PluginScore

PPOM – Product Addons & Custom Fields for WooCommerce

Easily add a range of custom fields to WooCommerce products, from text boxes to date selectors, allowing customers to personalize their orders.

v34.0.4ThemeisleUpdated Added 20k+ installs88% rating100% support resolved
Product AddonsVariable ProductsWoocommerce Product Addonscustom fieldswoocommerce product options
21
Score
336
Errors
1,322
Warnings
+0
Change

Category Scores

Security0
Repo72
Performance100
Maintainability0

Issues to Review

Prioritized issue groups from the latest Plugin Check scan

1,658 findings

Maintainability

1,123

14 issue groups

Security

517

9 issue groups

Supply Chain

2

1 issue group

I18n

1

1 issue group

WARNINGMaintainabilityNon-prefixed global variableGlobal variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$multi_product_var".944
Category
Maintainability
Occurrences
944
Severity
warning

Sample message

Global variables defined by a theme/plugin should start with the theme/plugin prefix. Found: "$$multi_product_var".

WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedVariableFound
ERRORSecurityOutput is not escapedAll output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<div class=\"updated\"><p>{$message}</p></div>"'.233
Category
Security
Occurrences
233
Severity
error

Sample message

All output should be run through an escaping function (see the Security sections in the WordPress Developer Handbooks), found '"<div class=\"updated\"><p>{$message}</p></div>"'.

WordPress.Security.EscapeOutput.OutputNotEscapedReference
WARNINGMaintainabilityNon-prefixed hook nameHook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: &quot;&#039;nm_input_class-&#039; . $type&quot;.84
Category
Maintainability
Occurrences
84
Severity
warning

Sample message

Hook names invoked by a theme/plugin should start with the theme/plugin prefix. Found: &quot;&#039;nm_input_class-&#039; . $type&quot;.

WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
WARNINGSecurityNonce verification recommendedProcessing form data without nonce verification.79
Category
Security
Occurrences
79
Severity
warning

Sample message

Processing form data without nonce verification.

WordPress.Security.NonceVerification.Recommended
WARNINGSecurityRequest data is not unslashed$_GET[$data_name] not unslashed before sanitization. Use wp_unslash() or similar65
Category
Security
Occurrences
65
Severity
warning

Sample message

$_GET[$data_name] not unslashed before sanitization. Use wp_unslash() or similar

WordPress.Security.ValidatedSanitizedInput.MissingUnslash
ERRORSecurityUnsafe printing functionAll output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.47
Category
Security
Occurrences
47
Severity
error

Sample message

All output should be run through an escaping function (like esc_html_e() or esc_attr_e()), found '_e'.

WordPress.Security.EscapeOutput.UnsafePrintingFunctionReference
WARNINGSecurityInput is not sanitizedDetected usage of a non-sanitized input variable: $_FILES[&#039;file&#039;][&#039;tmp_name&#039;]31
Category
Security
Occurrences
31
Severity
warning

Sample message

Detected usage of a non-sanitized input variable: $_FILES[&#039;file&#039;][&#039;tmp_name&#039;]

WordPress.Security.ValidatedSanitizedInput.InputNotSanitized
WARNINGMaintainabilityNon-prefixed classClasses declared by a theme/plugin should start with the theme/plugin prefix. Found: &quot;NM_Audio_wooproduct&quot;.24
Category
Maintainability
Occurrences
24
Severity
warning

Sample message

Classes declared by a theme/plugin should start with the theme/plugin prefix. Found: &quot;NM_Audio_wooproduct&quot;.

WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedClassFound
WARNINGSecurityMissing nonce verificationProcessing form data without nonce verification.23
Category
Security
Occurrences
23
Severity
warning

Sample message

Processing form data without nonce verification.

WordPress.Security.NonceVerification.Missing
WARNINGSecurityDatabase parameter is not escapedUnescaped parameter $prepared used in $wpdb-&gt;get_results()\n$prepared assigned unsafely at line 83.17
Category
Security
Occurrences
17
Severity
warning

Sample message

Unescaped parameter $prepared used in $wpdb-&gt;get_results()\n$prepared assigned unsafely at line 83.

