WP Clinic
Log in Sign up

PLUGIN SECURITY

Is Woocommerce Payments safe?

Known vulnerabilities, PHP compatibility and safer alternatives for the Woocommerce Payments WordPress plugin — checked against WP Clinic's local security database.

Plugin details

  • Slug: woocommerce-payments
  • Requires PHP: 7.4+
  • Max supported PHP (analyzed): 8.4

Known vulnerabilities

  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 5.6.2 [WooCommerce Payments 4.8.0 - 5.6.1 Authentication Bypass and Privilege Escalation]
  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 5.6.2 [WordPress WooCommerce Payments Plugin <= 5.6.1 is vulnerable to Privilege Escalation]
  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 5.6.2 [CVE-2023-28121, WooCommerce Payments &lt; 5.6.2 - Unauthenticated Privilege Escalation]
  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 5.9.1 [CVE-2023-35915, WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to SQL Injection, WooCommerce Payments <= 5.9.0 - Authenticated (Shop manager+) SQL Injection via currency parameters]
  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 5.9.1 [CVE-2023-35916, WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to Insecure Direct Object References (IDOR), WooCommerce Payments <= 5.9.0 - Missing Authorization via redirect_pay_for_order_to_update_payment_method]
+ 6 more known vulnerabilities
  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 4.5.1 [WooCommerce Payments <= 4.5.0 - Payment Bypass]
  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 4.5.1 [WooCommerce Payments &lt; 4.5.1 - Intent Parameter Tampering]
  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 4.9.0 [WooCommerce Payments &lt; 4.9.0 - Subscription Suspension/Activation via CSRF]
  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 6.5.0 [CVE-2023-49828, WordPress WooCommerce Payments Plugin <= 6.4.2 is vulnerable to Cross Site Scripting (XSS), WooCommerce Payments <= 6.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting, WooCommerce Payments &lt; 6.5.0 - Contributor+ Cross-Site Scripting]
  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 6.7.0 [CVE-2023-51503, WordPress WooCommerce Payments Plugin <= 6.6.2 is vulnerable to Insecure Direct Object References (IDOR), WooPayments – Fully Integrated Solution Built and Supported by Woo <= 6.6.2 - Unauthenticated Insecure Direct Object Reference, WooPayments &lt; 6.7.0 - Unauthenticated Order Deletion via IDOR]
  • WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 10.6.0 [CVE-2026-1710, WordPress WooCommerce Payments Plugin <= 10.5.1 is vulnerable to Broken Access Control, WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax]

Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.

Safer / more established alternatives

Check your own WordPress site

Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.