Description
Genvoris Virtual Try-On lets your shoppers upload a photo and instantly preview how a product looks on them, right from the WooCommerce product page. It works for clothing, accessories, jewelry, bags, and home textiles.
The plugin is a WordPress front-end for the Genvoris SaaS service (https://genvoris.org). The heavy AI work — image analysis and try-on generation — runs on Genvoris servers; this plugin handles connection, monetization, and widget injection on your store.
Key features
- AI-generated try-on previews from a single shopper photo.
- Five built-in monetization models: free for everyone, subscription, credits-with-purchase, pay-per-use, freemium.
- Per-customer quota tracking with monthly resets.
- Tight WooCommerce integration: order events, optional WooCommerce Subscriptions support.
- No theme code changes — the widget injects itself into product pages.
- All sensitive credentials encrypted at rest using WordPress salts.
- HPOS / custom order tables compatible.
Requires a Genvoris account
You’ll need a free account at https://genvoris.org. The plugin walks you through connecting on first activation. The API key is provisioned automatically — you never copy/paste secrets.
External services
This plugin connects to Genvoris-operated services to deliver its functionality. Connections are only made AFTER you authorize the plugin via the in-plugin “Connect with Genvoris” button. Until then, the plugin is dormant and contacts no third-party server.
1. Genvoris portal API (https://genvoris.org/api/v1)
- What it does: receives the merchant’s site metadata during OAuth, then handles plan/customer/usage/session-token operations server-to-server.
- What is sent: site URL, site name, admin email (during OAuth only), and per-customer identifiers (
wp_<user_id>), email (optional), and metadata (source: wordpress,wp_user_id,site_url). - When it is sent: only after the merchant clicks “Connect with Genvoris”, and on subsequent storefront try-on activity.
- Terms of service: https://genvoris.org/terms-of-service
- Privacy policy: https://genvoris.org/privacy-policy
2. Genvoris try-on backend (https://api.genvoris.org)
- What it does: serves the storefront widget bundle (
/widget.js) and processes the actual try-on (/api/analyze,/api/tryon). - What is sent: shopper-uploaded photo (image bytes), the product reference (id/title/image URL/page URL), and the merchant’s API key (server-side only — the key is never exposed to the browser).
- When it is sent: only when a shopper interacts with the try-on widget on a connected store.
- Terms of service: https://genvoris.org/terms-of-service
- Privacy policy: https://genvoris.org/privacy-policy
The hosted widget bundle (/widget.js) is loaded on WooCommerce product pages only, and only when the plugin is connected and the widget is enabled in settings. Disabling the widget or disconnecting the account stops every external call.
Installation
- Upload the
genvoris-virtual-tryonfolder to/wp-content/plugins/, or install via Plugins -> Add New. - Activate the plugin through the Plugins menu in WordPress.
- Go to WooCommerce -> Genvoris Try-On -> General.
- Click Connect with Genvoris and authorize on genvoris.org.
- Pick a monetization model under Monetization and (optionally) tweak the widget under Widget.
- Visit any product page on your storefront — the try-on button is live.
FAQ
-
Do I need a Genvoris account?
-
Yes. The plugin is the WordPress front-end for the Genvoris try-on service. The account is free and includes a starter quota.
-
Does it work without WooCommerce?
-
No. The plugin requires WooCommerce for products, customers, and orders. It refuses to load without it.
-
Where is my API key stored?
-
Encrypted in
wp_optionsusing AES-256-CBC with a key derived from your WordPress AUTH_KEY + SECURE_AUTH_KEY. The raw key is never written to disk in plaintext and is never sent to the browser. The widget uses a same-origin REST proxy so the API key never leaves the server. -
What data leaves my site?
-
Only what is required for the try-on flow:
- During OAuth: site URL, site name, admin email.
- On every status check: customer identifier (
wp_<user_id>), email (optional), and metadata (source: wordpress,wp_user_id,site_url). - On every try-on: the shopper-uploaded photo, the product reference (id/title/image URL/page URL), and the merchant API key (server-to-server).
WordPress passwords, payment details, and order line items are NEVER sent to Genvoris.
-
How are credits deducted?
-
The Genvoris portal deducts one credit per successful try-on, server-to-server, after the image is generated. The plugin never decides credit consumption client-side.
-
Can I use this with WooCommerce Subscriptions?
-
Yes. Activating a subscription flips an
is_subscribedflag on the local customer row; cancellations and expirations revert it. The SUBSCRIPTION and FREEMIUM monetization models use this flag to gate access. -
Is the plugin HPOS-compatible?
-
Yes. We declare
custom_order_tablescompatibility and use the WooCommerce high-level order API (no directwp_postmetaqueries on orders). -
Can I uninstall cleanly?
-
Yes. Uninstall (not just deactivate) removes every option, transient, and database table the plugin created. Customer data is preserved through deactivation so you can re-enable without losing state.
Reviews
There are no reviews for this plugin.
Contributors & Developers
“Genvoris Virtual Try-On” is open source software. The following people have contributed to this plugin.
ContributorsTranslate “Genvoris Virtual Try-On” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
Changelog
1.2.4
- Fix: Removed UTF-8 Byte Order Marks (BOM) inadvertently introduced in the 1.2.3 release, which corrupted API key masking in the admin panel and could cause unexpected “Headers already sent” warnings.
