Kit (formerly ConvertKit) for WooCommerce Security & Risk Analysis

wordpress.org/plugins/convertkit-for-woocommerce

Integrates WooCommerce with Kit allowing customers to be automatically sent to your Kit account.

4K active installs · v2.1.0 · PHP 7.1+ · WP 5.0+ · Updated Mar 10, 2026
Tags: capture, convertkit, email, embed-form, marketing
Score: 100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Kit (formerly ConvertKit) for WooCommerce Safe to Use in 2026?

Generally Safe

Score 100/100

Kit (formerly ConvertKit) for WooCommerce has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 25d ago
Risk Assessment

The convertkit-for-woocommerce plugin version 2.1.0 exhibits a generally good security posture based on the provided static analysis. The plugin has a limited attack surface with no directly unprotected entry points identified, which is a positive indicator. Furthermore, the absence of dangerous function usage, file operations, and external HTTP requests suggests careful coding practices in these sensitive areas. The high percentage of properly escaped output and the presence of nonce and capability checks are also strong indicators of security awareness.

However, a significant concern arises from the SQL query analysis. The presence of a SQL query that does not utilize prepared statements is a notable weakness. While the total number of SQL queries is low, any unparameterized query represents a potential risk for SQL injection vulnerabilities, especially if user-supplied data is directly incorporated. The absence of any recorded vulnerabilities in its history is reassuring, but it does not negate the risks identified in the static analysis, particularly the raw SQL query.

In conclusion, the plugin demonstrates good fundamental security practices with a small attack surface and robust output escaping. The primary area of concern is the single SQL query lacking prepared statements. While the plugin's historical vulnerability record is clean, this static analysis finding requires attention to mitigate potential SQL injection risks. The overall security is good, but this specific coding practice detracts from an otherwise strong assessment.

Key Concerns

  • SQL query without prepared statements
Vulnerabilities
None known

Kit (formerly ConvertKit) for WooCommerce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Kit (formerly ConvertKit) for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (0 prepared)
Unescaped Output: 6 (132 escaped)
Nonce Checks: 6
Capability Checks: 4
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

0% prepared · 1 total query

Output Escaping

96% escaped · 138 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
maybe_import_configuration (includes\class-ckwc-integration.php:285)
[Data flow diagram. Legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

Kit (formerly ConvertKit) for WooCommerce Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 2

auth  wp_ajax_ckwc_abandoned_cart_email  includes\class-ckwc-abandoned-cart.php:58
nopriv  wp_ajax_ckwc_abandoned_cart_email  includes\class-ckwc-abandoned-cart.php:59

REST API Routes 2

GET  /wp-json/kit/v1/woocommerce/resources/refresh  includes\class-ckwc-rest-api.php:46
GET  /wp-json/kit/v1/woocommerce/order/send/(?P<id>\d+)  includes\class-ckwc-rest-api.php:67
WordPress Hooks 55
action  admin_enqueue_scripts  admin\class-ckwc-admin-bulk-edit.php:37
action  load-edit.php  admin\class-ckwc-admin-bulk-edit.php:38
action  in_admin_footer  admin\class-ckwc-admin-bulk-edit.php:62
action  woocommerce_process_shop_order_meta  admin\class-ckwc-admin-order.php:44
action  admin_enqueue_scripts  admin\class-ckwc-admin-post-type.php:58
action  admin_enqueue_scripts  admin\class-ckwc-admin-post-type.php:59
action  admin_enqueue_scripts  admin\class-ckwc-admin-quick-edit.php:37
action  add_inline_data  admin\class-ckwc-admin-quick-edit.php:38
action  in_admin_footer  admin\class-ckwc-admin-quick-edit.php:93
action  woocommerce_add_to_cart  includes\class-ckwc-abandoned-cart.php:47
action  woocommerce_after_cart_item_quantity_update  includes\class-ckwc-abandoned-cart.php:48
action  woocommerce_cart_item_removed  includes\class-ckwc-abandoned-cart.php:49
action  woocommerce_before_cart  includes\class-ckwc-abandoned-cart.php:52
action  woocommerce_checkout_init  includes\class-ckwc-abandoned-cart.php:55
action  woocommerce_checkout_order_processed  includes\class-ckwc-abandoned-cart.php:62
action  wp_enqueue_scripts  includes\class-ckwc-abandoned-cart.php:65
action  admin_notices  includes\class-ckwc-admin-notices.php:35
filter  woocommerce_checkout_fields  includes\class-ckwc-checkout.php:49
action  woocommerce_checkout_update_order_meta  includes\class-ckwc-checkout.php:52
action  woocommerce_set_additional_field_value  includes\class-ckwc-checkout.php:62
action  woocommerce_store_api_checkout_update_order_from_request  includes\class-ckwc-checkout.php:69
action  woocommerce_checkout_update_order_meta  includes\class-ckwc-checkout.php:75
action  woocommerce_store_api_checkout_update_order_from_request  includes\class-ckwc-checkout.php:78
action  admin_init  includes\class-ckwc-integration.php:92
action  admin_init  includes\class-ckwc-integration.php:93
action  admin_init  includes\class-ckwc-integration.php:94
action  admin_enqueue_scripts  includes\class-ckwc-integration.php:97
action  admin_enqueue_scripts  includes\class-ckwc-integration.php:98
action  woocommerce_process_shop_order_meta  includes\class-ckwc-order.php:75
action  woocommerce_checkout_update_order_meta  includes\class-ckwc-order.php:76
action  woocommerce_order_status_changed  includes\class-ckwc-order.php:77
action  woocommerce_order_status_changed  includes\class-ckwc-order.php:81
filter  woocommerce_order_formatted_billing_address  includes\class-ckwc-order.php:1039
filter  woocommerce_order_formatted_shipping_address  includes\class-ckwc-order.php:1040
filter  woocommerce_formatted_address_force_country_display  includes\class-ckwc-order.php:1041
action  admin_enqueue_scripts  includes\class-ckwc-refresh-resources.php:25
action  rest_api_init  includes\class-ckwc-rest-api.php:34
action  shutdown  includes\class-ckwc-setup.php:36
filter  convertkit_for_woocommerce_order_should_opt_in_customer  includes\class-ckwc-wc-subscriptions.php:62
filter  woocommerce_integrations  includes\class-wp-ckwc.php:45
action  woocommerce_blocks_loaded  includes\class-wp-ckwc.php:48
action  before_woocommerce_init  includes\class-wp-ckwc.php:51
action  woocommerce_init  includes\class-wp-ckwc.php:54
action  convertkit_for_woocommerce_initialize_global  includes\class-wp-ckwc.php:57
action  woocommerce_blocks_checkout_block_registration  includes\class-wp-ckwc.php:119
action  ckwc_abandoned_cart  includes\cron-functions.php:91
action  ckwc_refresh_token  includes\cron-functions.php:145
action  shutdown  includes\functions.php:21
action  shutdown  includes\functions.php:31
action  shutdown  includes\functions.php:55
action  convertkit_api_get_access_token  includes\functions.php:246
action  convertkit_api_refresh_token  includes\functions.php:247
action  convertkit_api_access_token_invalid  includes\functions.php:251
action  wp_insert_site  woocommerce-convertkit.php:82
action  activate_blog  woocommerce-convertkit.php:83

