
WooCommerce Product Builder is a product configurator built on the WooCommerce platform, promising many useful features such as compatibility, emailed completed products, attribute filters …
Demo: WooCommerce Product Builder (CodeCanyon item 19934326)
WooCommerce Product Builder Features
- Create Product Builder pages
- Multiple steps
- Add/ remove steps
- Change step name
- Select product and categories for each step
- Search: A search bar lets you quickly look for a product or category.
- Icon of step: You can add an icon that represents a step.
- Text prefix each step
- Description: Add a description explaining what a product builder page is for; it appears under the product builder page name and applies to the Classic template only.
- Sort default: Sort items on a product builder page by Title A-Z, Title Z-A, Price low to high, Price high to low, or latest.
- Child categories: Display all products in child categories.
- Select multiple products
- Quantity field: This option lets customers choose a product quantity. If it is disabled, the quantity is fixed at 1.
- Preview button always shows
- Add to cart always shows
- Remove all button: Enable to display the remove-all button on product builder pages.
- Search product form: Enable to display an AJAX-powered product search form.
- Product is required for each step
- Out of stock products
- Hide zero price product: Enable to hide products with a zero price.
- Remove product title link
- Product per page: Set the maximum number of products per builder page.
- Support control bar on mobile mode
- Distance from bottom: Control the space between the bar and the bottom of the screen.
- Design control bar: Change the text color and background color of the control bar.
- Display share link: Copy and share a URL that links to the selected products.
- Remove short share link records after x day(s)
- Custom CSS: Style the product builder page as you want.
Vulnerability Detail
1. Authenticated SQL Injection (Critical condition)
Location: includes/data.php, method get_product_filters, lines 695, 718, 727.
Description: The plugin constructs SQL queries by concatenating user-controlled data (stored in post meta) directly into the WHERE clause.
Source: list_content and customized attributes stored in the "Product Builder" post meta.
Sink: $wpdb->get_col( $query ) and new WP_Query().
Mechanism: The list_content data is sanitized with sanitize_text_field during save (admin/admin.php, line 1258). This sanitization removes HTML tags but does not escape SQL metacharacters (such as ', ), UNION, etc.). When this data is retrieved and used in get_product_filters, it is imploded and concatenated directly into the SQL string.
Impact: An attacker with access to the admin panel (or a role with the edit_page capability) can inject arbitrary SQL commands, potentially reading sensitive data from the database.
Recommendation: Use esc_sql() or verify that IDs are integers (using array_map('intval', …)) before using them in SQL IN clauses.
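The pattern the finding describes, shown beside a hardened version, as an added example that is not the plugin's own code. It assumes a WordPress runtime ($wpdb and get_post_meta are available); the function names, the woopb_list_content meta key and the exact query shape are hypothetical, only the concatenation-into-IN pattern and the integer-coercion fix come from the review above.

```php
<?php
// Added example, not code from the plugin. Assumes WordPress is loaded.
// Function names, the 'woopb_list_content' meta key and the query shape
// are hypothetical; the pattern is the one the review describes.

// Coerce a stored ID list to positive integers, dropping anything else.
// Reusable in the save handler as well as at query time (defence in depth).
function woopb_sanitize_id_list( $raw ) {
    $ids = array_map( 'absint', (array) $raw );
    return array_values( array_unique( array_filter( $ids ) ) );
}

// Vulnerable shape: values went through sanitize_text_field() on save, which
// strips HTML but leaves SQL metacharacters untouched, and are then imploded
// straight into the IN (...) clause. Whatever is in post meta reaches MySQL.
function woopb_get_product_filters_unsafe( $builder_id ) {
    global $wpdb;
    $list_content = (array) get_post_meta( $builder_id, 'woopb_list_content', true );
    $in = implode( ',', $list_content );
    return $wpdb->get_col(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'product' AND ID IN ({$in})"
    );
}

// Hardened version: integers only, one %d placeholder per value, bound by
// $wpdb->prepare() so nothing stored in post meta can alter the query.
function woopb_get_product_filters_safe( $builder_id ) {
    global $wpdb;
    $ids = woopb_sanitize_id_list( get_post_meta( $builder_id, 'woopb_list_content', true ) );
    if ( empty( $ids ) ) {
        return array(); // an empty IN () is a SQL error; short-circuit instead
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'product' AND ID IN ({$placeholders})",
        $ids
    );
    return $wpdb->get_col( $sql );
}
```

For the WP_Query sink the same sanitized array can be handed to the post__in argument, which WordPress casts to integers itself; the point in both cases is that the values are typed before they ever meet the query builder, rather than relying on sanitize_text_field, which was never an SQL escaping function.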
2. Price Manipulation / Fee Tampering (Configuration Dependent)
Location: frontend/process.php & includes/data.php.
Description: The plugin allows storing session data in cookies (data_storage setting).
Mechanism: If data_storage is set to 'cookie', the session data (including woopb_step_fee) is stored in a base64-encoded client-side cookie.
Impact: A malicious user can decode the cookie, modify the fee amount (e.g., set it to a negative value or zero), re-encode it, and replace the cookie. The woocommerce_cart_calculate_fees hook simply reads this value and applies it as a fee.
Mitigation: The default setting is 'wc_session' (database storage), which is safe. However, if an admin changes this to 'cookie', the shop becomes vulnerable.
Recommendation: Validate the fee against the server-side configuration instead of trusting the session/cookie value, or sign the cookie data so that tampering can be detected.
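Both halves of the recommendation in one place, as an added example rather than the plugin's code: the cookie payload carries an HMAC so a modified value fails verification, and the fee applied at checkout is recomputed from the builder page's saved configuration rather than read from the client. It assumes WordPress and WooCommerce are loaded (wp_salt, add_action, WC_Cart::add_fee); the cookie name, the woopb_step_fee meta key and woopb_lookup_step_fee() are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress + WooCommerce.
// Cookie name, meta key and the lookup helper are hypothetical.

const WOOPB_COOKIE = 'woopb_session';

// Serialise the session data and append an HMAC keyed with the site's auth
// salt, which only the server knows. Client edits break the tag.
function woopb_encode_session( array $data ) {
    $payload = base64_encode( json_encode( $data ) );
    $mac     = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    return $payload . '.' . $mac;
}

// Decoded array, or null when the cookie is absent, malformed or tampered with.
function woopb_decode_session( $cookie ) {
    if ( ! is_string( $cookie ) || substr_count( $cookie, '.' ) !== 1 ) {
        return null;
    }
    list( $payload, $mac ) = explode( '.', $cookie, 2 );
    $expected = hash_hmac( 'sha256', $payload, wp_salt( 'auth' ) );
    if ( ! hash_equals( $expected, $mac ) ) { // constant-time comparison
        return null;
    }
    $data = json_decode( base64_decode( $payload, true ), true );
    return is_array( $data ) ? $data : null;
}

// Server-side source of truth for the step fee (hypothetical storage layout):
// read from the builder page's own meta, never from the client.
function woopb_lookup_step_fee( $builder_id ) {
    $fee = get_post_meta( absint( $builder_id ), 'woopb_step_fee', true );
    return max( 0, (float) $fee ); // negative fees are never valid here
}

add_action( 'woocommerce_cart_calculate_fees', function ( $cart ) {
    $raw     = isset( $_COOKIE[ WOOPB_COOKIE ] ) ? wp_unslash( $_COOKIE[ WOOPB_COOKIE ] ) : null;
    $session = woopb_decode_session( $raw );
    if ( ! $session || empty( $session['builder_id'] ) ) {
        return; // unsigned or tampered cookie: apply nothing
    }
    // Even with a valid signature the fee figure is not taken from the cookie;
    // only the builder_id is, and the amount comes from configuration.
    $fee = woopb_lookup_step_fee( $session['builder_id'] );
    if ( $fee > 0 ) {
        $cart->add_fee( __( 'Product builder fee', 'woopb' ), $fee );
    }
} );
```

Signing alone is enough to stop the decode-edit-replace attack the finding describes; recomputing the fee on the server additionally covers the case where the signing key is ever reused or rotated carelessly, and it keeps the 'cookie' storage mode no less safe than the default 'wc_session' mode for this particular value.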
3. Dynamic Method Call (Low Risk)
Location: frontend/ajax.php, method ajax.
Description: The AJAX handler calls class methods dynamically based on the _action parameter: $this->$action().
Mitigation: The code checks method_exists.
Observation: While currently limited to existing methods, any new public method added to this class in the future automatically becomes an AJAX endpoint, which increases the attack surface.
Recommendation: Use a whitelist of allowed actions (switch/case) or prefix AJAX-callable methods (e.g., ajax_action_…).
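A dispatcher that applies both recommendations, as an added example and not the plugin's handler: an explicit map from the public _action value to a method, plus an ajax_action_ prefix on the methods meant to be reachable. It assumes a WordPress runtime (add_action, check_ajax_referer, wp_send_json_*); the class name, the nonce action 'woopb_ajax' and the two action methods are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded.
// Class name, nonce action and the action methods are hypothetical.

class WooPB_Ajax_Example {

    // Explicit allow-list: public `_action` value => method that serves it.
    // A new method added to this class is unreachable until listed here.
    const ACTIONS = array(
        'get_products' => 'ajax_action_get_products',
        'preview'      => 'ajax_action_preview',
    );

    public function __construct() {
        add_action( 'wp_ajax_woopb_example', array( $this, 'ajax' ) );
        add_action( 'wp_ajax_nopriv_woopb_example', array( $this, 'ajax' ) );
    }

    public function ajax() {
        check_ajax_referer( 'woopb_ajax', 'nonce' ); // dies with 403 on a bad nonce
        $action = isset( $_POST['_action'] ) ? sanitize_key( wp_unslash( $_POST['_action'] ) ) : '';
        if ( ! isset( self::ACTIONS[ $action ] ) ) {
            wp_send_json_error( array( 'message' => 'Unknown action' ), 400 );
        }
        $method = self::ACTIONS[ $action ]; // never the raw request value
        wp_send_json_success( $this->$method() );
    }

    // Prefixed and private: reachable only through the map above.
    private function ajax_action_get_products() {
        $page = isset( $_POST['page'] ) ? max( 1, absint( $_POST['page'] ) ) : 1;
        $ids  = get_posts( array(
            'post_type'      => 'product',
            'posts_per_page' => 10,
            'paged'          => $page,
            'fields'         => 'ids',
        ) );
        return array( 'page' => $page, 'product_ids' => $ids );
    }

    private function ajax_action_preview() {
        $ids = isset( $_POST['ids'] ) ? array_filter( array_map( 'absint', (array) $_POST['ids'] ) ) : array();
        return array( 'count' => count( $ids ) );
    }

    // Public but absent from the map, so `_action=flush_cache` is rejected
    // with 400 instead of being executed, unlike with a bare method_exists() check.
    public function flush_cache() {
        wp_cache_flush();
    }
}

new WooPB_Ajax_Example();
```

The map is the control that matters: with method_exists() alone, every public method is one deployment away from becoming an endpoint, whereas here exposing a method is a deliberate, reviewable edit to ACTIONS.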
Code Quality Observations
Nonce Usage: Good. Nonces are checked consistently in Admin and Frontend AJAX actions.
Sanitization: sanitize_text_field is used widely. absint is used for IDs in many places (but is missing in the SQL injection vector described above).
Hardcoded Queries: Custom SQL queries are used in includes/data.php instead of WP_Query for some filtering logic. This increases complexity and the risk of SQL injection.