WP-Safety

YITH WooCommerce Product Bundles Security & Risk Analysis

wordpress.org/plugins/yith-woocommerce-product-bundles

YITH WooCommerce Product Bundles allows you to bundle WooCommerce products and sell them with a unique price.

3K active installs v2.23.0 PHP 7.4+ WP 6.7+ Updated Mar 4, 2026
bundlebundlesproductproduct-bundleproduct-bundles
99
A · Safe
CVEs total1
Unpatched0
Last CVENov 11, 2022
Plugin page Download
Safety Verdict

Is YITH WooCommerce Product Bundles Safe to Use in 2026?

Generally Safe

Score 99/100

YITH WooCommerce Product Bundles has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Nov 11, 2022Updated 1mo ago
Risk Assessment

The YITH WooCommerce Product Bundles plugin (v2.23.0) demonstrates several positive security practices, including the exclusive use of prepared statements for all SQL queries and a high percentage of properly escaped output, indicating a general commitment to secure coding. The presence of numerous nonce and capability checks further reinforces its defense mechanisms. However, the analysis also highlights significant concerns regarding its attack surface. With 9 AJAX handlers, 4 of which lack authentication checks, there is a clear potential for unauthorized actions to be performed by unauthenticated users. While the taint analysis did not reveal critical or high-severity flows with unsanitized paths, the single flow with an unsanitized path is a noteworthy risk, especially when coupled with the unprotected AJAX endpoints. The plugin's vulnerability history shows one previous high-severity vulnerability, specifically related to missing authorization. This pattern suggests that authorization enforcement is an area that requires continued vigilance and careful review, as it has been a point of weakness in the past. Overall, while the plugin implements good fundamental security measures, the unprotected AJAX endpoints and the history of authorization issues present the most significant risks.

Key Concerns

  • 4 unprotected AJAX handlers
  • 1 flow with unsanitized path
  • 1 historical high-severity CVE (Missing Authorization)
Vulnerabilities
1

YITH WooCommerce Product Bundles Security Vulnerabilities

CVEs by Year

1 CVE in 2022
2022
Patched Has unpatched

Severity Breakdown

High
1

1 total CVE

WF-b948574a-0aab-4596-83e6-04be21f78bc1-yith-woocommerce-product-bundleshigh · 7.1Missing Authorization

YITH plugins by YITHEMES <= (Various Versions) - Missing Authorization

Nov 11, 2022 Patched in 1.17.0 (438d)
Code Analysis
Analyzed Mar 16, 2026

YITH WooCommerce Product Bundles Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
5 prepared
Unescaped Output
103
1602 escaped
Nonce Checks
16
Capability Checks
17
File Operations
0
External Requests
7
Bundled Libraries
1

Bundled Libraries

Select2

SQL Query Safety

100% prepared5 total queries

Output Escaping

94% escaped1705 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

15 flows1 with unsanitized paths
do_shortcode (plugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:279)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
4 unprotected

