Bayarcash WooCommerce Security & Risk Analysis

wordpress.org/plugins/bayarcash-wc

Accept online payment & QR from Malaysia. Currently, Bayarcash supports FPX, Direct Debit and DuitNow payment channels.

800 active installs · v4.3.14 · PHP 7.4+ · WP 5.6+ · Updated Feb 13, 2026
Tags: direct-debit, duitnow, duitnow-qr, fpx
Score: 99 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Jan 13, 2026
Safety Verdict

Is Bayarcash WooCommerce Safe to Use in 2026?

Generally Safe

Score 99/100

Bayarcash WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Jan 13, 2026 · Updated 1mo ago
Risk Assessment

The bayarcash-wc plugin version 4.3.14 exhibits a generally strong security posture with a notable absence of critical or high-severity vulnerabilities identified in both static analysis and taint flows. The plugin demonstrates good practices by implementing capability checks and nonce checks for its entry points, and a high percentage of output escaping is present, which helps mitigate cross-site scripting risks. The static analysis also indicates no dangerous functions are being used.

However, there are several areas that warrant attention. The single SQL query identified is not using prepared statements, which poses a significant risk of SQL injection, especially if the query involves user-supplied input. While taint analysis did not reveal any critical or high-severity issues, the presence of three flows with unsanitized paths is a concern and suggests potential for vulnerabilities if these paths are ever exposed to untrusted input. Furthermore, the plugin bundles external libraries (Lodash and Guzzle), which, if not regularly updated and audited, could introduce their own vulnerabilities. The vulnerability history, despite having no currently unpatched CVEs, shows a past medium-severity vulnerability related to missing authorization, indicating a historical weakness that users should be aware of.

In conclusion, bayarcash-wc v4.3.14 has strengths in its authorization and output escaping mechanisms, and currently lacks critical exploitable flaws. Nevertheless, the SQL query that does not use prepared statements and the identified unsanitized paths are significant risks that require immediate attention. Regular updates and audits of bundled libraries are also recommended to maintain a robust security profile.

Key Concerns

  • SQL query not using prepared statements
  • Flows with unsanitized paths identified
  • Bundled external libraries (Lodash, Guzzle)
  • Past medium severity vulnerability (Missing Authorization)
Vulnerabilities: 1

Bayarcash WooCommerce Security Vulnerabilities

CVEs by Year

2026: 1 CVE

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2026-24606 · medium · 5.3 · Missing Authorization

Bayarcash WooCommerce <= 4.3.12 - Missing Authorization

Jan 13, 2026 Patched in 4.3.14 (31d)
Code Analysis
Analyzed Mar 16, 2026

Bayarcash WooCommerce Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 1 (0 prepared)
  • Unescaped Output: 6 (38 escaped)
  • Nonce Checks: 4
  • Capability Checks: 4
  • File Operations: 1
  • External Requests: 2
  • Bundled Libraries: 2

Bundled Libraries

Lodash, Guzzle

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

86% escaped · 44 total outputs
Data Flows: 3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
handle_success_callback (includes\src\Gateway\DirectDebitGateway.php:808)
Attack Surface

Bayarcash WooCommerce Attack Surface

Entry Points: 6
Unprotected: 0

AJAX Handlers 6

  • auth · wp_ajax_get_bayarcash_settings · includes\src\Bayarcash.php:201
  • auth · wp_ajax_cancel_direct_debit_subscription · includes\src\Bayarcash.php:707
  • auth · wp_ajax_update_custom_fields · includes\src\CustomFieldFunnelKit.php:13
  • nopriv · wp_ajax_update_custom_fields · includes\src\CustomFieldFunnelKit.php:14
  • auth · wp_ajax_update_directdebit_fields · includes\src\Gateway\DirectDebitGateway.php:120
  • nopriv · wp_ajax_update_directdebit_fields · includes\src\Gateway\DirectDebitGateway.php:121

