Checkbox Security & Risk Analysis

wordpress.org/plugins/checkbox

A plugin that integrates WooCommerce with Checkbox.ua, a service for software registration of settlement transactions (пРРО).

300 active installs · v2.8.14 · PHP 7.1+ · WP 5.2+ · Updated Mar 3, 2026
checkbox · рро · woocommerce
Score 99 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Nov 20, 2025
Safety Verdict

Is Checkbox Safe to Use in 2026?

Generally Safe

Score 99/100

Checkbox has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Nov 20, 2025 · Updated 1mo ago
Risk Assessment

The "checkbox" v2.8.14 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries and leveraging WordPress's nonce and capability checks in some areas. The absence of critical or high-severity taint flows is also a positive indicator. However, there are notable areas of concern, particularly with the presence of 3 unprotected AJAX handlers, which represent a significant attack surface without proper authorization checks.

The vulnerability history, while showing no currently unpatched CVEs, does reveal a past medium-severity vulnerability, specifically related to missing authorization. This, combined with the identified unprotected AJAX endpoints, suggests a recurring pattern where authorization is not consistently enforced across all entry points. The plugin also has a moderate number of file operations and external HTTP requests, which, while not inherently dangerous, can become points of vulnerability if not handled with extreme care regarding input validation and sanitization.

In conclusion, while the plugin has strengths in its database interaction and some security checks, the presence of unprotected AJAX handlers is a critical weakness that needs immediate attention. The past vulnerability related to missing authorization further reinforces the need for a comprehensive security audit of all entry points to ensure robust protection against potential exploits.

Key Concerns

  • Unprotected AJAX handlers
  • Past medium severity vulnerability (Missing Authorization)
  • Output escaping not fully implemented
  • Some capability checks missing on AJAX handlers
Vulnerabilities: 1

Checkbox Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-12170 · medium · 5.3 · Missing Authorization

Checkbox <= 2.8.10 - Missing Authorization to Unauthenticated Log Clearing

Nov 20, 2025 · Patched in 2.8.11 (1d)
Code Analysis
Analyzed Mar 16, 2026

Checkbox Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 28 (93 escaped)
Nonce Checks: 5
Capability Checks: 2
File Operations: 3
External Requests: 6
Bundled Libraries: 1

Bundled Libraries

jQuery

Output Escaping

77% escaped · 121 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
mrkv_checkbox_wc_add_metabox_content (includes\class-woocommerce.php:307)
Attack Surface
3 unprotected

Checkbox Attack Surface

Entry Points: 9
Unprotected: 3

AJAX Handlers 9

auth · wp_ajax_mrkv_checkbox_dismiss_notice · checkbox.php:131
auth · wp_ajax_mrkv_checkbox_check_connection · includes\class-conntect-disconnect.php:67
auth · wp_ajax_mrkv_checkbox_connect · includes\class-conntect-disconnect.php:70
auth · wp_ajax_mrkv_checkbox_connect_ajax · includes\class-conntect-disconnect.php:72
auth · wp_ajax_mrkv_checkbox_disconnect · includes\class-conntect-disconnect.php:74
auth · wp_ajax_checkbox_clean_log · includes\class-setup.php:30
nopriv · wp_ajax_checkbox_clean_log · includes\class-setup.php:31
auth · wp_ajax_submit_morkva_checkbox · includes\class-woocommerce.php:42
nopriv · wp_ajax_submit_morkva_checkbox · includes\class-woocommerce.php:43
WordPress Hooks 20
action · before_woocommerce_init · checkbox.php:23
action · admin_notices · checkbox.php:123
action · init · checkbox.php:153
filter · pre_update_option_ppo_cashbox_key · includes\class-activation-deactivation.php:51
action · upgrader_process_complete · includes\class-activation-deactivation.php:53
action · checkbox_close_shift · includes\class-conntect-disconnect.php:78
action · checkbox_open_shift · includes\class-conntect-disconnect.php:80
action · woocommerce_order_status_changed · includes\class-create-receipt.php:99
action · wp_dashboard_setup · includes\class-dashboard-widget.php:34
action · admin_print_scripts · includes\class-dashboard-widget.php:37
action · admin_init · includes\class-setup.php:25
action · admin_menu · includes\class-setup.php:28
action · admin_enqueue_scripts · includes\class-setup.php:33
action · woocommerce_order_actions · includes\class-woocommerce.php:20
action · woocommerce_order_action_create_bill_action · includes\class-woocommerce.php:23
filter · manage_woocommerce_page_wc-orders_columns · includes\class-woocommerce.php:28
action · manage_woocommerce_page_wc-orders_custom_column · includes\class-woocommerce.php:30
filter · manage_edit-shop_order_columns · includes\class-woocommerce.php:34
action · manage_shop_order_posts_custom_column · includes\class-woocommerce.php:36
action · add_meta_boxes · includes\class-woocommerce.php:40
Maintenance & Trust

Checkbox Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 3, 2026
PHP min version: 7.1
Downloads: 12K

Community Trust

Rating: 96/100
Number of ratings: 12
Active installs: 300
Developer Profile

Checkbox Developer Profile

Ihor Kit

14 plugins · 3K total installs

Trust score: 93
Avg Security Score: 98/100
Avg Patch Time: 11 days
Detection Fingerprints

How We Detect Checkbox

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/checkbox/assets/css/checkbox.css
  • /wp-content/plugins/checkbox/assets/js/checkbox.js
  • /wp-content/plugins/checkbox/assets/js/checkbox-admin.js
  • /wp-content/plugins/checkbox/assets/css/checkbox-admin.css
Version Parameters
  • checkbox/style.css?ver=
  • checkbox/script.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • mrkv-checkbox-notice
  • checkbox-settings-page
HTML Comments
  • Stop access .php files through URL
  • Versions number
  • Include autoload
  • Include checkbox api library
  • +20 more
Data Attributes
  • data-toggle="modal"
  • data-target="#add-new-product-modal"
JS Globals
mrkv_checkbox_admin_params
REST Endpoints
  • /wp-json/checkbox/v1/settings
  • /wp-json/checkbox/v1/save-settings