YITH WooCommerce Product Bundles Attack Surface

Entry Points9
Unprotected4

AJAX Handlers 9

authwp_ajax_yith_wcpb_select_product_boxincludes\class.yith-wcpb-admin.php:84
authwp_ajax_yith_wcpb_select_product_box_filteredincludes\class.yith-wcpb-admin.php:85
authwp_ajax_yith_wcpb_add_product_in_bundleincludes\class.yith-wcpb-admin.php:86
authwp_ajax_woocommerce_add_order_itemincludes\class.yith-wcpb-admin.php:98
authwp_ajax_yith_plugin_fw_gutenberg_do_shortcodeplugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:63
authwp_ajax_yith_plugin_fw_save_toggle_element_metaboxplugin-fw\includes\class-yit-metabox.php:86
authwp_ajax_yith_plugin_fw_save_toggle_elementplugin-fw\includes\class-yit-plugin-panel.php:138
authwp_ajax_yith_bh_onboardingplugin-fw\includes\class-yith-bh-onboarding.php:37
authwp_ajax_yith_create_log_fileplugin-fw\includes\class-yith-system-status.php:101
WordPress Hooks 148
actionadmin_menuincludes\class.yith-wcpb-admin.php:74
filteryith_show_plugin_row_metaincludes\class.yith-wcpb-admin.php:77
actionadmin_enqueue_scriptsincludes\class.yith-wcpb-admin.php:79
filterwoocommerce_product_data_tabsincludes\class.yith-wcpb-admin.php:81
actionwoocommerce_product_data_panelsincludes\class.yith-wcpb-admin.php:82
actionwoocommerce_admin_process_product_objectincludes\class.yith-wcpb-admin.php:88
actionyith_wcpb_admin_bundled_item_optionsincludes\class.yith-wcpb-admin.php:90
filterwoocommerce_admin_html_order_item_classincludes\class.yith-wcpb-admin.php:92
filterwoocommerce_admin_order_item_classincludes\class.yith-wcpb-admin.php:93
filterwoocommerce_admin_order_item_countincludes\class.yith-wcpb-admin.php:94
filterwoocommerce_hidden_order_itemmetaincludes\class.yith-wcpb-admin.php:95
filterwoocommerce_order_item_display_meta_keyincludes\class.yith-wcpb-admin.php:96
actionyith_wcpb_premium_tabincludes\class.yith-wcpb-admin.php:100
actionyith_wcpb_how_to_tabincludes\class.yith-wcpb-admin.php:101
actionwoocommerce_blocks_loadedincludes\class.yith-wcpb-cart-checkout-blocks.php:50
actionwp_enqueue_scriptsincludes\class.yith-wcpb-cart-checkout-blocks.php:53
actionwoocommerce_blocks_cart_block_registrationincludes\class.yith-wcpb-cart-checkout-blocks.php:61
actionwoocommerce_blocks_checkout_block_registrationincludes\class.yith-wcpb-cart-checkout-blocks.php:62
filterwoocommerce_store_api_product_quantity_minimumincludes\class.yith-wcpb-cart-checkout-blocks.php:63
filterwoocommerce_store_api_product_quantity_maximumincludes\class.yith-wcpb-cart-checkout-blocks.php:64
actionwp_enqueue_scriptsincludes\class.yith-wcpb-frontend.php:53
actionwoocommerce_yith_bundle_add_to_cartincludes\class.yith-wcpb-frontend.php:56
filterwoocommerce_add_to_cart_validationincludes\class.yith-wcpb-frontend.php:57
filterwoocommerce_add_cart_item_dataincludes\class.yith-wcpb-frontend.php:59
actionwoocommerce_add_to_cartincludes\class.yith-wcpb-frontend.php:60
filterwoocommerce_cart_item_remove_linkincludes\class.yith-wcpb-frontend.php:61
filterwoocommerce_cart_item_quantityincludes\class.yith-wcpb-frontend.php:62
actionwoocommerce_after_cart_item_quantity_updateincludes\class.yith-wcpb-frontend.php:63
actionwoocommerce_before_cart_item_quantity_zeroincludes\class.yith-wcpb-frontend.php:64
filterwoocommerce_cart_item_priceincludes\class.yith-wcpb-frontend.php:66
filterwoocommerce_cart_item_subtotalincludes\class.yith-wcpb-frontend.php:67
filterwoocommerce_checkout_item_subtotalincludes\class.yith-wcpb-frontend.php:68
filterwoocommerce_add_cart_itemincludes\class.yith-wcpb-frontend.php:69
actionwoocommerce_cart_item_removedincludes\class.yith-wcpb-frontend.php:70
actionwoocommerce_cart_item_restoredincludes\class.yith-wcpb-frontend.php:71
filterwoocommerce_cart_contents_countincludes\class.yith-wcpb-frontend.php:73
filterwoocommerce_cart_item_classincludes\class.yith-wcpb-frontend.php:75
filterwoocommerce_get_cart_item_from_sessionincludes\class.yith-wcpb-frontend.php:77
actionwoocommerce_cart_loaded_from_sessionincludes\class.yith-wcpb-frontend.php:78
