Bonus for Woo Security & Risk Analysis

wordpress.org/plugins/bonus-for-woo

This plugin is designed to create a bonus system with cashback.

200 active installs · v7.6.11 · PHP 7.4+ · WP 5.6+ · Updated Mar 12, 2026

Tags: cashback, loyalty, points, referral, reward

Score: 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Sep 5, 2025
Safety Verdict

Is Bonus for Woo Safe to Use in 2026?

Generally Safe

Score 98/100

Bonus for Woo has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Sep 5, 2025 · Updated 23d ago
Risk Assessment

The "bonus-for-woo" plugin, version 7.6.11, presents a mixed security posture. While it demonstrates some good practices, such as a moderate percentage of SQL queries using prepared statements and a decent number of capability checks, several areas raise significant concerns. The substantial attack surface, with 34 entry points, is amplified by 15 of these being unprotected, including a significant portion of AJAX handlers and REST API routes lacking proper authorization.

The taint analysis reveals a high-severity flow with unsanitized input, which is a critical risk point that could lead to vulnerabilities if not addressed. Furthermore, the plugin's history of two known CVEs, one of which is currently unpatched and classified as medium severity, along with past vulnerabilities like Cross-site Scripting and Improper Input Validation, indicates a recurring pattern of security weaknesses that warrant attention.

Overall, while the plugin doesn't exhibit critical taint flows or a complete absence of security measures, the combination of a large, poorly protected attack surface, a concerning taint flow, and a history of unpatched vulnerabilities suggests a moderate to high risk. The plugin needs urgent attention to secure its unprotected entry points and address the identified high-severity taint flow and the existing unpatched CVE. Strengthening input validation and output escaping practices is also advisable.

Key Concerns

  • Unpatched CVE present
  • High severity taint flow
  • Significant unprotected AJAX handlers
  • Unprotected REST API routes
  • SQL queries not always prepared
  • Output escaping only 49% proper
  • Bundled outdated DataTables library
Vulnerabilities (2)

Bonus for Woo Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-58835 · medium · 5.3 · Improper Input Validation

Bonus for Woo <= 7.6.6 - Insufficient Input Validation

Sep 5, 2025 · Patched in 7.6.7 (194d)

CVE-2023-5140 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Bonus for Woo <= 5.8.2 - Reflected Cross-Site Scripting

Oct 27, 2023 · Patched in 5.8.3 (88d)
Code Analysis
Analyzed Mar 16, 2026

Bonus for Woo Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 33 (54 prepared)
Unescaped Output: 413 (402 escaped)
Nonce Checks: 4
Capability Checks: 24
File Operations: 26
External Requests: 2
Bundled Libraries: 3

Bundled Libraries

jQuery · DataTables 1.10.21 · TCPDF

SQL Query Safety

62% prepared (87 total queries)

Output Escaping

49% escaped (815 total outputs)

Data Flows (2 unsanitized)

Data Flow Analysis

10 flows, 2 with unsanitized paths

bonus_plugin_options (classes\BfwAdmin.php:2818)
Attack Surface (15 unprotected)

Bonus for Woo Attack Surface

Entry Points: 34
Unprotected: 15

AJAX Handlers 14

auth · wp_ajax_bfw_get_stats_timestamp · classes\BfwRouter.php:19
auth · wp_ajax_deduct_points · classes\BfwRouter.php:169
auth · wp_ajax_track_coupon_removal · classes\BfwRouter.php:172
auth · wp_ajax_bfw_export_bonuses · classes\BfwRouter.php:174
nopriv · wp_ajax_bfw_export_bonuses · classes\BfwRouter.php:175
auth · wp_ajax_bfw_export_coupons · classes\BfwRouter.php:178
nopriv · wp_ajax_bfw_export_coupons · classes\BfwRouter.php:179
auth · wp_ajax_bfw_send_points_from_order · classes\BfwRouter.php:185
auth · wp_ajax_cashback_prepare · classes\BfwRouter.php:356
auth · wp_ajax_cashback_recount · classes\BfwRouter.php:357
auth · wp_ajax_computy_mass_add_points · classes\BfwRouter.php:360
auth · wp_ajax_bfw_stat_step · classes\BfwStatistic.php:15
auth · wp_ajax_bfw_get_stats_timestamp · classes\BfwStatistic.php:16
auth · wp_ajax_bfw_clear_stats · classes\BfwStatistic.php:17

REST API Routes 5

POST /wp-json/bfw/v1/clear-fast-bonus · classes\BfwRouter.php:429
POST /wp-json/bfw/v1/apply-points · classes\BfwRouter.php:438
POST /wp-json/bfw/v1/get-spisanie-html · classes\BfwRouter.php:447
POST /wp-json/bfw/v1/get-cashback-html · classes\BfwRouter.php:454
POST /wp-json/bfw/v1/activate-coupon · classes\BfwRouter.php:461

