Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools Security & Risk Analysis

wordpress.org/plugins/woocommerce-store-toolkit

A huge set of Quick Enhancements and Handy Tools for WooCommerce – the ultimate WooCommerce booster!

8K active installs · v2.4.4 · PHP + WP 5.4+ · Updated Nov 19, 2025
Tags: delete-orders, store-toolkit, woocommerce-booster, woocommerce-extensions, woocommerce-tools
Score: 93 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jul 15, 2025
Safety Verdict

Is Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools Safe to Use in 2026?

Generally Safe

Score 93/100

Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Jul 15, 2025 · Updated 6mo ago
Risk Assessment

The "woocommerce-store-toolkit" plugin v2.4.4 presents a mixed security posture. While the static analysis shows no unprotected entry points and a relatively good percentage of prepared SQL queries and properly escaped outputs, there are significant historical concerns and some code signals that warrant attention. The plugin has a history of four known CVEs, with three high-severity and one medium-severity, all of which are currently patched. However, the nature of these past vulnerabilities (PHP Remote File Inclusion, Cross-site Scripting, Improper Privilege Management, and Missing Authorization) indicates a pattern of potential weaknesses in input sanitization, authorization checks, and file handling.

The static analysis reveals four AJAX handlers, none of which is flagged as unprotected, which is a positive sign for the current version. However, the taint analysis reports four "flows with unsanitized paths", and even though none is classified as critical or high severity in this version, that is a red flag. It suggests that while critical vulnerabilities might not be present now, the underlying patterns for path manipulation or insecure file operations could still exist and become exploitable if combined with other factors or if future code changes introduce new vulnerabilities. The single file operation identified also warrants careful review to ensure it is handled securely.

Overall, the plugin has made improvements by patching past vulnerabilities and implementing some good security practices like nonce and capability checks. However, the historical pattern of critical and high-severity vulnerabilities, coupled with the taint analysis indicating unsanitized paths, suggests that ongoing vigilance and thorough security testing are crucial. The strength lies in its current lack of exposed critical issues and good adherence to prepared statements and output escaping. The weakness lies in its historical track record and the presence of unsanitized path flows, which could be a latent risk.

Key Concerns

  • High-severity vulnerabilities in history (3)
  • Medium-severity vulnerabilities in history (1)
  • Flows with unsanitized paths (4)
  • File operations present (1)
Vulnerabilities
4 published

Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools Security Vulnerabilities

CVEs by Year

  • 2016: 2 CVEs
  • 2022: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • High: 3
  • Medium: 1

4 total CVEs

CVE-2025-60204 · high · 8.1 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WooCommerce Store Toolkit <= 2.4.3 - Unauthenticated Local File Inclusion

Jul 15, 2025 Patched in 2.4.4 (129d)

CVE-2021-25077 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Store Toolkit for WooCommerce <= 2.3.1 - Reflected Cross-Site Scripting

Jan 10, 2022 Patched in 2.3.2 (743d)

CVE-2016-10923 · high · 8.8 · Improper Privilege Management

Store Toolkit for WooCommerce <= 1.5.7 - Privilege Escalation

Feb 10, 2016 Patched in 1.5.8 (2904d)

CVE-2016-10922 · high · 8.8 · Missing Authorization

Store Toolkit for WooCommerce <= 1.5.6 - Missing Authorization

Feb 8, 2016 Patched in 1.5.7 (2906d)
Version History

Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools Release Timeline

Code Analysis
Analyzed Mar 16, 2026

Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 16 (35 prepared)
  • Unescaped Output: 154 (499 escaped)
  • Nonce Checks: 17
  • Capability Checks: 16
  • File Operations: 1
  • External Requests: 0
  • Bundled Libraries: 0

SQL Query Safety

69% prepared · 51 total queries

Output Escaping

76% escaped · 653 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

4 flows · 4 with unsanitized paths
<admin> (includes\admin.php:0)
Attack Surface

Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers: 4

  • auth · wp_ajax_woo_st_empty_cart · includes\functions.php:936
  • nopriv · wp_ajax_woo_st_empty_cart · includes\functions.php:937
  • auth · wp_ajax_wst_install_activate_plugin · includes\plugin-installer.php:48
  • auth · wp_ajax_woo_st_save_quick_enhancement · store-toolkit.php:491