filterwoocommerce_order_formatted_line_subtotalincludes\class.yith-wcpb-frontend.php:81
filterwoocommerce_checkout_create_order_line_itemincludes\class.yith-wcpb-frontend.php:82
filterwoocommerce_order_item_classincludes\class.yith-wcpb-frontend.php:83
filterwoocommerce_order_item_needs_processingincludes\class.yith-wcpb-frontend.php:85
filterwoocommerce_order_again_cart_item_dataincludes\class.yith-wcpb-frontend.php:88
actionwoocommerce_ordered_againincludes\class.yith-wcpb-frontend.php:89
filterwoocommerce_cart_shipping_packagesincludes\class.yith-wcpb-frontend.php:92
filterproduct_type_selectorincludes\class.yith-wcpb.php:91
actionbefore_woocommerce_initincludes\class.yith-wcpb.php:93
actionwcml_after_duplicate_product_post_metaincludes\compatibility\class.yith-wcpb-wpml-compatibility.php:53
actionyith_wcpb_initinit.php:130
actionadmin_noticesinit.php:138
actionadmin_noticesinit.php:140
actionplugins_loadedinit.php:147
actionelementor/elements/categories_registeredplugin-fw\includes\builders\elementor\class-yith-elementor.php:50
actionelementor/editor/after_enqueue_stylesplugin-fw\includes\builders\elementor\class-yith-elementor.php:52
actionelementor/frontend/after_enqueue_stylesplugin-fw\includes\builders\elementor\class-yith-elementor.php:53
actioninitplugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:60
actioninitplugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:61
actioninitplugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:62
actionwc_ajax_yith_plugin_fw_gutenberg_do_shortcodeplugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:64
actioninitplugin-fw\includes\class-yit-assets.php:47
actionelementor/editor/before_enqueue_stylesplugin-fw\includes\class-yit-assets.php:48
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-assets.php:50
actioninitplugin-fw\includes\class-yit-assets.php:52
actionshould_load_block_editor_scripts_and_stylesplugin-fw\includes\class-yit-assets.php:53
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-icons.php:970
actionwp_enqueue_scriptsplugin-fw\includes\class-yit-icons.php:971
actionadd_meta_boxesplugin-fw\includes\class-yit-metabox.php:80
actionsave_postplugin-fw\includes\class-yit-metabox.php:81
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-metabox.php:82
filteryit_icons_screen_idsplugin-fw\includes\class-yit-metabox.php:84
filteradmin_body_classplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:93
actionadmin_initplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:94
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:95
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:96
actionadmin_bar_menuplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:97
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:98
actionadmin_initplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:99
filterwoocommerce_screen_idsplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:100
filterwoocommerce_admin_settings_sanitize_optionplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:102
actionyith_plugin_fw_get_field_afterplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:104
actionadmin_action_yith_plugin_fw_save_toggle_elementplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:105
filterwoocommerce_admin_settings_sanitize_optionplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:106
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:108
actionadmin_initplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:109
filteryith_plugin_fw_premium_landing_uriplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:112
actionwoocommerce_admin_field_boxinfoplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:126
actionwoocommerce_admin_field_yith-fieldplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:127
filterwoocommerce_admin_settings_sanitize_optionplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:129
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:132
filteradd_menu_classesplugin-fw\includes\class-yit-plugin-panel-woocommerce.php:134