Shortcodes 15

[bfw_get_sum_orders] classes\BfwRouter.php:376
[bfw_status] classes\BfwRouter.php:379
[bfw_cashback] classes\BfwRouter.php:382
[bfw_points] classes\BfwRouter.php:385
[bfw_cashback_in_product] classes\BfwRouter.php:388
[bfw_how_much_cashback] classes\BfwRouter.php:391
[bfw-write-off-bonuses] classes\BfwRouter.php:394
[bfw-write-off-bonuses-checkout] classes\BfwRouter.php:397
[link_on_rulles] classes\BfwRouter.php:401
[bfw_account_referral] classes\BfwRouter.php:404
[bfw_ref] classes\BfwRouter.php:407
[bfw_account] classes\BfwRouter.php:410
[bfw_cart_user] classes\BfwRouter.php:413
[bfw_history_points] classes\BfwRouter.php:416
[bfw_coupon_form] classes\BfwRouter.php:418

WordPress Hooks 76

action · admin_menu · classes\BfwAdmin.php:62
action · admin_enqueue_scripts · classes\BfwAdmin.php:65
action · admin_init · classes\BfwAdmin.php:67
action · show_user_profile · classes\BfwAdmin.php:71
action · edit_user_profile · classes\BfwAdmin.php:72
filter · manage_users_sortable_columns · classes\BfwAdmin.php:75
filter · manage_users_sortable_columns · classes\BfwAdmin.php:76
action · pre_get_users · classes\BfwAdmin.php:78
filter · manage_users_columns · classes\BfwAdmin.php:79
filter · manage_users_columns · classes\BfwAdmin.php:80
filter · manage_users_custom_column · classes\BfwAdmin.php:82
filter · manage_users_custom_column · classes\BfwAdmin.php:83
action · woocommerce_admin_order_data_after_order_details · classes\BfwAdmin.php:87
action · woocommerce_screen_ids · classes\BfwAdmin.php:90
action · woocommerce_product_options_general_product_data · classes\BfwAdmin.php:94
action · woocommerce_process_product_meta · classes\BfwAdmin.php:96
action · woocommerce_product_after_variable_attributes · classes\BfwAdmin.php:97
action · woocommerce_save_product_variation · classes\BfwAdmin.php:99
filter · woocommerce_order_is_paid_statuses · classes\BfwReview.php:48
action · personal_options_update · classes\BfwRouter.php:95
action · edit_user_profile_update · classes\BfwRouter.php:96
action · upgrader_process_complete · classes\BfwRouter.php:101
action · woocommerce_cart_totals_get_fees_from_cart_taxes · classes\BfwRouter.php:104
action · woocommerce_edit_account_form_start · classes\BfwRouter.php:115
action · woocommerce_save_account_details · classes\BfwRouter.php:116
action · woocommerce_register_form_start · classes\BfwRouter.php:119
action · comment_form_before · classes\BfwRouter.php:121
action · wp_login · classes\BfwRouter.php:124
action · bfw_account_title · classes\BfwRouter.php:127
action · bfw_account_basic_info · classes\BfwRouter.php:130
filter · bfw_account_referal · classes\BfwRouter.php:137
action · user_register · classes\BfwRouter.php:140
action · bfw_account_progress · classes\BfwRouter.php:146
action · bfw_account_history · classes\BfwRouter.php:149
action · bfw_account_rulles · classes\BfwRouter.php:152
action · woocommerce_account_bonuses_endpoint · classes\BfwRouter.php:155
action · woocommerce_review_order_after_order_total · classes\BfwRouter.php:159
action · woocommerce_cart_totals_after_order_total · classes\BfwRouter.php:160
action · woocommerce_before_cart · classes\BfwRouter.php:164
action · woocommerce_before_checkout_form · classes\BfwRouter.php:165
action · woocommerce_cart_calculate_fees · classes\BfwRouter.php:182
action · delete_user · classes\BfwRouter.php:189
action · woocommerce_remove_cart_item · classes\BfwRouter.php:192
action · woocommerce_cart_item_set_quantity · classes\BfwRouter.php:196
action · woocommerce_removed_coupon · classes\BfwRouter.php:199
action · wp_footer · classes\BfwRouter.php:205
action · woocommerce_checkout_create_order_line_item · classes\BfwRouter.php:208
action · user_register · classes\BfwRouter.php:214
action · computy_copyright · classes\BfwRouter.php:217
action · comment_unapproved_to_approved · classes\BfwRouter.php:259
action · comment_approved_to_unapproved · classes\BfwRouter.php:262
action · bfw_clear_old_cashback · classes\BfwRouter.php:265
action · bfw_search_birthday · classes\BfwRouter.php:268
action · bfw_daily_cashback_check · classes\BfwRouter.php:271
action · wp_enqueue_scripts · classes\BfwRouter.php:275
action · wp_enqueue_scripts · classes\BfwRouter.php:278
action · delete_user · classes\BfwRouter.php:282
action · wpmu_delete_user · classes\BfwRouter.php:284
filter · plugin_action_links · classes\BfwRouter.php:291
filter · woocommerce_account_menu_items · classes\BfwRouter.php:296
filter · woocommerce_get_query_vars · classes\BfwRouter.php:298
filter · woocommerce_cart_totals_fee_html · classes\BfwRouter.php:304
filter · woocommerce_get_shop_coupon_data · classes\BfwRouter.php:308
filter · woocommerce_cart_totals_coupon_html · classes\BfwRouter.php:310
filter · woocommerce_cart_totals_coupon_label · classes\BfwRouter.php:312
filter · woocommerce_coupon_message · classes\BfwRouter.php:316
action · woocommerce_removed_coupon · classes\BfwRouter.php:337
filter · woocommerce_shop_manager_editable_roles · classes\BfwRouter.php:364
filter · woocommerce_get_price_html · classes\BfwRouter.php:367
filter · woocommerce_coupon_error · classes\BfwRouter.php:423
action · rest_api_init · classes\BfwRouter.php:427
filter · woocommerce_coupon_error · classes\BfwRouter.php:471
action · before_woocommerce_init · index.php:50
action · init · index.php:61
action · init · index.php:64
action · plugins_loaded · index.php:91

