Does WPC Product Options for WooCommerce have any unpatched vulnerabilities?

Yes — WPC Product Options for WooCommerce currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is WPC Product Options for WooCommerce compatible with WordPress 6.9.4?

According to WordPress.org data, WPC Product Options for WooCommerce 3.1.3 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is WPC Product Options for WooCommerce updated?

WPC Product Options for WooCommerce was last updated on Mar 6, 2026. Frequent updates are generally a positive security signal.

What is WPC Product Options for WooCommerce's security score?

WPC Product Options for WooCommerce has a WP-Safety security score of 76/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

WPC Product Options for WooCommerce Security & Risk Analysis

wordpress.org/plugins/wpc-product-options

WPC Product Options brings about the power of adjusting prices with highly customizable additional fields for products.

4K active installs v3.1.3 PHP + WP 4.0+ Updated Mar 6, 2026

optionsproduct-addonsproduct-optionswoocommercewpc

B · Generally Safe

CVEs total1

Unpatched1

Last CVEMay 16, 2025

Plugin page Download

Safety Verdict

Is WPC Product Options for WooCommerce Safe to Use in 2026?

Mostly Safe

Score 76/100

WPC Product Options for WooCommerce is generally safe to use. 1 past CVE were resolved. Keep it updated.

1 known CVE 1 unpatched Last CVE: May 16, 2025Updated 28d ago

Risk Assessment

The "wpc-product-options" plugin v3.1.3 exhibits a mixed security posture. On the positive side, the static analysis reveals a robust use of prepared statements for SQL queries, strong output escaping percentages, and a considerable number of nonce and capability checks for its entry points. This suggests a generally good development practice for protecting against common web vulnerabilities. However, the presence of the `unserialize` function, even without detected unsanitized taint flows, introduces a potential risk of deserialization vulnerabilities if user-supplied data is ever passed to it without rigorous sanitization. The plugin's vulnerability history is a significant concern, with one high-severity CVE related to Remote File Inclusion that is currently unpatched. This indicates a recurring pattern of exploitable flaws in the plugin, requiring immediate attention.

The overall risk is elevated due to the unpatched RFI vulnerability. While the code analysis shows good practices in many areas, the single, high-severity, unpatched vulnerability in the history overshadows these strengths. The potential for deserialization vulnerabilities, though not actively demonstrated in taint analysis, warrants caution. The attack surface is well-protected by authentication and permission checks, which is a strong positive. The main weakness lies in the historical and current exploitable state of the plugin.

Key Concerns

Unpatched high severity CVE
Presence of unserialize function

Vulnerabilities

WPC Product Options for WooCommerce Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

High

1 total CVE

CVE-2025-60248high · 7.5Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

WPC Product Options for WooCommerce <= 1.8.6 - Authenticated (Subscriber+) Local File Inclusion

May 16, 2025Unpatched

Code Analysis

Analyzed Mar 16, 2026

WPC Product Options for WooCommerce Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

1384 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$plugins = unserialize( $response['body'] );includes\dashboard\wpc-dashboard.php:111

unserialize$plugins = unserialize( $response['body'] );includes\dashboard\wpc-dashboard.php:189

unserialize$plugins = unserialize( $response['body'] );includes\kit\wpc-kit.php:98

Output Escaping

96% escaped1436 total outputs

Data Flows

All sanitized

Data Flow Analysis

3 flows

ajax_export (includes\dashboard\wpc-dashboard.php:225)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