filteradmin_body_classplugin-fw\includes\class-yit-plugin-panel.php:121
actionadmin_initplugin-fw\includes\class-yit-plugin-panel.php:122
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel.php:123
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel.php:124
actionadmin_bar_menuplugin-fw\includes\class-yit-plugin-panel.php:125
actionadmin_initplugin-fw\includes\class-yit-plugin-panel.php:126
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-panel.php:128
actionadmin_initplugin-fw\includes\class-yit-plugin-panel.php:129
filteryith_plugin_fw_premium_landing_uriplugin-fw\includes\class-yit-plugin-panel.php:132
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-panel.php:137
actionall_admin_noticesplugin-fw\includes\class-yit-plugin-panel.php:242
actionadmin_footerplugin-fw\includes\class-yit-plugin-panel.php:243
filterparent_fileplugin-fw\includes\class-yit-plugin-panel.php:245
filtersubmenu_fileplugin-fw\includes\class-yit-plugin-panel.php:246
actionadmin_menuplugin-fw\includes\class-yit-plugin-panel.php:259
filteradd_menu_classesplugin-fw\includes\class-yit-plugin-panel.php:260
filterremovable_query_argsplugin-fw\includes\class-yit-plugin-panel.php:261
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-panel.php:1081
actionadmin_initplugin-fw\includes\class-yit-plugin-panel.php:1082
actionadmin_footerplugin-fw\includes\class-yit-plugin-panel.php:1213
actionadmin_initplugin-fw\includes\class-yit-plugin-subpanel.php:44
actionadmin_menuplugin-fw\includes\class-yit-plugin-subpanel.php:45
actionadmin_bar_menuplugin-fw\includes\class-yit-plugin-subpanel.php:46
actionadmin_initplugin-fw\includes\class-yit-plugin-subpanel.php:47
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-plugin-subpanel.php:48
actionadmin_enqueue_scriptsplugin-fw\includes\class-yit-pointers.php:118
actionadmin_initplugin-fw\includes\class-yit-pointers.php:119
actionyith_bh_onboardingplugin-fw\includes\class-yith-bh-onboarding.php:36
actionwp_dashboard_setupplugin-fw\includes\class-yith-dashboard.php:146
actionadmin_enqueue_scriptsplugin-fw\includes\class-yith-dashboard.php:147
actionadmin_initplugin-fw\includes\class-yith-post-type-admin.php:65
actioncurrent_screenplugin-fw\includes\class-yith-post-type-admin.php:67
actionedit_form_topplugin-fw\includes\class-yith-post-type-admin.php:70
actionmanage_posts_extra_tablenavplugin-fw\includes\class-yith-post-type-admin.php:119
actionmanage_posts_extra_tablenavplugin-fw\includes\class-yith-post-type-admin.php:120
actionrestrict_manage_postsplugin-fw\includes\class-yith-post-type-admin.php:122
filterrequestplugin-fw\includes\class-yith-post-type-admin.php:123
filterlist_table_primary_columnplugin-fw\includes\class-yith-post-type-admin.php:125
filterpost_row_actionsplugin-fw\includes\class-yith-post-type-admin.php:126
filterpage_row_actionsplugin-fw\includes\class-yith-post-type-admin.php:127
filterdefault_hidden_columnsplugin-fw\includes\class-yith-post-type-admin.php:129
actiondisable_months_dropdownplugin-fw\includes\class-yith-post-type-admin.php:137
filteradmin_body_classplugin-fw\includes\class-yith-system-status.php:95
actionadmin_menuplugin-fw\includes\class-yith-system-status.php:96
actionadmin_initplugin-fw\includes\class-yith-system-status.php:97
actionadmin_noticesplugin-fw\includes\class-yith-system-status.php:98
actionadmin_enqueue_scriptsplugin-fw\includes\class-yith-system-status.php:99
actioninitplugin-fw\includes\class-yith-system-status.php:100
filteryith_plugin_fw_privacy_guide_contentplugin-fw\includes\privacy\class-yith-privacy-plugin-abstract.php:39
actionadmin_initplugin-fw\includes\privacy\class-yith-privacy.php:50
actionplugins_loadedplugin-fw\init.php:94
filterextra_theme_headersplugin-fw\yit-functions.php:602
filteryit_title_special_charactersplugin-fw\yit-functions.php:726
filterplugin_row_metaplugin-fw\yit-plugin.php:56
actionadmin_noticesplugin-fw\yit-plugin.php:298
actionplugins_loadedplugin-fw\yit-plugin.php:300
actionshutdownplugin-fw\yit-woocommerce-compatibility.php:765
Maintenance & Trust