WordPress Hooks 53

  • action · admin_head · includes\admin\compatibility.php:14
  • filter · woocommerce_settings_tabs_array · includes\src\AdditionalTab.php:8
  • action · woocommerce_settings_tabs_bayarcash_additional_merchant · includes\src\AdditionalTab.php:9
  • action · woocommerce_update_options_bayarcash_additional_merchant · includes\src\AdditionalTab.php:10
  • action · plugins_loaded · includes\src\Bayarcash.php:121
  • action · shutdown · includes\src\Bayarcash.php:141
  • filter · plugin_row_meta · includes\src\Bayarcash.php:235
  • filter · woocommerce_payment_gateways · includes\src\Bayarcash.php:261
  • action · plugins_loaded · includes\src\Bayarcash.php:348
  • action · all_admin_notices · includes\src\Bayarcash.php:356
  • action · admin_enqueue_scripts · includes\src\Bayarcash.php:369
  • action · wp_enqueue_scripts · includes\src\Bayarcash.php:406
  • action · before_woocommerce_init · includes\src\Bayarcash.php:544
  • action · woocommerce_blocks_loaded · includes\src\Bayarcash.php:573
  • action · woocommerce_blocks_checkout_block_registration · includes\src\Bayarcash.php:581
  • action · woocommerce_blocks_loaded · includes\src\Bayarcash.php:609
  • action · woocommerce_blocks_payment_method_type_registration · includes\src\Bayarcash.php:617
  • action · wp_enqueue_scripts · includes\src\Bayarcash.php:706
  • filter · wcs_view_subscription_actions · includes\src\Bayarcash.php:708
  • action · wp_footer · includes\src\Bayarcash.php:709
  • action · woocommerce_cart_calculate_fees · includes\src\BayarcashCheckoutFee.php:47
  • filter · woocommerce_available_payment_gateways · includes\src\BayarcashCheckoutFee.php:48
  • filter · woocommerce_available_payment_gateways · includes\src\BayarcashCheckoutFee.php:49
  • action · wp_footer · includes\src\BayarcashCheckoutFee.php:50
  • action · woocommerce_before_checkout_process · includes\src\BayarcashCheckoutFee.php:51
  • filter · woocommerce_checkout_error_message · includes\src\BayarcashCheckoutFee.php:52
  • filter · cron_schedules · includes\src\CronEvent.php:50
  • action · bayarcash_wc_checkpayment · includes\src\CronEvent.php:67
  • action · bayarcash_wc_check_transaction · includes\src\CronEvent.php:68
  • action · wfacp_after_template_found · includes\src\CustomFieldFunnelKit.php:11
  • action · wp_footer · includes\src\CustomFieldFunnelKit.php:12
  • filter · wfacp_get_checkout_fields · includes\src\CustomFieldFunnelKit.php:113
  • filter · wfacp_get_fieldsets · includes\src\CustomFieldFunnelKit.php:114
  • action · template_redirect · includes\src\CustomFieldFunnelKit.php:167
  • filter · woocommerce_loop_add_to_cart_link · includes\src\CustomProductText.php:29
  • action · woocommerce_single_product_summary · includes\src\CustomProductText.php:30
  • action · wp_footer · includes\src\CustomProductText.php:31
  • action · admin_init · includes\src\DependencyChecker.php:16
  • action · admin_notices · includes\src\DependencyChecker.php:24
  • action · admin_init · includes\src\DependencyChecker.php:25
  • action · woocommerce_before_order_notes · includes\src\Gateway\DirectDebitGateway.php:100
  • action · woocommerce_subscription_status_cancelled · includes\src\Gateway\DirectDebitGateway.php:101
  • action · admin_notices · includes\src\Gateway\DirectDebitGateway.php:102
  • action · wp_footer · includes\src\Gateway\DirectDebitGateway.php:123
  • action · wp_enqueue_scripts · includes\src\Gateway.php:69
  • action · woocommerce_api_bayarcash_payment · includes\src\Gateway.php:71
  • action · woocommerce_api_bayarcash_callback · includes\src\Gateway.php:72
  • filter · woocommerce_order_button_text · includes\src\Gateway.php:73
  • action · woocommerce_order_action_wc_mark_cancelled · includes\src\OrderCancellationPrevention.php:8
  • action · woocommerce_order_action_mark_cancelled · includes\src\OrderCancellationPrevention.php:9
  • filter · wc_order_statuses · includes\src\OrderCancellationPrevention.php:10
  • filter · woocommerce_bulk_action_ids · includes\src\OrderCancellationPrevention.php:11
  • action · admin_notices · includes\src\OrderCancellationPrevention.php:12

Scheduled Events 2

bayarcash_wc_checkpayment
bayarcash_wc_check_transaction
Maintenance & Trust

Bayarcash WooCommerce Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.8.5
  • Last updated: Feb 13, 2026
  • PHP min version: 7.4
  • Downloads: 9K

Community Trust

  • Rating: 100/100
  • Number of ratings: 1
  • Active installs: 800
Developer Profile

Bayarcash WooCommerce Developer Profile

Web Impian

5 plugins · 840 total installs

  • Trust score: 87
  • Avg Security Score: 98/100
  • Avg Patch Time: 31 days
Detection Fingerprints

How We Detect Bayarcash WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/bayarcash-wc/assets/css/backend.css
  • /wp-content/plugins/bayarcash-wc/assets/css/frontend.css
  • /wp-content/plugins/bayarcash-wc/assets/js/backend.js
  • /wp-content/plugins/bayarcash-wc/assets/js/frontend.js
  • /wp-content/plugins/bayarcash-wc/assets/js/backend/app.js
  • /wp-content/plugins/bayarcash-wc/assets/js/frontend/app.js
Script Paths
  • /wp-content/plugins/bayarcash-wc/assets/js/backend.js
  • /wp-content/plugins/bayarcash-wc/assets/js/frontend.js
  • /wp-content/plugins/bayarcash-wc/assets/js/backend/app.js
  • /wp-content/plugins/bayarcash-wc/assets/js/frontend/app.js
Version Parameters
  • bayarcash-wc/assets/css/backend.css?ver=
  • bayarcash-wc/assets/css/frontend.css?ver=
  • bayarcash-wc/assets/js/backend.js?ver=
  • bayarcash-wc/assets/js/frontend.js?ver=
  • bayarcash-wc/assets/js/backend/app.js?ver=
  • bayarcash-wc/assets/js/frontend/app.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • bayarcash-wc-settings-page
  • bayarcash-wc-backend-app
  • bayarcash-wc-frontend-app
HTML Comments
  • <!-- Bayarcash WC Settings Page -->
  • <!-- Bayarcash WC Backend App -->
  • <!-- Bayarcash WC Frontend App -->
Data Attributes
  • data-bayarcash-wc-settings
  • data-bayarcash-wc-app
JS Globals
  • window.BayarcashWCSettings
  • window.BayarcashWCBackendApp
  • window.BayarcashWCFriendendApp
  • var BayarcashWCSettings
  • var BayarcashWCBackendApp
  • var BayarcashWCFriendendApp
REST Endpoints
  • /wp-json/bayarcash-wc/v1/settings
  • /wp-json/bayarcash-wc/v1/payment-status
Shortcode Output
  • [bayarcash_payment_form]
  • [bayarcash_order_summary]