WPC Product Options for WooCommerce Attack Surface

Entry Points11

Unprotected0

AJAX Handlers 10

authwp_ajax_wpcpo_search_termincludes\class-backend.php:37

authwp_ajax_wpcpo_add_fieldincludes\class-backend.php:38

authwp_ajax_wpcpo_add_optionincludes\class-backend.php:39

authwp_ajax_wpcpo_add_dimensionincludes\class-backend.php:40

authwp_ajax_wpcpo_add_conditionincludes\class-backend.php:41

authwp_ajax_wpc_get_pluginsincludes\dashboard\wpc-dashboard.php:19

authwp_ajax_wpc_get_suggestionincludes\dashboard\wpc-dashboard.php:20

authwp_ajax_wpc_exportincludes\dashboard\wpc-dashboard.php:21

authwp_ajax_wpc_importincludes\dashboard\wpc-dashboard.php:22

authwp_ajax_wpc_get_essential_kitincludes\kit\wpc-kit.php:22

Shortcodes 1

[wpcpo] includes\class-frontend.php:44

WordPress Hooks 45

actioninitincludes\class-backend.php:24

actionadmin_enqueue_scriptsincludes\class-backend.php:25

actionadmin_initincludes\class-backend.php:26

actionadmin_menuincludes\class-backend.php:27

filterplugin_action_linksincludes\class-backend.php:28

filterplugin_row_metaincludes\class-backend.php:29

actionadd_meta_boxesincludes\class-backend.php:31

actionsave_post_wpc_product_optionincludes\class-backend.php:32

filtermanage_edit-wpc_product_option_columnsincludes\class-backend.php:33

actionmanage_wpc_product_option_posts_custom_columnincludes\class-backend.php:34

filterwoocommerce_product_data_tabsincludes\class-backend.php:44

actionwoocommerce_product_data_panelsincludes\class-backend.php:45

actionwoocommerce_process_product_metaincludes\class-backend.php:46

filterwpcsm_locationsincludes\class-backend.php:49

actionwpincludes\class-cart.php:17

filterwoocommerce_get_cart_item_from_sessionincludes\class-cart.php:20

filterwoocommerce_add_to_cart_validationincludes\class-cart.php:23

filterwoocommerce_add_cart_item_dataincludes\class-cart.php:26

filterwoocommerce_get_item_dataincludes\class-cart.php:29

actionwoocommerce_checkout_create_order_line_itemincludes\class-cart.php:32

actionwoocommerce_order_item_meta_startincludes\class-cart.php:33

actionwoocommerce_before_order_itemmetaincludes\class-cart.php:36

actionwoocommerce_before_mini_cart_contentsincludes\class-cart.php:39

actionwoocommerce_before_calculate_totalsincludes\class-cart.php:40

filterwoocommerce_cart_item_priceincludes\class-cart.php:43

filterwoocommerce_cart_item_subtotalincludes\class-cart.php:44

filterwoocommerce_cart_item_permalinkincludes\class-cart.php:47

filterupload_dirincludes\class-cart.php:302

actioninitincludes\class-frontend.php:19

actionwp_enqueue_scriptsincludes\class-frontend.php:20

filterwoocommerce_loop_add_to_cart_linkincludes\class-frontend.php:21

filterwoocommerce_quantity_input_argsincludes\class-frontend.php:22

actionwoocommerce_before_add_to_cart_buttonincludes\class-frontend.php:52

actionwoocommerce_before_variations_formincludes\class-frontend.php:56

actionwoocommerce_after_add_to_cart_buttonincludes\class-frontend.php:60

actionwoocommerce_after_variations_formincludes\class-frontend.php:64

actionwoocommerce_single_variationincludes\class-frontend.php:410

actionwoocommerce_single_variationincludes\class-frontend.php:418

actionadmin_enqueue_scriptsincludes\dashboard\wpc-dashboard.php:17

actionadmin_menuincludes\dashboard\wpc-dashboard.php:18

actionbefore_woocommerce_initincludes\hpos.php:7

actionadmin_enqueue_scriptsincludes\kit\wpc-kit.php:20

actionadmin_menuincludes\kit\wpc-kit.php:21

actionplugins_loadedwpc-product-options.php:34

actionadmin_noticeswpc-product-options.php:38

Maintenance & Trust

WPC Product Options for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 6, 2026

PHP min version

Downloads91K

Community Trust

Rating82/100

Number of ratings10

Active installs4K

Alternatives

WPC Product Options for WooCommerce Alternatives

Advanced Product Fields (Product Addons) for WooCommerce

advanced-product-fields-for-woocommerce

Add options (addons) to your WooCommerce products so your customers can personalize their products. Product forms for everyone!

50K 1 CVE

Product Addons for Woocommerce – Product Options with Custom Fields

woo-custom-product-addons

WooCommerce Product Addons Add custom fields to your WooCommerce product page. With an easy-to-use Custom Form Builder.

30K 1 CVE

Extra Product Options For WooCommerce | Custom Product Addons and Fields

woo-extra-product-options

100

WooCommerce Extra Product Options plugin lets you add product addons (custom products field) of 20 different field types to your product page.

30K No CVEs

PPOM – Product Addons & Custom Fields for WooCommerce

woocommerce-product-addon

Easily add a range of custom fields to WooCommerce products, from text boxes to date selectors, allowing customers to personalize their orders.

20K 11 CVEs

YITH WooCommerce Product Add-Ons

yith-woocommerce-product-add-ons

Increase average order value by letting your customers purchase additional options on your products.

20K 7 CVEs

Developer Profile

WPC Product Options for WooCommerce Developer Profile

WPClever

71 plugins · 441K total installs

trust score

Avg Security Score

99/100

Avg Patch Time

68 days

View full developer profile

Detection Fingerprints

How We Detect WPC Product Options for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/wpc-product-options/assets/css/backend.css/wp-content/plugins/wpc-product-options/assets/css/frontend.css/wp-content/plugins/wpc-product-options/assets/js/backend.js/wp-content/plugins/wpc-product-options/assets/js/frontend.js/wp-content/plugins/wpc-product-options/assets/js/wpclever-core.js/wp-content/plugins/wpc-product-options/assets/css/wpc-dashboard.css/wp-content/plugins/wpc-product-options/assets/js/wpc-dashboard.js/wp-content/plugins/wpc-product-options/assets/css/wpc-kit.css+1 more

Version Parameters

/wp-content/plugins/wpc-product-options/assets/css/backend.css?ver=/wp-content/plugins/wpc-product-options/assets/css/frontend.css?ver=/wp-content/plugins/wpc-product-options/assets/js/backend.js?ver=/wp-content/plugins/wpc-product-options/assets/js/frontend.js?ver=/wp-content/plugins/wpc-product-options/assets/js/wpclever-core.js?ver=/wp-content/plugins/wpc-product-options/assets/css/wpc-dashboard.css?ver=/wp-content/plugins/wpc-product-options/assets/js/wpc-dashboard.js?ver=/wp-content/plugins/wpc-product-options/assets/css/wpc-kit.css?ver=/wp-content/plugins/wpc-product-options/assets/js/wpc-kit.js?ver=

HTML / DOM Fingerprints

CSS Classes

wpcpo-frontendwpc-product-optionswpcpo_formwpcpo-backendwpc-dashboard-wrapwpc-kit-wrap

HTML Comments

Data Attributes

data-wpcpo-iddata-wpcpo-product-iddata-wpcpo-field-id

JS Globals

WPCProductOptionsFrontendWPCProductOptionsBackendWPCleverDashboardWPCCore

REST Endpoints

/wp-json/wpcpo/v1/get_product_options/wp-json/wpcpo/v1/save_product_options

Shortcode Output

[wpc_product_options]

FAQ