YITH WooCommerce Product Bundles Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 4, 2026
PHP min version7.4
Downloads320K

Community Trust

Rating62/100
Number of ratings25
Active installs3K
Alternatives

YITH WooCommerce Product Bundles Alternatives

Product Bundle Builder for WooCommerce

Product Bundle Builder for WooCommerce

easy-product-bundles-for-woocommerce

A
100

WooCommerce Product Bundle help to creates Product Bundles, Composite Products, Mix and Match, BOGO deals, Offer gift products, and Assembled Products &hellip;

7K No CVEs
WowRevenue – Product Bundles & Bulk Discounts

WowRevenue – Product Bundles & Bulk Discounts

revenue

A
96

WowRevenue is a combination of product bundles and discount campaigns, including bulk discounts, buy x get y discounts, and more.

1K 2 CVEs
Forge12 Accessories for WooCommerce

Forge12 Accessories for WooCommerce

f12-wc-accessories

A
100

Add optional accessories to WooCommerce products and categories. Increase your average order value with product accessories, cart crossselling and cat &hellip;

80 No CVEs
Bundle Product Manager

Bundle Product Manager

bundle-product-manager-for-woocommerce

A
92

Our WordPress WooCommerce plugin provides unique functionality by allowing you to easily add multiple additional products to your main product before &hellip;

0 No CVEs
Product Quick View for WooCommerce

Product Quick View for WooCommerce

hmh-woocommerce-quick-view

A
85

Products Quick View for WooCommerce gives your customers a true supermarket shopping experience. In a supermarket shoppers browse products on the shel &hellip;

0 No CVEs
Developer Profile

YITH WooCommerce Product Bundles Developer Profile

YITHEMES

33 plugins · 1.1M total installs

77
trust score
Avg Security Score
97/100
Avg Patch Time
411 days
View full developer profile
Detection Fingerprints

How We Detect YITH WooCommerce Product Bundles

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/yith-woocommerce-product-bundles/assets/css/yith-wcpb-admin.css/wp-content/plugins/yith-woocommerce-product-bundles/assets/css/yith-wcpb-frontend.css/wp-content/plugins/yith-woocommerce-product-bundles/assets/js/yith-wcpb-admin.js/wp-content/plugins/yith-woocommerce-product-bundles/assets/js/yith-wcpb-frontend.js/wp-content/plugins/yith-woocommerce-product-bundles/dist/css/yith-wcpb-admin.css/wp-content/plugins/yith-woocommerce-product-bundles/dist/css/yith-wcpb-frontend.css/wp-content/plugins/yith-woocommerce-product-bundles/dist/js/yith-wcpb-admin.js/wp-content/plugins/yith-woocommerce-product-bundles/dist/js/yith-wcpb-frontend.js
Script Paths
/wp-content/plugins/yith-woocommerce-product-bundles/assets/js/yith-wcpb-admin.js/wp-content/plugins/yith-woocommerce-product-bundles/assets/js/yith-wcpb-frontend.js/wp-content/plugins/yith-woocommerce-product-bundles/dist/js/yith-wcpb-admin.js/wp-content/plugins/yith-woocommerce-product-bundles/dist/js/yith-wcpb-frontend.js
Version Parameters
yith-woocommerce-product-bundles/assets/css/yith-wcpb-admin.css?ver=yith-woocommerce-product-bundles/assets/css/yith-wcpb-frontend.css?ver=yith-woocommerce-product-bundles/assets/js/yith-wcpb-admin.js?ver=yith-woocommerce-product-bundles/assets/js/yith-wcpb-frontend.js?ver=yith-woocommerce-product-bundles/dist/css/yith-wcpb-admin.css?ver=yith-woocommerce-product-bundles/dist/css/yith-wcpb-frontend.css?ver=yith-woocommerce-product-bundles/dist/js/yith-wcpb-admin.js?ver=yith-woocommerce-product-bundles/dist/js/yith-wcpb-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
yith-wcpb-bundle-optionsyith-wcpb-bundle-sectionyith-wcpb-bundled-item
HTML Comments
<!-- yith_wcpb_select_product_box --><!-- yith_wcpb_select_product_box_filtered --><!-- yith_wcpb_add_product_in_bundle --><!-- yith_wcpb_admin_bundled_item_options -->
Data Attributes
data-bundle-iddata-product-id
JS Globals
yith_wcpb_select_product_boxYITH_WCPB_ADMIN
REST Endpoints
/wp-json/yith-wcpb/v1/products/wp-json/yith-wcpb/v1/bundles
Shortcode Output
[yith_product_bundle][yith_bundle_item]
FAQ

Frequently Asked Questions about YITH WooCommerce Product Bundles