XML for Google Merchant Center Security & Risk Analysis

wordpress.org/plugins/xml-for-google-merchant-center

Creates an XML feed that allows merchants to easily display their products across Google’s network.

4K active installs · v4.0.10 · PHP 7.4.0+ · WP 5.9+ · Updated Jan 12, 2026
Tags: export, google, product-feed, woocommerce, xml
Score: 99 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Jan 21, 2025
Safety Verdict

Is XML for Google Merchant Center Safe to Use in 2026?

Generally Safe

Score 99/100

XML for Google Merchant Center has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Jan 21, 2025 · Updated 2mo ago
Risk Assessment

The "xml-for-google-merchant-center" plugin v4.0.10 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices in several areas. It exclusively uses prepared statements for SQL queries, has a very high percentage of properly escaped output, and implements a reasonable number of nonce and capability checks. The absence of critical or high-severity taint flows is also encouraging, suggesting that the plugin developers are mindful of common injection vulnerabilities. Furthermore, the vulnerability history shows that all previously known CVEs are patched, which is a significant strength.

However, there are notable concerns. The plugin has a single unprotected AJAX handler, creating a direct entry point that could be exploited if not properly secured by other means. While the static analysis shows no dangerous functions directly, the presence of unprotected entry points always poses a risk. The vulnerability history, while showing no currently unpatched issues, does reveal two past medium-severity CVEs, both related to Cross-site Scripting. This suggests a recurring pattern of input sanitization weaknesses that, while addressed in the past, warrant continued vigilance.

In conclusion, the plugin has strengths in its SQL handling and output escaping, and a good track record of patching vulnerabilities. The primary weakness lies in the unprotected AJAX handler. The history of XSS vulnerabilities, though patched, indicates a need for ongoing thorough security reviews of input handling. Overall, the plugin shows areas of good practice but requires attention to the identified unprotected entry point.

Key Concerns

  • Unprotected AJAX handler
  • Past medium severity XSS vulnerabilities
Vulnerabilities: 2

XML for Google Merchant Center Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2024-13406 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

XML for Google Merchant Center <= 3.0.11 - Reflected Cross-Site Scripting

Jan 21, 2025 · Patched in 3.0.12 (1d)

CVE-2023-30877 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

XML for Google Merchant Center <= 3.0.1 - Reflected Cross-Site Scripting via page parameter

Apr 24, 2023 · Patched in 3.0.2 (274d)
Code Analysis
Analyzed Mar 16, 2026

XML for Google Merchant Center Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 4 (175 escaped)
Nonce Checks: 8
Capability Checks: 4
File Operations: 21
External Requests: 2
Bundled Libraries: 1

Bundled Libraries

Select2

Output Escaping

98% escaped · 179 total outputs

Data Flows: 5 unsanitized

Data Flow Analysis

11 flows · 5 with unsanitized paths
save_plugin_set (admin\class-xfgmc-admin.php:532)
Attack Surface: 1 unprotected

