woocommerce_product_supports · classes\plugin.class.php:270
action · woocommerce_product_duplicate · classes\plugin.class.php:271
action · do_action_remove_images · classes\plugin.class.php:278
filter · cron_schedules · classes\plugin.class.php:280
action · admin_footer-edit.php · classes\plugin.class.php:282
action · load-edit.php · classes\plugin.class.php:284
action · admin_notices · classes\plugin.class.php:286
action · admin_post_ppom_attach · classes\plugin.class.php:289
action · template_redirect · classes\plugin.class.php:290
action · admin_post_ppom_export_meta · classes\plugin.class.php:293
filter · manage_product_posts_columns · classes\plugin.class.php:300
action · manage_product_posts_custom_column · classes\plugin.class.php:301
filter · ppom_price_matrix_post · classes\plugin.class.php:309
filter · woe_fetch_order · classes\plugin.class.php:312
filter · ppom_input_classes · classes\plugin.class.php:316
filter · woocommerce_product_data_tabs · classes\plugin.class.php:321
filter · woocommerce_product_data_panels · classes\plugin.class.php:322
filter · ppom_dom_option_id · classes\plugin.class.php:326
filter · woocommerce_order_again_cart_item_data · classes\plugin.class.php:333
filter · ppom_field_description · classes\plugin.class.php:335
filter · themeisle_sdk_blackfriday_data · inc\admin.php:870
filter · woocommerce_quantity_input_classes · inc\hooks.php:398
filter · nmform_attribute_value · inc\nmInput.class.php:32
filter · ppom_option_price_vat · inc\prices.php:1494
filter · ppom_product_price_on_cart · inc\prices.php:1535
action · rest_api_init · inc\rest.class.php:18
filter · safecss_filter_attr_allow_css · inc\validation.php:376
filter · themeisle_sdk_products · woocommerce-product-addon.php:46
action · init · woocommerce-product-addon.php:58
filter · woocommerce_product_addon_about_us_metadata · woocommerce-product-addon.php:130
filter · woocommerce_product_addon_float_widget_metadata · woocommerce-product-addon.php:136
filter · woocommerce_product_addon_welcome_metadata · woocommerce-product-addon.php:149
filter · woocommerce_product_addon_welcome_upsell_message · woocommerce-product-addon.php:157
action · woocommerce_init · woocommerce-product-addon.php:163
action · before_woocommerce_init · woocommerce-product-addon.php:165

Scheduled Events 2

do_action_remove_images
setup_styles_and_scripts_wooproduct

Maintenance & Trust

PPOM – Product Addons & Custom Fields for WooCommerce Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 27, 2026
  • PHP min version: 7.2
  • Downloads: 1.4M

Community Trust

  • Rating: 90/100
  • Number of ratings: 277
  • Active installs: 20K

Developer Profile

PPOM – Product Addons & Custom Fields for WooCommerce Developer Profile

Themeisle

37 plugins · 2.2M total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 420 days
Detection Fingerprints

How We Detect PPOM – Product Addons & Custom Fields for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/woocommerce-product-addon/js/admin/pre-load.js
  • /wp-content/plugins/woocommerce-product-addon/css/bootstrap/bootstrap.css
  • /wp-content/plugins/woocommerce-product-addon/js/bootstrap/bootstrap.min.js
  • /wp-content/plugins/woocommerce-product-addon/backend/assets/jquery-ui-accordion.js
  • /wp-content/plugins/woocommerce-product-addon/backend/assets/js/ppom-backend.js
  • /wp-content/plugins/woocommerce-product-addon/backend/assets/css/ppom-backend.css
  • /wp-content/plugins/woocommerce-product-addon/js/frontend/ppom-frontend.js
  • /wp-content/plugins/woocommerce-product-addon/css/frontend/ppom-frontend.css
  • +5 more

Script Paths

  • ../js/admin/pre-load.js
  • ../js/bootstrap/bootstrap.min.js
  • ../backend/assets/jquery-ui-accordion.js
  • ../backend/assets/js/ppom-backend.js
  • ../css/bootstrap/bootstrap.css
  • ../backend/assets/css/ppom-backend.css
  • +7 more

Version Parameters

  • woocommerce-product-addon/js/admin/pre-load.js?ver=
  • woocommerce-product-addon/css/bootstrap/bootstrap.css?ver=
  • woocommerce-product-addon/js/bootstrap/bootstrap.min.js?ver=
  • woocommerce-product-addon/backend/assets/jquery-ui-accordion.js?ver=
  • woocommerce-product-addon/backend/assets/js/ppom-backend.js?ver=
  • woocommerce-product-addon/backend/assets/css/ppom-backend.css?ver=
  • woocommerce-product-addon/js/frontend/ppom-frontend.js?ver=
  • woocommerce-product-addon/css/frontend/ppom-frontend.css?ver=
  • woocommerce-product-addon/js/frontend/quantity-input.js?ver=
  • woocommerce-product-addon/js/frontend/product-add-to-cart.js?ver=
  • woocommerce-product-addon/js/ppom-woo-variation.js?ver=
  • woocommerce-product-addon/js/ppom-woo-cart.js?ver=
  • woocommerce-product-addon/js/ppom-woo-checkout.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • ppom-input-options
  • ppom-upload-file
  • ppom-option-title
  • ppom-option-price
  • ppom-option-field
  • ppom-add-to-cart-button
  • ppom-product-addon-cart-form
  • ppom-input-wrap

HTML Comments

  • ========== Direct access not allowed ===========
  • Plugin Name: PPOM for WooCommerce
  • PPOM Fields Manager Class
  • PPOM Product Class
  • +4 more

Data Attributes

  • data-ppom-price
  • data-ppom-field-id
  • data-ppom-product-id

JS Globals

  • ppom_frontend_params
  • ppom_variation_params
  • ppom_cart_params
  • ppom_checkout_params
  • PPOM_VERSION

REST Endpoints

  • /wp-json/ppom/v1/products
  • /wp-json/ppom/v1/settings

Shortcode Output

  • [ppom_product_options]
  • [ppom_add_to_cart_button]

FAQ

Frequently Asked Questions about PPOM – Product Addons & Custom Fields for WooCommerce