Culqi Security & Risk Analysis

wordpress.org/plugins/culqi-checkout

Connect your online store to our CulqiOnline payment gateway securely and reliably.

1K active installs · v3.1.4 · PHP 5.6+ · WP 5.0+ · Updated Feb 6, 2025
Tags: checkout, culqi, payment-method, peru, woocommerce

Security score: 91 (A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Apr 22, 2024
Safety Verdict

Is Culqi Safe to Use in 2026?

Generally Safe

Score 91/100

Culqi has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Apr 22, 2024 · Updated 1yr ago
Risk Assessment

The "culqi-checkout" v3.1.4 plugin exhibits a generally good security posture, with strong practices in SQL query handling and output escaping, indicating developers are mindful of common web vulnerabilities. The plugin effectively utilizes prepared statements for all SQL queries and demonstrates a high percentage of properly escaped outputs, minimizing risks of SQL injection and cross-site scripting (XSS) through these vectors. The absence of critical or high severity taint flows further reinforces this positive assessment, suggesting that user-supplied data is being handled with care within the analyzed code paths. Additionally, the plugin leverages nonces and capability checks for most of its AJAX handlers.

However, a notable concern is the presence of 4 AJAX handlers without any authentication or authorization checks. These entry points are directly reachable by unauthenticated users, which creates a significant attack surface. While the static analysis identified no specific vulnerabilities in these unprotected handlers, their existence represents a clear risk. The plugin's vulnerability history includes one medium severity Server-Side Request Forgery (SSRF) vulnerability, now patched, which indicates a past oversight in handling external requests or data that could be manipulated. This history, combined with the unprotected AJAX handlers, suggests a need for continued vigilance and robust security reviews.

In conclusion, the "culqi-checkout" plugin demonstrates strong foundational security practices, particularly in data handling and sanitization. The developers have shown commitment to secure coding by addressing past vulnerabilities. The primary weakness lies in the exposed AJAX endpoints, which should be prioritized for immediate security hardening. A balanced view acknowledges the strengths in code quality while highlighting the critical need to secure the identified unprotected entry points to further mitigate potential risks.

Key Concerns

  • 4 AJAX handlers without auth checks
  • 1 medium severity CVE in vulnerability history
Vulnerabilities (1)

Culqi Security Vulnerabilities

CVEs by Year

2024: 1 CVE (patched)

Severity Breakdown

Medium: 1 (1 total CVE)

CVE-2024-32819 · medium · 6.4 · Server-Side Request Forgery (SSRF)

Culqi <= 3.0.14 - Authenticated (Subscriber+) Server-Side Request Forgery

Apr 22, 2024 · Patched in 3.0.15 (9 days)

Code Analysis (analyzed Mar 16, 2026)

Culqi Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (14 prepared)
Unescaped Output: 9 (478 escaped)
Nonce Checks: 13
Capability Checks: 12
File Operations: 1
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared · 14 total queries

Output Escaping

98% escaped · 487 total outputs

Data Flows: all sanitized

Data Flow Analysis

6 flows (one shown)
welcome_panel (admin\class-fullculqi-admin.php:40)
Columns: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface (4 unprotected)

Culqi Attack Surface

Entry Points: 14
Unprotected: 4

AJAX Handlers (14)

Type     Hook                            Location
auth     wp_ajax_load_culqi_checkout     includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-method.php:50
nopriv   wp_ajax_load_culqi_checkout     includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-method.php:51
auth     wp_ajax_load_culqi_checkout     includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-method.php:966
nopriv   wp_ajax_load_culqi_checkout     includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-method.php:967
auth     wp_ajax_upgrade_2_0_0           includes\admin\class-fullculqi-upgrader.php:20
auth     wp_ajax_culqi_merchants         includes\class-fullculqi-ajax.php:33
auth     wp_ajax_culqi_merchant          includes\class-fullculqi-ajax.php:36
auth     wp_ajax_create_culqi_refund     includes\class-fullculqi-ajax.php:39
auth     wp_ajax_delete_culqi_charges    includes\class-fullculqi-ajax.php:42
auth     wp_ajax_delete_culqi_orders     includes\class-fullculqi-ajax.php:45
auth     wp_ajax_delete_culqi_customers  includes\class-fullculqi-ajax.php:48
auth     wp_ajax_sync_culqi_charges      includes\class-fullculqi-ajax.php:51
auth     wp_ajax_sync_culqi_orders       includes\class-fullculqi-ajax.php:54
auth     wp_ajax_sync_culqi_customers    includes\class-fullculqi-ajax.php:57
WordPress Hooks (53)