1.2.3
- Fix: Hardened same-origin checks across the REST proxy and events webhook to gracefully handle differing WordPress Address and Site Address configurations, and
www.subdomain permutations. - Fix: Proxied requests now correctly forward the
OriginandRefererheaders to the try-on backend, supporting strict portal-level domain allowlists. - Fix: The OAuth handshake now includes the explicit
storefront_urlmetadata to support headless WordPress setups.
1.2.2
- Feature: Support for advanced Conversion Analytics. Added an internal events proxy to securely stream widget telemetry (funnel metrics) to your Genvoris dashboard while protecting API keys.
- UI/UX: Added full customization settings for the try-on button (Background Color, Text Color, Border Radius) directly in the WordPress admin panel.
- Compat: synchronised the readme
Stable tagwith the plugin fileVersionheader (now 1.2.2).
1.2.1
- UI/UX: Added full customization settings for the try-on button (Background Color, Text Color, Border Radius) directly in the WordPress admin panel.
1.2.0
- Security: REST proxy
permission_callbacknow uses a dedicatedcheck_proxy_permission()method instead of__return_true. All access-control checks (plugin-connected, same-origin, path allow-list, per-IP rate limit) are enforced in the permission callback where WordPress expects them. - Security: Origin or Referer header is now required on every proxy request. Requests without either header (e.g. direct curl/scripted abuse) are rejected with 403. Previously, missing Origin/Referer was silently allowed.
- Compat: synchronised the readme
Stable tagwith the plugin fileVersionheader (now 1.2.0).
1.1.0
- Auto-style detection: the widget now matches your store’s colors automatically.
- Security: webhook deliveries are now de-duplicated by delivery id (
X-Genvoris-Delivery), so a retried portal webhook can never re-apply the same side effect. - UX: all five monetization model labels are shown in plain English throughout the admin.
- Improved error handling across the storefront loader and REST proxy.
- Performance: storefront loader improvements.
- Compat: synchronised the readme
Stable tagand the pluginVersionheader at 1.1.0 (resolves the prior 1.0.9 header / 1.1.0 constant mismatch).
1.0.5
- Security: REST proxy now sanitizes every forwarded query parameter and returns the upstream JSON via WP_REST_Response (no more raw
echo), so all output is escaped by WordPress. - Security: REST proxy and per-user
/statusendpoint now require a validwp_restnonce in addition to the existing same-origin check; guests still get a generic status payload without a nonce. - Security: storefront widget config now ships
wp_create_nonce('wp_rest')so the bundle can attachX-WP-Nonceto every proxy/status call. - I18n: text domain renamed from
genvoris-virtual-tryontogenvoris-virtual-try-onto match the plugin slug; affects all gettext calls and the Plugin Header. - Compat:
Tested up tobumped to 6.9. - Docs: fixed a Plugin Header description that was split mid-word.
1.0.8
- Fix: added a
rest_authentication_errorsfilter at priority 200 (runs after WordPress core’srest_cookie_check_errorsat priority 100) to clearrest_cookie_invalid_nonceerrors for the/wp-json/genvoris/v1/proxy/*route only. The widget bundle sendsX-WP-Nonceon every call; on cached/guest pages that nonce could not be validated, causing a 403 that the widget surfaced as “This domain is not authorized for try-on. Please contact the store.” - Fix: relaxed the same-origin Origin/Referer check so that requests missing both headers (normal for same-origin simple GETs under a strict Referrer-Policy) are allowed through rather than rejected.
- Compat: synchronised the readme
Stable tagwith the plugin fileVersionheader (now 1.0.8).
1.0.7
- Fix: removed the
wp_restnonce requirement from the same-origin/wp-json/genvoris/v1/proxy/*route. On cached storefront pages and in guest sessions, server-minted nonces frequently failedwp_verify_nonce(), so every widget call to/api/status,/api/config,/api/analyze, and/api/tryonreturned 403rest_cookie_invalid_nonce— surfaced to shoppers as “This domain is not authorized for try-on”. The proxy is still protected by the server-held API key, same-origin Origin/Referer check, per-IP rate limit, and an explicit upstream path allow-list, matching the v1.0.6 fix already applied to/wp-json/genvoris/v1/status. - Fix: added
api/statusto the proxy’s upstream allow-list so the widget’s status poll no longer 404s through the proxy after the nonce gate was lifted. - Compat: synchronised the readme
Stable tagwith the plugin fileVersionheader (now 1.0.7).
1.0.6
- Fix: removed
X-WP-Nonceheader from the public status endpoint request in the storefront widget; sending a nonce to apermission_callback: '__return_true'endpoint caused WordPress to return 403rest_cookie_invalid_noncewhen the nonce was stale or guest-generated. - Compat: synchronised the readme
Stable tagwith the plugin fileVersionheader (now 1.0.6).
1.0.4
- Fix: PHP 8 TypeError when the session-mint REST endpoint received a
WP_Errorwithout status data. - Fix: dead code path in the front-end placement guard could trigger on themes that fired both the configured WC hook AND
woocommerce_after_single_product_summary. - Tweak: hosted widget bundle cache-buster now tracks plugin version (no more drifting magic constant).
- Docs: full WP.org-compliant readme with explicit External Services disclosure.
- Compat: synchronised the readme
Stable tagwith the plugin fileVersionheader (now 1.0.4).
1.0.3
- Default widget position changed to “below Add to Cart” so the button is discoverable on themes that don’t render a floating fallback.
- Activation hook now seeds defaults for every monetization-related option.
1.0.0
- Initial public release.
- Five monetization models.
- OAuth-based connection to genvoris.org.
- Per-customer quota tracking.
- WooCommerce order + subscription event hooks.