Clerk Security & Risk Analysis

wordpress.org/plugins/clerkio

Clerk.io is software that helps your customers buy more from your webshop, through 4 amazing features:

300 active installs · v4.2.1 · PHP + · WP + · Updated Mar 26, 2025

Tags: customer-conversion, customer-retention, customer-segmentation, product-recommendations, semantic-search

Score: 92 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Nov 10, 2022
Safety Verdict

Is Clerk Safe to Use in 2026?

Generally Safe

Score 92/100

Clerk has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Nov 10, 2022 · Updated 1yr ago
Risk Assessment

The "clerkio" v4.2.1 plugin presents a mixed security posture. On the positive side, it demonstrates good practices in its handling of SQL queries, exclusively using prepared statements, and a very high percentage of properly escaped output, minimizing risks of SQL injection and XSS. The absence of file operations and dangerous functions is also a strength. However, significant concerns arise from its attack surface. A substantial portion of AJAX handlers (5 out of 5) and REST API routes (12 out of 12) lack proper authorization checks, leaving them vulnerable to unauthorized access and manipulation. The complete absence of nonce checks on AJAX endpoints further exacerbates this risk, potentially allowing for Cross-Site Request Forgery (CSRF) attacks. While there are no currently unpatched CVEs, the plugin has a history of one medium-severity vulnerability related to Authorization Bypass Through User-Controlled Key. This past vulnerability, coupled with the current lack of authorization checks on many entry points, suggests a recurring area of weakness that requires attention. The two taint flows with unsanitized paths, while not rated critical or high, are concerning as they indicate potential vulnerabilities in how external data is processed.

Key Concerns

  • 5 AJAX handlers without auth checks
  • 12 REST API routes without permission callbacks
  • 0 Nonce checks on AJAX endpoints
  • 2 Flows with unsanitized paths (taint analysis)
  • 1 Medium severity CVE in history
Vulnerabilities
1 published

Clerk Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2022-3907 · medium · 5.6 · Authorization Bypass Through User-Controlled Key

Clerk <= 3.8.2 - Authorization Bypass via Insufficient Validation

Nov 10, 2022 · Patched in 3.8.3 (439 days)
Version History

Clerk Release Timeline

v4.2.1 (current)
v4.2.0
v4.1.9
v4.1.8
v4.1.7
v4.1.6
v4.1.5
v4.1.4
v4.1.3
v4.1.2
v4.1.1
v4.1.0
v4.0.9
v4.0.8
v4.0.7
v4.0.6
v4.0.5
v4.0.4
v4.0.3
v4.0.2
Code Analysis
Analyzed Mar 16, 2026

Clerk Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 18 (356 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 8
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

95% escaped · 374 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
redirect_to_powerstep_no_ajax (includes\class-clerk-powerstep.php:131)
Attack Surface
17 unprotected

Clerk Attack Surface

Entry Points: 22
Unprotected: 17

AJAX Handlers 5

auth · wp_ajax_clerk_powerstep · includes\class-clerk-powerstep.php:66
nopriv · wp_ajax_clerk_powerstep · includes\class-clerk-powerstep.php:67
nopriv · wp_ajax_get_cart · includes\class-clerk-visitor-tracking.php:52
auth · wp_ajax_get_cart · includes\class-clerk-visitor-tracking.php:53
auth · wp_ajax_clerk_get_parameters_for_content · includes\widgets\class-clerk-widget-content.php:44

REST API Routes 12

GET /wp-json/clerk/getconfig · includes\class-clerk-rest-api.php:85
POST /wp-json/clerk/setconfig · includes\class-clerk-rest-api.php:96
GET /wp-json/clerk/product · includes\class-clerk-rest-api.php:107
GET /wp-json/clerk/page · includes\class-clerk-rest-api.php:118
GET /wp-json/clerk/page-rtu · includes\class-clerk-rest-api.php:129
GET /wp-json/clerk/category · includes\class-clerk-rest-api.php:140
GET /wp-json/clerk/order · includes\class-clerk-rest-api.php:151
GET /wp-json/clerk/customer · includes\class-clerk-rest-api.php:162
GET /wp-json/clerk/version · includes\class-clerk-rest-api.php:173
GET /wp-json/clerk/plugin · includes\class-clerk-rest-api.php:184
GET /wp-json/clerk/log · includes\class-clerk-rest-api.php:195
GET /wp-json/clerk/rotatekey · includes\class-clerk-rest-api.php:206