PluginCheck.Security.DirectDB.UnescapedDBParameter
Show 15 more
ERRORMaintainabilityMissing direct file access protection17
Category
Maintainability
Occurrences
17
Severity
error

Sample message

PHP file should prevent direct access. Add a check like: if ( ! defined( 'ABSPATH' ) ) exit;

missing_direct_file_access_protectionReference
WARNINGSecurityInput is not validated16
Category
Security
Occurrences
16
Severity
warning

Sample message

Detected usage of a possibly undefined superglobal array index: $_POST[&#039;ppom_product_id&#039;]. Check that the array index exists before using it.

WordPress.Security.ValidatedSanitizedInput.InputNotValidated
WARNINGMaintainabilityMissing Version15
Category
Maintainability
Occurrences
15
Severity
warning

Sample message

Resource version not set in call to wp_enqueue_script(). This means new versions of the script may not always be loaded due to browser caching.

WordPress.WP.EnqueuedResourceParameters.MissingVersion
ERRORMaintainabilitystrip tags strip tags10
Category
Maintainability
Occurrences
10
Severity
error

Sample message

strip_tags() is discouraged. Use the more comprehensive wp_strip_all_tags() instead.

WordPress.WP.AlternativeFunctions.strip_tags_strip_tags
WARNINGSecuritywp redirect wp redirect6
Category
Security
Occurrences
6
Severity
warning

Sample message

wp_redirect() found. Using wp_safe_redirect(), along with the &quot;allowed_redirect_hosts&quot; filter if needed, can help avoid any chances of malicious redirects within code. It is also important to remember to call exit() after a redirect so that no other unwanted code is executed.

WordPress.Security.SafeRedirect.wp_redirect_wp_redirectReference
ERRORMaintainabilityunlink unlink6
Category
Maintainability
Occurrences
6
Severity
error

Sample message

unlink() is discouraged. Use wp_delete_file() to delete a file.

WordPress.WP.AlternativeFunctions.unlink_unlink
ERRORMaintainabilitydate date5
Category
Maintainability
Occurrences
5
Severity
error

Sample message

date() is affected by runtime timezone changes which can cause date/time to be incorrectly displayed. Use gmdate() instead.

WordPress.DateTime.RestrictedFunctions.date_date
ERRORMaintainabilityrename rename4
Category
Maintainability
Occurrences
4
Severity
error

Sample message

rename() is discouraged. Use WP_Filesystem::move() to rename a file.

WordPress.WP.AlternativeFunctions.rename_rename
WARNINGMaintainabilityNot In Footer4
Category
Maintainability
Occurrences
4
Severity
warning

Sample message

In footer ($in_footer) is not set explicitly wp_enqueue_script; It is recommended to load scripts in the footer. Please set this value to `true` to load it in the footer, or explicitly `false` if it should be loaded in the header.

WordPress.WP.EnqueuedResourceParameters.NotInFooter
WARNINGMaintainabilityNon-prefixed function3
Category
Maintainability
Occurrences
3
Severity
warning

Sample message

Functions declared in the global namespace by a theme/plugin should start with the theme/plugin prefix. Found: &quot;nm_get_order_id&quot;.

WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedFunctionFound
ERRORMaintainabilityfile system operations fclose3
Category
Maintainability
Occurrences
3
Severity
error

Sample message

File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fclose().

WordPress.WP.AlternativeFunctions.file_system_operations_fclose
ERRORMaintainabilityfile system operations fopen3
Category
Maintainability
Occurrences
3
Severity
error

Sample message

File operations should use WP_Filesystem methods instead of direct PHP filesystem calls. Found: fopen().

WordPress.WP.AlternativeFunctions.file_system_operations_fopen
ERRORSupply ChainHidden files included2
Category
Supply Chain
Occurrences
2
Severity
error

Sample message

Hidden files are not permitted.

hidden_files
WARNINGI18nDiscouraged text-domain loading1
Category
I18n
Occurrences
1
Severity
warning

Sample message

load_plugin_textdomain() has been discouraged since WordPress version 4.6. When your plugin is hosted on WordPress.org, you no longer need to manually include this function call for translations under your plugin slug. WordPress will automatically load the translations for you as needed.

