Admin and Customer Messages After Order for WooCommerce: OrderConvo Security & Risk Analysis

wordpress.org/plugins/admin-and-client-message-after-order-for-woocommerce

OrderConvo: Enable seamless post-order communication between vendors/admins and customers in WooCommerce.

200 active installs · v15.0 · PHP 7.2+ · WP 4.0+ · Updated Jan 15, 2026
Tags: woocommerce-customer-vendor-chat, woocommerce-order-communication, woocommerce-order-file-attachments, woocommerce-order-messaging, woocommerce-order-notes
Score: 87 · A · Safe
CVEs total: 5
Unpatched: 0
Last CVE: Nov 24, 2025
Safety Verdict

Is Admin and Customer Messages After Order for WooCommerce: OrderConvo Safe to Use in 2026?

Generally Safe

Score 87/100

Admin and Customer Messages After Order for WooCommerce: OrderConvo has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Nov 24, 2025 · Updated 2mo ago
Risk Assessment

The static analysis of "admin-and-client-message-after-order-for-woocommerce" v15.0 reveals a seemingly low attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events. The code also shows a good use of prepared statements for SQL queries (50%) and proper output escaping (76%). Nonce and capability checks are present. However, the plugin has a concerning vulnerability history with 5 known CVEs, including critical and high severity issues like Authorization Bypass, Path Traversal, Unrestricted File Uploads, and Missing Authorization. The fact that all past vulnerabilities are currently unpatched, despite the last one being recent, is a significant red flag. While the current code analysis doesn't expose immediate vulnerabilities, the historical pattern of severe, unpatched flaws strongly suggests that potential issues may still exist or have been overlooked in the static analysis, or that the patching process is unreliable. The plugin's security posture is therefore weakened by its past, with a reliance on the effectiveness of unproven fixes or the hope that no new vulnerabilities have been introduced.

Key Concerns

  • History of severe unpatched vulnerabilities
  • SQL queries not fully prepared
  • Output not fully escaped
Vulnerabilities
5

Admin and Customer Messages After Order for WooCommerce: OrderConvo Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 4 CVEs

Severity Breakdown

Critical: 1
High: 1
Medium: 3

5 total CVEs

CVE-2025-13389 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated Information Disclosure

Nov 24, 2025 Patched in 15 (52d)
CVE-2025-13452 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 14 - Missing Authorization to Unauthenticated User Impersonation in Order Messages

Nov 24, 2025 Patched in 15 (52d)
CVE-2025-10162 · high · 7.5 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Admin and Customer Messages After Order for WooCommerce: OrderConvo <= 13.5 - Unauthenticated Arbitrary File Read

Sep 16, 2025 Patched in 14 (31d)
CVE-2024-13355 · medium · 5.4 · Unrestricted Upload of File with Dangerous Type

Admin and Customer Messages After Order for WooCommerce <= 13.2 - Authenticated (Subscriber+) Limited File Upload to Cross-Site Scripting

Jan 15, 2025 Patched in 13.3 (1d)
CVE-2024-33566 · critical · 9.8 · Missing Authorization

OrderConvo <= 12.4 - Missing Authorization to Arbitrary File Upload

Apr 25, 2024 Patched in 12.5 (7d)
Code Analysis
Analyzed Mar 16, 2026

Admin and Customer Messages After Order for WooCommerce: OrderConvo Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 · 1 prepared
Unescaped Output: 9 · 28 escaped
Nonce Checks: 1
Capability Checks: 6
File Operations: 7
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

50% prepared · 2 total queries

Output Escaping

76% escaped · 37 total outputs
Attack Surface

Admin and Customer Messages After Order for WooCommerce: OrderConvo Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 22

action  admin_bar_menu  includes\admin.class.php:21
action  admin_menu  includes\admin.class.php:24
action  admin_enqueue_scripts  includes\admin.class.php:27
action  admin_notices  includes\migration.class.php:23
action  admin_init  includes\single.rendering.php:26
action  add_meta_boxes_woocommerce_page_wc-orders  includes\single.rendering.php:29
action  woocommerce_order_details_before_order_table  includes\single.rendering.php:32
action  woocommerce_checkout_order_created  includes\wooconvo.class.php:23
action  woocommerce_order_status_changed  includes\wooconvo.class.php:27
action  woocommerce_new_customer_note  includes\wooconvo.class.php:29
action  wooconvo_after_message_added  includes\wooconvo.class.php:34
filter  query_vars  includes\wooconvo.class.php:38
filter  woocommerce_account_menu_items  includes\wooconvo.class.php:39
filter  woocommerce_account_menu_item_classes  includes\wooconvo.class.php:40
action  woocommerce_account_wooconvo-messages_endpoint  includes\wooconvo.class.php:41
filter  wooconvo_react_data  includes\wooconvo.class.php:44
filter  wooconvo_react_data  includes\wooconvo.class.php:46
filter  wooconvo_get_settings  includes\wooconvo.class.php:49
action  mofwc_after_insert_suborder  includes\wooconvo.class.php:54
action  rest_api_init  includes\wprest.class.php:23
action  rest_api_init  includes\wprest.class.php:29
action  init  nm-wooconvo.php:51

Maintenance & Trust

Admin and Customer Messages After Order for WooCommerce: OrderConvo Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 15, 2026
PHP min version: 7.2
Downloads: 40K

Community Trust

Rating: 92/100
Number of ratings: 22
Active installs: 200

Alternatives

Admin and Customer Messages After Order for WooCommerce: OrderConvo Alternatives

No alternatives data available yet.

Developer Profile

Admin and Customer Messages After Order for WooCommerce: OrderConvo Developer Profile

N-Media

23 plugins · 5K total installs

Trust score: 69
Avg Security Score: 85/100
Avg Patch Time: 588 days
Detection Fingerprints

How We Detect Admin and Customer Messages After Order for WooCommerce: OrderConvo

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/admin-and-client-message-after-order-for-woocommerce/assets/react/front/static/js/main.e0db322b.js
/wp-content/plugins/admin-and-client-message-after-order-for-woocommerce/assets/react/front/static/css/main.fa094ed3.css
Script Paths
/wp-content/plugins/admin-and-client-message-after-order-for-woocommerce/includes/helper_functions.php
/wp-content/plugins/admin-and-client-message-after-order-for-woocommerce/includes/meta.json.php
/wp-content/plugins/admin-and-client-message-after-order-for-woocommerce/includes/migration.class.php
/wp-content/plugins/admin-and-client-message-after-order-for-woocommerce/includes/order.class.php
/wp-content/plugins/admin-and-client-message-after-order-for-woocommerce/includes/wooconvo.class.php
/wp-content/plugins/admin-and-client-message-after-order-for-woocommerce/includes/wprest.class.php
+2 more
Version Parameters
admin-and-client-message-after-order-for-woocommerce/assets/react/front/static/js/main.e0db322b.js?ver=
admin-and-client-message-after-order-for-woocommerce/assets/react/front/static/css/main.fa094ed3.css?ver=

HTML / DOM Fingerprints

CSS Classes
wooconvo-wp-admin-wrapper
JS Globals
WOOCONVO_Data
REST Endpoints
/wooconvo/v1