Scheduled Events 3

bfw_clear_old_cashback
bfw_search_birthday
bfw_daily_cashback_check
Maintenance & Trust

Bonus for Woo Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 7.4
Downloads: 27K

Community Trust

Rating: 96/100
Number of ratings: 22
Active installs: 200

Developer Profile

Bonus for Woo Developer Profile

calliko

6 plugins · 330 total installs

Trust score: 87
Avg Security Score: 99/100
Avg Patch Time: 51 days
Detection Fingerprints

How We Detect Bonus for Woo

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/bonus-for-woo/js/admin.js
/wp-content/plugins/bonus-for-woo/css/admin.css
/wp-content/plugins/bonus-for-woo/js/bfw-points.js
/wp-content/plugins/bonus-for-woo/js/bfw-admin-roles.js
/wp-content/plugins/bonus-for-woo/js/bfw-settings.js
/wp-content/plugins/bonus-for-woo/js/bfw-user-profile.js
/wp-content/plugins/bonus-for-woo/js/bfw-products.js
/wp-content/plugins/bonus-for-woo/css/bfw-products.css
+1 more

Script Paths
/wp-content/plugins/bonus-for-woo/js/admin.js
/wp-content/plugins/bonus-for-woo/js/bfw-points.js
/wp-content/plugins/bonus-for-woo/js/bfw-admin-roles.js
/wp-content/plugins/bonus-for-woo/js/bfw-settings.js
/wp-content/plugins/bonus-for-woo/js/bfw-user-profile.js
/wp-content/plugins/bonus-for-woo/js/bfw-products.js

Version Parameters
bonus-for-woo/js/admin.js?ver=
bonus-for-woo/css/admin.css?ver=
bonus-for-woo/js/bfw-points.js?ver=
bonus-for-woo/js/bfw-admin-roles.js?ver=
bonus-for-woo/js/bfw-settings.js?ver=
bonus-for-woo/js/bfw-user-profile.js?ver=
bonus-for-woo/js/bfw-products.js?ver=
bonus-for-woo/css/bfw-products.css?ver=
bonus-for-woo/css/bfw-notice.css?ver=

HTML / DOM Fingerprints

CSS Classes
bfw-order-cashback-info
bfw-woo-product-cashback-field
bfw-woo-product-cashback-field-desc
bfw-woo-product-cashback-variations-field
bfw-woo-product-cashback-variations-field-desc
bfw-notice-wrap
bfw-notice-premium

HTML Comments
<!-- Поддержка новой системы заказов. Не убирать отсюда! -->
<!---------Страница админки*------- -->
/*-------Действия после обновления-------*/
/*Проверка бд после обновления */
+22 more

Data Attributes
data-bfw-field-type="product_cashback"
data-bfw-field-type="variation_cashback"

JS Globals
BFWSettings
BFWAdmin

Shortcode Output
[bfw_bonus_points_widget]
[bfw_cashback_progress_bar]
[bfw_cashback_history]
[bfw_bonus_points_balance]

FAQ

Frequently Asked Questions about Bonus for Woo