PluginCheck.CodeAnalysis.DiscouragedFunctions.load_plugin_textdomainFoundReference
ERRORMaintainabilityOffloaded Content1
Category
Maintainability
Occurrences
1
Severity
error

Sample message

Found call to wp_enqueue_style() with external resource. Offloading styles to your servers or any remote service is disallowed.

PluginCheck.CodeAnalysis.EnqueuedResourceOffloading.OffloadedContent

External Connections

Potential connections found in static code analysis.

44 domains

Outbound calls

205

External assets

3

Incoming endpoints

36

Notable Domains

themeisle.com20 · outbound
jqueryui.com13 · outbound
docs.themeisle.com10 · outbound
api.jqueryui.com6 · outbound
ns.adobe.com6 · outbound
api.themeisle.com5 · outbound

Platform / Reference Domains

opensource.org32 · platform/reference
w3.org23 · platform/reference
github.com20 · platform/reference
wordpress.org13 · platform/reference
api.wordpress.org6 · platform/reference
codex.wordpress.org1 · platform/reference
translate.wordpress.org1 · platform/reference

External Asset Domains

cdnjs.cloudflare.com2 · asset + outbound
youtube.com2 · asset + outbound
fonts.googleapis.com1 · asset

Incoming Endpoints

/wp-json/ppom/v1/delete/order/REST

register_rest_route

/wp-json/ppom/v1/delete/product/REST

register_rest_route

/wp-json/ppom/v1/get/id/(?P<id>\d+)REST

register_rest_route

/wp-json/ppom/v1/get/order/REST

register_rest_route

/wp-json/ppom/v1/get/product/REST

register_rest_route

/wp-json/ppom/v1/nonces/file/REST

register_rest_route

Admin AJAX endpoints24
wp_ajax_themeisle_sdk_dismiss_noticeauthenticated

wp_ajax

admin_post_ppom_attachauthenticated

admin_post

admin_post_ppom_export_metaauthenticated

admin_post

admin_post_ppom_migrate_settings_panelauthenticated

admin_post

wp_ajax_ppom_ajax_validationauthenticated

wp_ajax

wp_ajax_ppom_attach_ppomsauthenticated

wp_ajax

wp_ajax_ppom_delete_fileauthenticated

wp_ajax

wp_ajax_ppom_delete_metaauthenticated

wp_ajax

wp_ajax_ppom_delete_selected_metaauthenticated

wp_ajax

wp_ajax_ppom_get_preview_urlauthenticated

wp_ajax

wp_ajax_ppom_get_productsauthenticated

wp_ajax

wp_ajax_ppom_import_templateauthenticated

wp_ajax

12 more hidden

Score History

3 score snapshots

+0
1007550250Jun 20, 2026, 11:33 AM UTC Score 21/100 Plugin v34.0.2 Plugin Check 2.0.0 336 errors, 1,325 warningsJun 23, 2026, 01:37 PM UTC Score 21/100 Plugin v34.0.3 Plugin Check 2.0.0 336 errors, 1,325 warningsJun 24, 2026, 01:57 PM UTC Score 21/100 Plugin v34.0.4 Plugin Check 2.0.0 336 errors, 1,322 warningsJun 20, 2026Jun 24, 2026

v34.0.4

21

Latest

Findings
1,658
Errors
336
Warnings
1,322
Check
2.0.0

v34.0.3

21

Score

Findings
1,661
Errors
336
Warnings
1,325
Check
2.0.0

v34.0.2

21

Score

Findings
1,661
Errors
336
Warnings
1,325
Check
2.0.0

Relationship Map

Author, categories, issues, domains, and nearby plugins.

37 nodes

Related Plugins

Product Addons and Product Options With Custom Fields – WowAddons

3k+ active installs

100
Show only lowest prices in variable products for WooCommerce

7k+ active installs

100
Ajax Load More for Advanced Custom Fields

2k+ active installs

98
Extra Product Options For WooCommerce | Custom Product Addons and Fields

30k+ active installs

98
MB Elementor Integration

2k+ active installs

98
CubeWP Forms

4k+ active installs

97