Shortcodes 5

[clerk-powerstep] includes\class-clerk-powerstep.php:64
[clerk-search] includes\class-clerk-search.php:53
[clerk_product_id] includes\class-clerk-visitor-tracking.php:67
[clerk_category_id] includes\class-clerk-visitor-tracking.php:68
[clerk_cart_ids] includes\class-clerk-visitor-tracking.php:69
WordPress Hooks 32

action · widgets_init · class-clerk.php:73
action · plugins_loaded · class-clerk.php:81
action · admin_init · includes\class-clerk-admin-settings.php:61
action · admin_menu · includes\class-clerk-admin-settings.php:62
action · admin_menu · includes\class-clerk-admin-settings.php:63
action · admin_menu · includes\class-clerk-admin-settings.php:64
filter · woocommerce_add_to_cart_redirect · includes\class-clerk-basket.php:59
filter · template_redirect · includes\class-clerk-basket.php:60
action · woocommerce_archive_description · includes\class-clerk-content.php:35
action · woocommerce_after_cart · includes\class-clerk-content.php:36
action · woocommerce_after_single_product · includes\class-clerk-content.php:37
filter · wc_get_template · includes\class-clerk-content.php:38
action · wp_footer · includes\class-clerk-exit-intent.php:52
filter · woocommerce_add_to_cart_redirect · includes\class-clerk-powerstep.php:61
filter · template_redirect · includes\class-clerk-powerstep.php:62
filter · query_vars · includes\class-clerk-powerstep.php:63
action · wp_enqueue_scripts · includes\class-clerk-powerstep.php:65
action · woocommerce_new_product · includes\class-clerk-realtime-updates.php:78
action · save_post · includes\class-clerk-realtime-updates.php:81
action · before_delete_post · includes\class-clerk-realtime-updates.php:82
action · wp_trash_post · includes\class-clerk-realtime-updates.php:83
action · woocommerce_product_import_inserted_product_object · includes\class-clerk-realtime-updates.php:85
action · before_delete_post · includes\class-clerk-realtime-updates.php:86
action · rest_api_init · includes\class-clerk-rest-api.php:68
filter · rest_pre_serve_request · includes\class-clerk-rest-api.php:69
action · pre_get_posts · includes\class-clerk-rest-api.php:1531
action · woocommerce_thankyou · includes\class-clerk-sales-tracking.php:53
filter · query_vars · includes\class-clerk-search.php:52
action · wp_footer · includes\class-clerk-visitor-tracking.php:51
action · init · includes\class-clerk-visitor-tracking.php:54
action · woocommerce_review_order_before_submit · includes\class-clerk-visitor-tracking.php:59
action · admin_enqueue_scripts · includes\widgets\class-clerk-widget-content.php:43
Maintenance & Trust

Clerk Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.5.8
Last updated: Mar 26, 2025
PHP min version:
Downloads: 17K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 300
Developer Profile

Clerk Developer Profile

clerkio

1 plugin · 300 total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 439 days
Detection Fingerprints

How We Detect Clerk

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/clerkio/assets/css/admin.css
/wp-content/plugins/clerkio/assets/js/admin.js
Version Parameters
clerkio/assets/css/admin.css?ver=
clerkio/assets/js/admin.js?ver=

HTML / DOM Fingerprints

JS Globals
clerk_options, clerk_pll_languages_list, clerk_is_wpml_enabled, clerk_wpml_get_active_scope, clerk_is_pll_enabled, clerk_pll_current_language (+1 more)
FAQ

Frequently Asked Questions about Clerk