YayExtra – WooCommerce Extra Product Options Security & Risk Analysis

wordpress.org/plugins/yayextra

YayExtra – Product Options for WooCommerce lets you add customizable options and extra fields to your products.

1K active installs v2.0.2 PHP 7.2+ WP 6.2+ Updated Mar 23, 2026
extra-product-options, product-addons, product-customizer, woocommerce-product-fields, woocommerce-product-options
93
A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Jul 16, 2025
Safety Verdict

Is YayExtra – WooCommerce Extra Product Options Safe to Use in 2026?

Generally Safe

Score 93/100

YayExtra – WooCommerce Extra Product Options has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Jul 16, 2025 · Updated 1mo ago
Risk Assessment

The "yayextra" v2.0.1 plugin exhibits a generally good security posture based on static analysis, with robust use of prepared statements for SQL queries and high percentages of properly escaped output. The absence of direct file operations and external HTTP requests further strengthens its security. Nonce and capability checks are implemented extensively, covering all identified AJAX entry points, which is a positive indicator of secure development practices for handling user interactions.

However, a significant concern arises from the plugin's vulnerability history. The presence of three known CVEs, including one critical vulnerability, suggests a pattern of past security weaknesses. While no CVEs are currently unpatched, the historical types of vulnerabilities (SQL Injection, Missing Authorization, Unrestricted Upload) indicate recurring security flaws that the developers have had to address. The recent vulnerability in July 2025 is particularly concerning, implying that even recent versions have had exploitable issues.

In conclusion, while "yayextra" v2.0.1 demonstrates good practices in its current static analysis, the historical vulnerability data necessitates caution. The past critical SQL injection, missing authorization, and unrestricted upload vulnerabilities, even if patched, point to potential areas where future vulnerabilities might emerge. Users should remain vigilant and ensure they are always running the latest patched version of the plugin, alongside other WordPress security best practices.

Key Concerns

  • History of critical vulnerability
  • History of medium vulnerabilities (2)
  • Flow with unsanitized path detected
Vulnerabilities
3 published

YayExtra – WooCommerce Extra Product Options Security Vulnerabilities

CVEs by Year

1 CVE in 2024
2 CVEs in 2025

Severity Breakdown

Critical: 1
Medium: 2

3 total CVEs

CVE-2025-48299 · medium · 4.9 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

YayExtra <= 1.5.5 - Authenticated (Administrator+) SQL Injection

Jul 16, 2025 · Patched in 1.5.6 (7d)
CVE-2025-31415 · medium · 4.3 · Missing Authorization

YayExtra <= 1.5.2 - Missing Authorization

Mar 31, 2025 · Patched in 1.5.3 (9d)
CVE-2024-7257 · critical · 9.8 · Unrestricted Upload of File with Dangerous Type

YayExtra – WooCommerce Extra Product Options <= 1.3.7 - Unauthenticated Arbitrary File Upload via handle_upload_file Function

Aug 2, 2024 · Patched in 1.3.8 (1d)
Code Analysis
Analyzed Mar 16, 2026

YayExtra – WooCommerce Extra Product Options Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (11 prepared)
Unescaped Output: 7 (405 escaped)
Nonce Checks: 32
Capability Checks: 11
File Operations: 0
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 11 total queries

Output Escaping

98% escaped · 412 total outputs
Data Flows · Security
1 unsanitized

Data Flow Analysis

7 flows · 1 with unsanitized paths
add_options_field (includes\Classes\ProductPage.php:99)
Attack Surface