WordPress Hooks: 56

  • action · wp_dashboard_setup · includes\admin\dashboard.php:25
  • filter · wc_memberships_allowed_meta_box_ids · includes\admin\meta_box.php:131
  • action · admin_notices · includes\admin.php:28
  • filter · plugin_action_links · includes\admin.php:98
  • action · admin_enqueue_scripts · includes\admin.php:134
  • filter · post_row_actions · includes\admin.php:178
  • filter · page_row_actions · includes\admin.php:179
  • action · admin_action_permanent_delete_product · includes\admin.php:214
  • action · admin_footer-edit.php · includes\admin.php:248
  • action · load-edit.php · includes\admin.php:294
  • action · woocommerce_order_list_table_restrict_manage_orders · includes\admin.php:309
  • action · restrict_manage_posts · includes\admin.php:323
  • filter · request · includes\admin.php:447
  • filter · woocommerce_shop_order_list_table_prepare_items_query_args · includes\admin.php:496
  • filter · woocommerce_register_post_type_product_variation · includes\admin.php:882
  • action · woocommerce_register_post_type · includes\admin.php:885
  • action · woocommerce_system_status_report · includes\admin.php:959
  • action · woocommerce_product_options_inventory_product_data · includes\class-woo-st-unit-pricing.php:25
  • action · woocommerce_process_product_meta · includes\class-woo-st-unit-pricing.php:26
  • action · woocommerce_product_after_variable_attributes · includes\class-woo-st-unit-pricing.php:27
  • action · woocommerce_save_product_variation · includes\class-woo-st-unit-pricing.php:28
  • action · woocommerce_ajax_save_product_variation · includes\class-woo-st-unit-pricing.php:29
  • filter · woocommerce_get_price_html · includes\class-woo-st-unit-pricing.php:33
  • filter · woocommerce_available_variation · includes\class-woo-st-unit-pricing.php:34
  • filter · woocommerce_variation_price_html · includes\class-woo-st-unit-pricing.php:35
  • action · wp_head · includes\class-woo-st-unit-pricing.php:36
  • action · admin_menu · includes\functions.php:47
  • filter · woocommerce_admin_order_preview_get_order_details · includes\functions.php:918
  • filter · woocommerce_product_single_add_to_cart_text · includes\functions.php:982
  • filter · woocommerce_product_add_to_cart_text · includes\functions.php:983
  • action · woocommerce_cart_coupon · includes\functions.php:997
  • action · init · includes\functions.php:1007
  • filter · woocommerce_order_button_text · includes\functions.php:1026
  • action · init · includes\functions.php:1047
  • action · wp_enqueue_scripts · includes\functions.php:1084
  • filter · loop_shop_per_page · includes\functions.php:1100
  • action · before_delete_post · includes\functions.php:2832
  • action · init · store-toolkit.php:57
  • action · init · store-toolkit.php:65
  • action · before_woocommerce_init · store-toolkit.php:77
  • action · show_user_profile · store-toolkit.php:370
  • action · edit_user_profile · store-toolkit.php:371
  • action · show_user_profile · store-toolkit.php:372
  • action · edit_user_profile · store-toolkit.php:373
  • action · add_meta_boxes · store-toolkit.php:375
  • filter · manage_users_columns · store-toolkit.php:377
  • filter · manage_users_custom_column · store-toolkit.php:378
  • filter · admin_footer_text · store-toolkit.php:379
  • filter · manage_edit-shop_order_columns · store-toolkit.php:382
  • action · manage_shop_order_posts_custom_column · store-toolkit.php:383
  • filter · woocommerce_shop_order_list_table_columns · store-toolkit.php:385
  • action · manage_woocommerce_page_wc-orders_custom_column · store-toolkit.php:386
  • action · admin_init · store-toolkit.php:402
  • action · init · store-toolkit.php:549
  • action · woocommerce_checkout_order_processed · store-toolkit.php:558
  • action · init · store-toolkit.php:561

Maintenance & Trust

Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Nov 19, 2025
  • PHP min version
  • Downloads: 342K

Community Trust

  • Rating: 96/100
  • Number of ratings: 44
  • Active installs: 8K

Developer Profile

Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools Developer Profile

Josh Kohlbach

9 plugins · 141K total installs

  • Trust score: 74
  • Avg Security Score: 93/100
  • Avg Patch Time: 744 days
Detection Fingerprints

How We Detect Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/woocommerce-store-toolkit/assets/css/woo-st-admin.css
  • /wp-content/plugins/woocommerce-store-toolkit/assets/css/woo-st-public.css
  • /wp-content/plugins/woocommerce-store-toolkit/assets/js/woo-st-admin.js
  • /wp-content/plugins/woocommerce-store-toolkit/assets/js/woo-st-public.js

Script Paths

  • /wp-content/plugins/woocommerce-store-toolkit/assets/js/woo-st-admin.js
  • /wp-content/plugins/woocommerce-store-toolkit/assets/js/woo-st-public.js

Version Parameters

  • woocommerce-store-toolkit/assets/css/woo-st-admin.css?ver=
  • woocommerce-store-toolkit/assets/css/woo-st-public.css?ver=
  • woocommerce-store-toolkit/assets/js/woo-st-admin.js?ver=
  • woocommerce-store-toolkit/assets/js/woo-st-public.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • woo-st-admin-panel
  • woo-st-admin-header
  • woo-st-admin-content
  • woo-st-admin-footer
  • woo-st-nuke-form
  • woo-st-dataset-option
  • woo-st-dataset-checkbox
  • woo-st-dataset-label
  • (+4 more)

HTML Comments

  • <!-- Start of: WordPress Administration -->
  • <!-- Admin-specific initialization here. -->
  • <!-- Start of: WooCommerce Admin Page -->
  • <!-- Settings Page -->
  • (+20 more)

Data Attributes

  • data-woo-st-action
  • data-woo-st-dataset
  • data-woo-st-nonce
  • data-woo-st-id
  • data-woo-st-type
  • data-woo-st-field

JS Globals

  • woo_st_admin_params
  • woo_st_public_params
  • woo_st_ajax_url

REST Endpoints

  • /wp-json/woo-st/v1/settings
  • /wp-json/woo-st/v1/nuke

FAQ

Frequently Asked Questions about Store Toolkit – WooCommerce Extensions, Quick Enhancements & Handy Tools