Scheduled Events 1

ckwc_refresh_token
Maintenance & Trust

Kit (formerly ConvertKit) for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 10, 2026
PHP min version: 7.1
Downloads: 343K

Community Trust

Rating: 100/100
Number of ratings: 6
Active installs: 4K
Developer Profile

Kit (formerly ConvertKit) for WooCommerce Developer Profile

nathanbarry

1 plugin · 4K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Kit (formerly ConvertKit) for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/convertkit-for-woocommerce/resources/backend/css/bulk-quick-edit.css
  • /wp-content/plugins/convertkit-for-woocommerce/resources/backend/css/refresh-resources.css
  • /wp-content/plugins/convertkit-for-woocommerce/resources/backend/js/bulk-edit.js
  • /wp-content/plugins/convertkit-for-woocommerce/resources/backend/js/quick-edit.js
  • /wp-content/plugins/convertkit-for-woocommerce/resources/backend/js/refresh-resources.js
  • /wp-content/plugins/convertkit-for-woocommerce/resources/backend/js/setup.js
  • /wp-content/plugins/convertkit-for-woocommerce/resources/frontend/css/checkout.css
  • /wp-content/plugins/convertkit-for-woocommerce/resources/frontend/js/checkout.js
  • +1 more
Script Paths
  • /wp-content/plugins/convertkit-for-woocommerce/resources/backend/js/bulk-edit.js
  • /wp-content/plugins/convertkit-for-woocommerce/resources/backend/js/quick-edit.js
  • /wp-content/plugins/convertkit-for-woocommerce/resources/backend/js/refresh-resources.js
  • /wp-content/plugins/convertkit-for-woocommerce/resources/backend/js/setup.js
  • /wp-content/plugins/convertkit-for-woocommerce/resources/frontend/js/checkout.js
  • /wp-content/plugins/convertkit-for-woocommerce/resources/frontend/js/setup.js
Version Parameters
  • convertkit-for-woocommerce/resources/backend/css/bulk-quick-edit.css?ver=
  • convertkit-for-woocommerce/resources/backend/css/refresh-resources.css?ver=
  • convertkit-for-woocommerce/resources/backend/js/bulk-edit.js?ver=
  • convertkit-for-woocommerce/resources/backend/js/quick-edit.js?ver=
  • convertkit-for-woocommerce/resources/backend/js/refresh-resources.js?ver=
  • convertkit-for-woocommerce/resources/backend/js/setup.js?ver=
  • convertkit-for-woocommerce/resources/frontend/css/checkout.css?ver=
  • convertkit-for-woocommerce/resources/frontend/js/checkout.js?ver=
  • convertkit-for-woocommerce/resources/frontend/js/setup.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • ckwc-bulk-edit-form
  • ckwc-quick-edit-form
  • ckwc-refresh-resources-wrapper
  • ckwc-setup-wrapper
HTML Comments
  • <!-- Bulk Edit settings for ConvertKit -->
  • <!-- Quick Edit settings for ConvertKit -->
  • <!-- Setup Wizard for ConvertKit -->
  • <!-- Abandoned Cart Settings -->
  • +1 more
Data Attributes
  • data-ckwc-bulk-edit
  • data-ckwc-quick-edit
  • data-ckwc-setup
JS Globals
  • ckwc_bulk_edit_params
  • ckwc_quick_edit_params
  • ckwc_refresh_resources_params
  • ckwc_setup_params
  • CKWC_API_SETTINGS
  • CKWC_RESOURCE_LIST
REST Endpoints
  • /wp-json/ckwc/v1/settings
  • /wp-json/ckwc/v1/resources
  • /wp-json/ckwc/v1/sync
Shortcode Output
  • [ckwc_checkout_form]
  • [ckwc_signup_form]
FAQ

Frequently Asked Questions about Kit (formerly ConvertKit) for WooCommerce