YayExtra – WooCommerce Extra Product Options Attack Surface

Entry Points: 3
Unprotected: 0

AJAX Handlers 3

auth · wp_ajax_yay_recommended_get_plugin_data · includes\YayCommerceMenu\OtherPluginsMenu.php:27
auth · wp_ajax_yay_recommended_activate_plugin · includes\YayCommerceMenu\OtherPluginsMenu.php:28
auth · wp_ajax_yay_recommended_upgrade_plugin · includes\YayCommerceMenu\OtherPluginsMenu.php:29
WordPress Hooks 55
action · woocommerce_before_add_to_cart_button · includes\Classes\ProductPage.php:63
filter · woocommerce_add_to_cart_validation · includes\Classes\ProductPage.php:64
filter · woocommerce_add_cart_item_data · includes\Classes\ProductPage.php:65
action · woocommerce_before_calculate_totals · includes\Classes\ProductPage.php:66
filter · woocommerce_cart_calculate_fees · includes\Classes\ProductPage.php:67
filter · woocommerce_get_item_data · includes\Classes\ProductPage.php:68
action · woocommerce_checkout_create_order_line_item · includes\Classes\ProductPage.php:69
action · woocommerce_before_add_to_cart_form · includes\Classes\ProductPage.php:72
action · woocommerce_after_add_to_cart_form · includes\Classes\ProductPage.php:73
filter · woocommerce_widget_cart_item_quantity · includes\Classes\ProductPage.php:76
filter · woocommerce_cart_item_class · includes\Classes\ProductPage.php:78
filter · woocommerce_mini_cart_item_class · includes\Classes\ProductPage.php:79
action · woocommerce_cart_item_removed · includes\Classes\ProductPage.php:81
filter · woocommerce_after_cart_item_quantity_update · includes\Classes\ProductPage.php:82
action · wp_print_styles · includes\Classes\ProductPage.php:88
action · woocommerce_checkout_update_order_meta · includes\Classes\ProductPage.php:90
action · woocommerce_checkout_order_exception · includes\Classes\ProductPage.php:91
action · woocommerce_check_cart_items · includes\Classes\ProductPage.php:93
filter · woocommerce_product_single_add_to_cart_text · includes\Classes\ProductPage.php:158
filter · woocommerce_quantity_input_args · includes\Classes\ProductPage.php:178
filter · yaye_check_adjust_price · includes\Classes\ProductPage.php:663
filter · posts_clauses · includes\Helper\Database.php:374
filter · posts_clauses · includes\Helper\Database.php:381
filter · posts_clauses · includes\Helper\Database.php:411
action · init · includes\I18n.php:18
action · init · includes\Init\CustomPostType.php:17
action · before_woocommerce_init · includes\Init\Settings.php:27
filter · admin_body_class · includes\Init\Settings.php:35
action · admin_menu · includes\Init\Settings.php:36
action · admin_enqueue_scripts · includes\Init\Settings.php:38
action · wp_enqueue_scripts · includes\Init\Settings.php:39
action · yay_currency_set_cart_contents · includes\Integrations\YayCurrency.php:23
filter · YayCurrency/ApplyCurrency/GetPriceOptions · includes\Integrations\YayCurrency.php:25
filter · YayCurrency/StoreCurrency/GetPrice · includes\Integrations\YayCurrency.php:28
filter · yay_currency_product_price_3rd_with_condition · includes\Integrations\YayCurrency.php:29
filter · yay_currency_extra_get_product_subtotal · includes\Integrations\YayCurrency.php:32
filter · advanced_woo_discount_extra_get_price_options · includes\Integrations\YayCurrency.php:36
filter · advanced_woo_discount_rules_cart_strikeout_price_html · includes\Integrations\YayCurrency.php:37
filter · yaye_option_cost_display_cart_checkout · includes\Integrations\YayCurrency.php:41
filter · yaye_option_cost_display_orders_and_emails · includes\Integrations\YayCurrency.php:42
filter · YayCurrency/ApplyCurrency/ByCartItem/GetPriceOptions · includes\Integrations\YayCurrency.php:44
filter · YayCurrency/StoreCurrency/ByCartItem/GetPriceOptions · includes\Integrations\YayCurrency.php:45
filter · YayCurrency/ApplyCurrency/GetFixedProductPrice · includes\Integrations\YayCurrency.php:47
action · admin_footer · includes\Register\RegisterDev.php:17
action · init · includes\Register\RegisterDev.php:19
filter · script_loader_tag · includes\Register\RegisterFacade.php:18
action · init · includes\Register\RegisterFacade.php:19
action · init · includes\Register\RegisterProd.php:14
action · network_admin_notices · includes\UpdateVersion.php:7
action · admin_notices · includes\UpdateVersion.php:8
action · admin_enqueue_scripts · includes\YayCommerceMenu\RegisterMenu.php:56
action · admin_menu · includes\YayCommerceMenu\RegisterMenu.php:57
action · admin_menu · includes\YayCommerceMenu\RegisterMenu.php:58
action · admin_notices · yayextra.php:76
action · plugins_loaded · yayextra.php:97
Maintenance & Trust

YayExtra – WooCommerce Extra Product Options Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 23, 2026
PHP min version: 7.2
Downloads: 36K

Community Trust

Rating: 96/100
Number of ratings: 22
Active installs: 1K
Developer Profile

YayExtra – WooCommerce Extra Product Options Developer Profile

YayCommerce

16 plugins · 78K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 126 days
Detection Fingerprints

How We Detect YayExtra – WooCommerce Extra Product Options

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/yayextra/assets/css/yayextra.css
/wp-content/plugins/yayextra/assets/js/jquery.datetimepicker.min.js
/wp-content/plugins/yayextra/assets/js/yayextra.js
Script Paths
/wp-content/plugins/yayextra/assets/js/yayextra.js
/wp-content/plugins/yayextra/assets/js/jquery.datetimepicker.min.js
Version Parameters
yayextra.css?ver=
jquery.datetimepicker.min.js?ver=
yayextra.js?ver=

HTML / DOM Fingerprints

CSS Classes
yay-ui
yayextra-section
Data Attributes
id="yayextra-section"
JS Globals
yaye_data
REST Endpoints
/yayextra/v1
FAQ

Frequently Asked Questions about YayExtra – WooCommerce Extra Product Options