PLUGIN SECURITY
Is Woocommerce Payments safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Woocommerce Payments WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
woocommerce-payments - Requires PHP: 7.4+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 5.6.2 [WooCommerce Payments 4.8.0 - 5.6.1 Authentication Bypass and Privilege Escalation]
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 5.6.2 [WordPress WooCommerce Payments Plugin <= 5.6.1 is vulnerable to Privilege Escalation]
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 5.6.2 [CVE-2023-28121, WooCommerce Payments < 5.6.2 - Unauthenticated Privilege Escalation]
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 5.9.1 [CVE-2023-35915, WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to SQL Injection, WooCommerce Payments <= 5.9.0 - Authenticated (Shop manager+) SQL Injection via currency parameters]
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 5.9.1 [CVE-2023-35916, WordPress WooCommerce Payments Plugin <= 5.9.0 is vulnerable to Insecure Direct Object References (IDOR), WooCommerce Payments <= 5.9.0 - Missing Authorization via redirect_pay_for_order_to_update_payment_method]
+ 6 more known vulnerabilities
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 4.5.1 [WooCommerce Payments <= 4.5.0 - Payment Bypass]
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 4.5.1 [WooCommerce Payments < 4.5.1 - Intent Parameter Tampering]
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 4.9.0 [WooCommerce Payments < 4.9.0 - Subscription Suspension/Activation via CSRF]
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 6.5.0 [CVE-2023-49828, WordPress WooCommerce Payments Plugin <= 6.4.2 is vulnerable to Cross Site Scripting (XSS), WooCommerce Payments <= 6.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting, WooCommerce Payments < 6.5.0 - Contributor+ Cross-Site Scripting]
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 6.7.0 [CVE-2023-51503, WordPress WooCommerce Payments Plugin <= 6.6.2 is vulnerable to Insecure Direct Object References (IDOR), WooPayments – Fully Integrated Solution Built and Supported by Woo <= 6.6.2 - Unauthenticated Insecure Direct Object Reference, WooPayments < 6.7.0 - Unauthenticated Order Deletion via IDOR]
- WooPayments: Integrated WooCommerce Payments [woocommerce-payments] < 10.6.0 [CVE-2026-1710, WordPress WooCommerce Payments Plugin <= 10.5.1 is vulnerable to Broken Access Control, WooPayments <= 10.5.1 - Missing Authorization to Unauthenticated Plugin Settings Update via save_upe_appearance_ajax]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- WooCommerce PayPal Payments — 800000+ active installs — max PHP 8.4
- WooCommerce Stripe Payment Gateway — 700000+ active installs — max PHP 8.4
- Payment Plugins for Stripe WooCommerce — 100000+ active installs — max PHP 8.4
- Mollie Payments for WooCommerce — 100000+ active installs
- WooCommerce Square — 80000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.