Type     Hook                                    Location
action   admin_init                              admin\class-fullculqi-admin.php:7
action   admin_menu                              admin\class-fullculqi-admin.php:8
action   admin_head                              admin\class-fullculqi-admin.php:9
action   add_meta_boxes                          admin\class-fullculqi-admin.php:12
action   admin_enqueue_scripts                   admin\class-fullculqi-entities.php:7
action   add_meta_boxes                          admin\class-fullculqi-entities.php:9
action   admin_enqueue_scripts                   admin\class-fullculqi-settings.php:7
action   admin_menu                              admin\class-fullculqi-settings.php:8
action   admin_init                              admin\class-fullculqi-settings.php:9
action   add_meta_boxes_shop_order               includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:13
filter   fullculqi/charges/column_name           includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:16
filter   fullculqi/charges/column_value          includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:17
filter   fullculqi/orders/column_name            includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:18
filter   fullculqi/orders/column_value           includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:19
action   fullculqi/charges/basic/print_data      includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:22
action   fullculqi/orders/basic/print_data       includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:23
action   fullculqi/charges/sync/loop             includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:26
action   fullculqi/customers/link_to_email       includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:27
filter   fullculqi/ajax/refund/process           includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:31
action   fullculqi/upgrader/2_0_0/charges        includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:34
action   fullculqi/upgrader/2_0_0/after          includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-admin.php:35
action   plugins_loaded                          includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-main.php:15
filter   woocommerce_payment_gateways            includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-main.php:18
action   fullculqi/api/wc-actions                includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-main.php:21
action   fullculqi/orders/update                 includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-main.php:24
action   woocommerce_api_fullculqi_update_order  includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-main.php:27
action   admin_notices                           includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-main.php:44
action   wp_footer                               includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-method.php:52
filter   script_loader_tag                       includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-method.php:284
action   admin_head                              includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-method.php:969
action   wp_head                                 includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-method.php:994
action   wp_enqueue_scripts                      includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-method.php:1016
action   wp_enqueue_scripts                      includes\3rd-party\plugins\woocommerce\class-fullculqi-wc-method.php:1022
action   admin_enqueue_scripts                   includes\admin\class-fullculqi-settings.php:49
action   admin_menu                              includes\admin\class-fullculqi-settings.php:52
action   admin_init                              includes\admin\class-fullculqi-settings.php:55
action   admin_notices                           includes\admin\class-fullculqi-updater.php:17
action   admin_notices                           includes\admin\class-fullculqi-upgrader.php:17
action   admin_init                              includes\admin\class-fullculqi-welcome.php:28
action   admin_menu                              includes\admin\class-fullculqi-welcome.php:29
action   admin_head                              includes\admin\class-fullculqi-welcome.php:30
action   admin_enqueue_scripts                   includes\admin\metaboxes\class-fullculqi-metaboxes.php:15
action   before_delete_post                      includes\admin\metaboxes\class-fullculqi-metaboxes.php:21
action   pre_get_posts                           includes\admin\metaboxes\class-fullculqi-metaboxes.php:33
action   init                                    includes\class-fullculqi-cpt.php:14
action   init                                    includes\class-fullculqi-endpoints.php:15
filter   query_vars                              includes\class-fullculqi-endpoints.php:18
action   parse_request                           includes\class-fullculqi-endpoints.php:21
action   plugins_loaded                          includes\class-fullculqi-i18n.php:20
action   fullculqi/api/webhooks                  includes\class-fullculqi-webhooks.php:16
action   plugins_loaded                          includes\class-fullculqi.php:82
action   admin_enqueue_scripts                   includes\class-fullculqi.php:153
action   before_woocommerce_init                 index.php:109
Maintenance & Trust

Culqi Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.0.11
Last updated: Feb 6, 2025
PHP min version: 5.6
Downloads: 21K

Community Trust

Rating: 60/100
Number of ratings: 2
Active installs: 1K
Developer Profile

Culqi Developer Profile

culqionline

1 plugin · 1K total installs

Trust score: 88
Avg Security Score: 91/100
Avg Patch Time: 9 days
Detection Fingerprints

How We Detect Culqi

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/culqi-checkout/admin/assets/css/fullculqi_admin.css
/wp-content/plugins/culqi-checkout/admin/assets/css/fullculqi_addons.css
/wp-content/plugins/culqi-checkout/admin/assets/js/fullculqi_admin.js

Version Parameters
culqi-checkout/admin/assets/css/fullculqi_admin.css?_=
culqi-checkout/admin/assets/css/fullculqi_addons.css?_=
culqi-checkout/admin/assets/js/fullculqi_admin.js?_=

HTML / DOM Fingerprints

JS Globals
fullculqi