XML for Google Merchant Center Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_xfgmc_select2 · includes\class-xfgmc.php:274
WordPress Hooks 42
action · shutdown · includes\class-xfgmc-autoloader.php:96
action · admin_print_footer_scripts · includes\class-xfgmc-feedback.php:83
action · admin_init · includes\class-xfgmc-feedback.php:90
filter · wp_mail_content_type · includes\class-xfgmc-feedback.php:275
action · plugins_loaded · includes\class-xfgmc.php:207
action · admin_enqueue_scripts · includes\class-xfgmc.php:224
action · admin_enqueue_scripts · includes\class-xfgmc.php:225
action · init · includes\class-xfgmc.php:228
action · product_cat_add_form_fields · includes\class-xfgmc.php:231
action · product_cat_edit_form_fields · includes\class-xfgmc.php:232
action · edited_product_cat · includes\class-xfgmc.php:233
action · create_product_cat · includes\class-xfgmc.php:234
action · woocommerce_product_data_tabs · includes\class-xfgmc.php:237
action · admin_footer · includes\class-xfgmc.php:238
action · woocommerce_product_data_panels · includes\class-xfgmc.php:239
action · woocommerce_product_options_sku · includes\class-xfgmc.php:240
action · save_post · includes\class-xfgmc.php:241
action · woocommerce_product_after_variable_attributes · includes\class-xfgmc.php:242
action · woocommerce_save_product_variation · includes\class-xfgmc.php:243
action · admin_footer · includes\class-xfgmc.php:246
action · admin_menu · includes\class-xfgmc.php:254
action · admin_init · includes\class-xfgmc.php:257
action · admin_init · includes\class-xfgmc.php:260
filter · xfgmc_f_flag_save_if_empty · includes\class-xfgmc.php:263
action · xfgmc_f_feedback_additional_info · includes\class-xfgmc.php:281
action · upload_mimes · includes\class-xfgmc.php:284
action · cron_schedules · includes\class-xfgmc.php:287
action · xfgmc_cron_start_feed_creation · includes\class-xfgmc.php:290
action · xfgmc_cron_sborki · includes\class-xfgmc.php:293
action · wp_enqueue_scripts · includes\class-xfgmc.php:310
action · wp_enqueue_scripts · includes\class-xfgmc.php:311
action · admin_print_footer_scripts · includes\common-libs\class-icpd-promo.php:145
action · admin_notices · includes\common-libs\class-icpd-set-admin-notices.php:68
action · xfgmc_activation_forms · includes\updates\class-xfgmc-plugin-form-activate.php:112
filter · pre_site_transient_update_plugins · includes\updates\class-xfgmc-plugin-form-activate.php:260
filter · pre_set_site_transient_update_plugins · includes\updates\class-xfgmc-plugin-upd.php:136
filter · plugins_api · includes\updates\class-xfgmc-plugin-upd.php:138
filter · upgrader_package_options · includes\updates\class-xfgmc-plugin-upd.php:140
filter · plugin_action_links · includes\updates\class-xfgmc-plugin-upd.php:141
action · admin_notices · xml-for-google-merchant-center.php:152
action · admin_notices · xml-for-google-merchant-center.php:172
action · before_woocommerce_init · xml-for-google-merchant-center.php:184

Scheduled Events 2

xfgmc_cron_start_feed_creation
xfgmc_cron_sborki
Maintenance & Trust

XML for Google Merchant Center Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 12, 2026
PHP min version: 7.4.0
Downloads: 142K

Community Trust

Rating: 94/100
Number of ratings: 15
Active installs: 4K
Developer Profile

XML for Google Merchant Center Developer Profile

icopydoc

14 plugins · 16K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 102 days
Detection Fingerprints

How We Detect XML for Google Merchant Center

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/xml-for-google-merchant-center/asset/js/backend/setting.js
  • /wp-content/plugins/xml-for-google-merchant-center/asset/js/frontend/feed.js
  • /wp-content/plugins/xml-for-google-merchant-center/asset/css/backend/setting.css
  • /wp-content/plugins/xml-for-google-merchant-center/asset/css/frontend/feed.css
Script Paths
  • /wp-content/plugins/xml-for-google-merchant-center/asset/js/backend/setting.js
  • /wp-content/plugins/xml-for-google-merchant-center/asset/js/frontend/feed.js
Version Parameters
  • xml-for-google-merchant-center/asset/js/backend/setting.js?ver=
  • xml-for-google-merchant-center/asset/js/frontend/feed.js?ver=
  • xml-for-google-merchant-center/asset/css/backend/setting.css?ver=
  • xml-for-google-merchant-center/asset/css/frontend/feed.css?ver=

HTML / DOM Fingerprints

CSS Classes
  • xfgmc_feed_list
  • xfgmc_feed_settings_page
  • xfgmc_add_feed_page
  • xfgmc_page_feed_general
  • xfgmc_page_feed_google_attributes
  • xfgmc_page_feed_products
HTML Comments
  • <!-- XFGMC_DATA_START -->
  • <!-- XFGMC_DATA_END -->
  • <!-- Start XFGMC settings -->
  • <!-- End XFGMC settings -->
  • (+8 more)
Data Attributes
  • data-xfgmc-settings
  • data-xfgmc-product-settings
  • data-xfgmc-feed-list
JS Globals
  • window.xfgmc_admin_settings
  • window.xfgmc_frontend_feed
REST Endpoints
  • /wp-json/xfgmc/v1/settings
  • /wp-json/xfgmc/v1/feed/generate
Shortcode Output
  • [xfgmc_feed]
FAQ

Frequently Asked Questions about XML for Google Merchant Center