Course Flow Security & Risk Analysis

wordpress.org/plugins/course-flow

Sell online courses with Stripe using Course Flow — the fastest, lightweight WordPress plugin for Stripe Checkout integration with Tutor LMS, LearnPre …

0 active installs · v1.0.0 · PHP 7.4+ · WP 6.7+ · Updated Jan 6, 2026
Tags: learndash, learnpress, lms, stripe, tutor
100
A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Course Flow Safe to Use in 2026?

Generally Safe

Score 100/100

Course Flow has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The Course Flow plugin version 1.0.0 exhibits a generally strong security posture, with several positive indicators. The complete absence of known CVEs, including critical and high severity ones, along with no recorded vulnerabilities, suggests a history of good security practices by the developers. Furthermore, the code analysis reveals a low number of dangerous functions and 100% of SQL queries utilizing prepared statements, which are excellent defenses against SQL injection. The high percentage of properly escaped output (95%) also indicates a good effort to prevent cross-site scripting (XSS) vulnerabilities.

However, there are some areas for concern. The plugin presents a moderate attack surface with 11 total entry points, and 3 of these are unprotected: of the 7 REST API routes, 3 are registered without permission callbacks, meaning they could be accessed by unauthenticated users. While the taint analysis shows no critical or high severity flows, the presence of unprotected entry points, coupled with a lack of explicit capability checks on all of them, presents a potential risk. The plugin also bundles external libraries (Select2, Stripe PHP), and while their versioning isn't specified, outdated bundled libraries can sometimes introduce vulnerabilities. A more robust approach would involve ensuring that all entry points have appropriate authentication and authorization checks.

In conclusion, Course Flow v1.0.0 benefits from a clean vulnerability history and good internal coding practices for SQL and output sanitization. The primary weakness lies in its attack surface management, specifically the unprotected REST API routes. Addressing these unprotected endpoints with proper permission checks would significantly enhance the plugin's security. The limited number of unprotected entry points, combined with the absence of known vulnerabilities and good data sanitization practices, suggests that the overall risk is moderate, but attention should be paid to securing all API routes.

Key Concerns

  • Unprotected REST API routes
  • Bundled libraries without version info
Vulnerabilities
None known

Course Flow Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Course Flow Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (8 prepared)
Unescaped Output: 15 (290 escaped)
Nonce Checks: 3
Capability Checks: 10
File Operations: 1
External Requests: 2
Bundled Libraries: 2

Bundled Libraries

Select2, Stripe PHP

SQL Query Safety

100% prepared · 8 total queries

Output Escaping

95% escaped · 305 total outputs
Attack Surface
3 unprotected

Course Flow Attack Surface

Entry Points: 11
Unprotected: 3

AJAX Handlers 1

auth wp_ajax_courseflow_get_attachment_dimensions course-flow.php:960

REST API Routes 7

POST /wp-json/course-flow/v1/create-checkout course-flow.php:294
POST /wp-json/course-flow/v1/webhook course-flow.php:307
POST /wp-json/course-flow/v1/test-connection course-flow.php:317
POST /wp-json/course-flow/v1/save-settings course-flow.php:329
POST /wp-json/course-flow/v1/client-debug course-flow.php:850
POST /wp-json/course-flow/v1/create-checkout-session includes\stripe-handler.php:845
POST /wp-json/course-flow/v1/webhook includes\stripe-handler.php:855

Shortcodes 3

[courseflow_course] includes\shortcode.php:22
[courseflow_buycourse] includes\shortcode.php:23
[courseflow_imagebuycourse] includes\shortcode.php:24

WordPress Hooks 51

action admin_init admin\button-settings-page.php:314
action admin_init admin\image-button-settings-page.php:72
action admin_init admin\settings-page.php:14
action admin_init admin\url-collection-handler.php:168
action rest_pre_dispatch admin\url-collection-handler.php:187
action plugins_loaded course-flow.php:61
action rest_api_init course-flow.php:341
action admin_menu course-flow.php:432
action admin_enqueue_scripts course-flow.php:702
action wp_enqueue_scripts course-flow.php:718
action wp_enqueue_scripts course-flow.php:842
action rest_api_init course-flow.php:862
action plugins_loaded course-flow.php:979
action init includes\courseflow-lp-integration.php:41
action courseflow_lp_checkout_order_processed includes\courseflow-lp-integration.php:400
action courseflow_lp_order_status_completed includes\courseflow-lp-integration.php:412
action courseflow_lp_user_enrolled_course includes\courseflow-lp-integration.php:424
action courseflow_lp_order_completed includes\courseflow-lp-integration.php:439
action init includes\courseflow-lp-integration.php:450
action wp_enqueue_scripts includes\courseflow-lp-integration.php:491
action pre_get_posts includes\learndash-integration.php:84
filter learndash_transactions_query includes\learndash-integration.php:105
filter posts_pre_query includes\learndash-integration.php:126
filter the_posts includes\learndash-integration.php:144
action save_post includes\learndash-integration.php:157
action delete_post includes\learndash-integration.php:158
action trash_post includes\learndash-integration.php:159
action untrash_post includes\learndash-integration.php:160
filter posts_request includes\learndash-integration.php:178
action posts_results includes\learndash-integration.php:196
filter learndash_admin_columns includes\learndash-integration.php:214
filter learndash_get_payment_processor_name includes\learndash-integration.php:231
filter learndash_transaction_details includes\learndash-integration.php:262
filter manage_sfwd-transactions_posts_columns includes\learndash-integration.php:285
filter manage_edit-sfwd-transactions_sortable_columns includes\learndash-integration.php:299
filter learndash_admin_column_content_item includes\learndash-integration.php:332
action manage_sfwd-transactions_posts_custom_column includes\learndash-integration.php:383
filter gettext includes\learndash-integration.php:403
filter ngettext includes\learndash-integration.php:423
filter wp_new_user_notification_email includes\learndash-integration.php:472
filter wp_new_user_notification_email_admin includes\learndash-integration.php:473
action init includes\shortcode.php:26
action rest_api_init includes\stripe-handler.php:842
action plugins_loaded includes\tutor-integration.php:623
action tutor_course_single_enroll_form includes\tutor-integration.php:628
action tutor_course_single_add_to_cart_form includes\tutor-integration.php:631
action tutor_course_single_buttons includes\tutor-integration.php:634
action tutor_course_loop_button includes\tutor-integration.php:637
action wp_enqueue_scripts includes\tutor-integration.php:646
filter tutor_enroll_required_login_class includes\tutor-integration.php:649
filter tutor_add_to_cart_btn includes\tutor-integration.php:652
Maintenance & Trust

Course Flow Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 6, 2026
PHP min version: 7.4
Downloads: 136

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0
Developer Profile

Course Flow Developer Profile

Pawel Borowiec

1 plugin · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Course Flow

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

HTML / DOM Fingerprints

Data Attributes: data-courseflow-checkout-button
REST Endpoints: /course-flow/v1/webhook
Shortcode Output: [courseflow_checkout_button]
FAQ

Frequently Asked Questions about Course Flow