Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager Security & Risk Analysis

wordpress.org/plugins/flexible-checkout-fields

The best WooCommerce checkout manager. Edit, remove or add checkout fields. Customize WooCommerce checkout with this checkout field customizer.

80K active installs v4.1.36 PHP 7.4+ WP 6.4+ Updated Mar 7, 2026
Tags: checkout-field-customizer, custom-fields, woocommerce-checkout, woocommerce-checkout-fields, woocommerce-checkout-manager
Score: 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Apr 5, 2024
Safety Verdict

Is Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager Safe to Use in 2026?

Generally Safe

Score 98/100

Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Apr 5, 2024 · Updated 29d ago
Risk Assessment

The plugin "flexible-checkout-fields" v4.1.36 exhibits a mixed security posture, with some positive indicators and several elements that warrant attention. On the positive side, the attack surface is small: there is only one AJAX handler, and that entry point appears to have an authentication check. 82% of outputs are properly escaped, which suggests a general awareness of output sanitization, and the presence of nonce and capability checks further contributes to good security practice. However, the static analysis flags several dangerous functions, including `unserialize`, `proc_open`, and `shell_exec`, which can be exploited if they are not handled with extreme care and robust input validation. Per the findings listed on this page, the `proc_open` and `shell_exec` calls are in the bundled Monolog library (`vendor_prefixed\monolog`), and the `unserialize` call is applied to the result of `serialize( $sections )`. In addition, neither of the two SQL queries uses a prepared statement, which is a significant risk because it opens the door to SQL injection. The taint analysis highlights critical flows with unsanitized paths, indicating potential for malicious input to be processed in an unsafe manner.

The vulnerability history of this plugin is a significant concern. With two known CVEs, including a high-severity one, and a recent vulnerability in April 2024, it suggests a recurring pattern of security weaknesses. The common types of vulnerabilities found in the past (Missing Authorization, Cross-site Scripting) align with the potential risks identified in the static and taint analyses. While there are currently no unpatched CVEs, the history indicates a persistent need for rigorous security auditing and prompt patching. The plugin demonstrates strengths in output escaping and the presence of some security checks, but the use of dangerous functions, lack of prepared statements for all SQL, critical taint flows, and a history of significant vulnerabilities collectively point to a moderate to high-risk profile that requires ongoing vigilance.

Key Concerns

  • Dangerous functions used (unserialize, proc_open, shell_exec)
  • SQL queries not using prepared statements
  • High severity taint flows (2)
  • Flows with unsanitized paths (4)
  • Past high severity CVE
  • Past medium severity CVE
  • Recent vulnerability (2024-04-05)
Vulnerabilities
2

Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager Security Vulnerabilities

CVEs by Year

2020: 1 CVE
2024: 1 CVE

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2024-31267 · medium · 4.3 · Missing Authorization

Flexible Checkout Fields for WooCommerce <= 4.1.2 - Missing Authorization

Apr 5, 2024 Patched in 4.1.3 (7d)
CVE-2020-36731 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Flexible Checkout Fields for WooCommerce <= 2.3.1 - Unauthenticated Arbitrary Plugin Settings Update

Feb 26, 2020 Patched in 2.3.2 (1427d)
Code Analysis
Analyzed Mar 16, 2026

Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 2 (0 prepared)
Unescaped Output: 89 (407 escaped)
Nonce Checks: 6
Capability Checks: 5
File Operations: 18
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize: `$all_sections = unserialize( serialize( $sections ) );` (classes\plugin.php:360)
  • proc_open: `$this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd);` (vendor_prefixed\monolog\monolog\src\Monolog\Handler\ProcessHandler.php:104)
  • shell_exec: `$branches = shell_exec('git branch -v --no-abbrev');` (vendor_prefixed\monolog\monolog\src\Monolog\Processor\GitProcessor.php:60)
  • shell_exec: `$result = explode(' ', trim((string) shell_exec('hg id -nb')));` (vendor_prefixed\monolog\monolog\src\Monolog\Processor\MercurialProcessor.php:59)

SQL Query Safety

0% prepared · 2 total queries

Output Escaping

82% escaped · 496 total outputs
Data Flows
4 unsanitized

Data Flow Analysis

6 flows · 4 with unsanitized paths
handle_ajax_request (vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\RequestSenderService.php:61)
Attack Surface

Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers 1

auth · wp_ajax_wpdesk_notice_dismiss · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:42
WordPress Hooks 103
filter · woocommerce_localisation_address_formats · classes\display-options.php:37
filter · woocommerce_formatted_address_replacements · classes\display-options.php:38
filter · woocommerce_order_formatted_billing_address · classes\display-options.php:39
filter · woocommerce_order_formatted_shipping_address · classes\display-options.php:40
filter · woocommerce_my_account_my_address_formatted_address · classes\display-options.php:43
action · woocommerce_billing_fields · classes\display-options.php:45
action · woocommerce_shipping_fields · classes\display-options.php:46
action · woocommerce_email_customer_details · classes\display-options.php:48
action · woocommerce_email_customer_details · classes\display-options.php:50
action · woocommerce_thankyou · classes\display-options.php:53
action · woocommerce_email_order_meta · classes\display-options.php:54
action · woocommerce_view_order · classes\display-options.php:55
action · woocommerce_after_checkout_validation · classes\filed-validation.php:32
filter · woocommerce_checkout_required_field_notice · classes\filed-validation.php:33
filter · woocommerce_address_to_edit · classes\myaccount-edit-address.php:29
action · wp_loaded · classes\myaccount-field-processor.php:45
action · init · classes\plugin.php:131
action · woocommerce_checkout_fields · classes\plugin.php:133
action · woocommerce_checkout_create_order · classes\plugin.php:134
action · woocommerce_admin_order_data_after_billing_address · classes\plugin.php:136
action · woocommerce_admin_order_data_after_shipping_address · classes\plugin.php:143
action · woocommerce_admin_order_data_after_shipping_address · classes\plugin.php:150
action · woocommerce_billing_fields · classes\plugin.php:158
action · woocommerce_shipping_fields · classes\plugin.php:159
action · woocommerce_order_fields · classes\plugin.php:160
action · woocommerce_before_checkout_form · classes\plugin.php:162
action · woocommerce_before_edit_address_form_shipping · classes\plugin.php:163
action · woocommerce_before_edit_address_form_billing · classes\plugin.php:171
filter · flexible_checkout_fields_section_fields · classes\plugin.php:180
action · woocommerce_default_address_fields · classes\plugin.php:182
filter · woocommerce_get_country_locale · classes\plugin.php:183
filter · woocommerce_get_country_locale_base · classes\plugin.php:184
action · woocommerce_get_country_locale_default · classes\plugin.php:186
filter · woocommerce_screen_ids · classes\plugin.php:188
filter · flexible_checkout_fields · classes\plugin.php:210
action · wp_enqueue_scripts · classes\plugin.php:897
action · init · classes\settings.php:24
action · admin_init · classes\settings.php:25
filter · wpdesk_tracker_data · classes\tracker.php:19
filter · wpdesk_tracker_notice_screens · classes\tracker.php:20
filter · plugin_action_links_flexible-checkout-fields/flexible-checkout-fields.php · classes\tracker.php:22
action · activated_plugin · classes\tracker.php:23
filter · woocommerce_checkout_update_user_meta · classes\user-meta-checkout.php:42
action · show_user_profile · classes\user-profile.php:52
action · edit_user_profile · classes\user-profile.php:53
action · personal_options_update · classes\user-profile.php:55
action · edit_user_profile_update · classes\user-profile.php:56
action · before_woocommerce_init · flexible-checkout-fields.php:77
action · activated_plugin · inc\wpdesk-woo27-functions.php:12
action · plugins_loaded · inc\wpdesk-woo27-functions.php:91
action · enqueue_block_editor_assets · src\Blocks\Editor.php:17
filter · woocommerce_form_field · src\Field\FieldTemplateLoader.php:33
filter · flexible_checkout_fields_form_field · src\Field\FieldTemplateLoader.php:34
filter · woocommerce_form_field_args · src\Field\FieldTemplateLoader.php:35
filter · woocommerce_form_field · src\Field\FieldTemplateLoader.php:77
filter · flexible_checkout_fields_field_args · src\Field\FieldTranslator.php:16
filter · flexible_checkout_fields/field_types · src\Field\Type\TypeIntegration.php:30
action · wp_enqueue_scripts · src\Form\Assets.php:28
action · admin_print_scripts-post.php · src\Form\Assets.php:29
action · admin_print_scripts-post-new.php · src\Form\Assets.php:30
action · admin_print_scripts-profile.php · src\Form\Assets.php:31
action · woocommerce_before_order_notes · src\Form\FormModifier.php:13
filter · woocommerce_enable_order_notes_field · src\Form\FormModifier.php:30
action · init · src\Integration\IntegratorIntegration.php:36
action · flexible_checkout_fields/after_settings · src\Marketing\SupportPage.php:26
action · admin_enqueue_scripts · src\Marketing\SupportPage.php:27
filter · admin_init · src\Notice\NoticeIntegration.php:40
filter · admin_notices · src\Notice\NoticeIntegration.php:53
action · admin_enqueue_scripts · src\Notice\NoticeIntegration.php:54
action · admin_enqueue_scripts · src\Notice\NoticeIntegration.php:55
filter · flexible_checkout_fields/short_url · src\Service\ShortLinksGenerator.php:24
action · init · src\Settings\MigrationsManager.php:38
action · admin_menu · src\Settings\Page.php:49
action · admin_enqueue_scripts · src\Settings\Page.php:50
filter · admin_footer_text · src\Settings\Page.php:79
action · rest_api_init · src\Settings\Route\RouteIntegration.php:35
filter · flexible_checkout_fields/field_settings_tabs · src\Settings\Tab\TabIntegration.php:30
action · admin_init · src\Tracker\DeactivationTracker.php:35
filter · flexible_checkout_fields_field_args · src\Validator\ValidationClassGenerator.php:19
filter · flexible_checkout_fields_field_args · src\Validator\ValidationClassGenerator.php:20
action · wp_dashboard_setup · vendor_prefixed\wpdesk\ltv-dashboard-widget\src\DashboardWidget.php:102
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:148
action · wp_enqueue_scripts · vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:149
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:41
action · admin_notices · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:144
action · admin_footer · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:145
filter · wp_autoloader_loader_loaders_to_load · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:45
filter · wp_autoloader_loader_loaders_to_create · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:46
action · plugins_loaded · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\Simple\SimplePaidStrategy.php:58
action · plugins_loaded · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:81
action · before_woocommerce_init · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:88
action · activated_plugin · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:102
filter · doing_it_wrong_trigger_error · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:123
action · admin_print_styles-plugins.php · vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\AssetsPrinterService.php:26
action · admin_print_footer_scripts-plugins.php · vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\AssetsPrinterService.php:27
action · admin_print_footer_scripts-plugins.php · vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\TemplateGeneratorService.php:43
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-wpdesk-marketing\src\Boxes\Assets.php:16
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-wpdesk-marketing\src\Boxes\Assets.php:30
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\Assets.php:28
action · admin_menu · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:35
action · admin_init · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:36
action · admin_notices · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptOut.php:28
filter · plugin_row_meta · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\PluginActionLinks.php:36
Maintenance & Trust

Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 7, 2026
PHP min version: 7.4
Downloads: 3.5M

Community Trust

Rating: 94/100
Number of ratings: 291
Active installs: 80K
Developer Profile

Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager Developer Profile

wpdesk

23 plugins · 127K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 135 days
Detection Fingerprints

How We Detect Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/flexible-checkout-fields/assets/css/backend.css
  • /wp-content/plugins/flexible-checkout-fields/assets/css/frontend.css
  • /wp-content/plugins/flexible-checkout-fields/assets/js/backend.js
  • /wp-content/plugins/flexible-checkout-fields/assets/js/frontend.js
  • /wp-content/plugins/flexible-checkout-fields/classes/settings.php
Script Paths
  • /wp-content/plugins/flexible-checkout-fields/assets/js/backend.js
  • /wp-content/plugins/flexible-checkout-fields/assets/js/frontend.js
Version Parameters
  • flexible-checkout-fields/assets/css/backend.css?ver=
  • flexible-checkout-fields/assets/css/frontend.css?ver=
  • flexible-checkout-fields/assets/js/backend.js?ver=
  • flexible-checkout-fields/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • fcf_layout_fields
  • fcf_field_wrapper
  • fcf-field-type-text
  • fcf-field-type-textarea
  • fcf-field-type-select
  • fcf-field-type-multi-select
  • fcf-field-type-radio
  • fcf-field-type-checkbox
  • +18 more
HTML Comments
  • <!-- Flexible Checkout Fields -->
  • <!-- End Flexible Checkout Fields -->
  • <!-- Flexible Checkout Fields Field -->
  • <!-- Flexible Checkout Fields Field End -->
  • +2 more
Data Attributes
  • data-fcf-field-id
  • data-fcf-field-type
  • data-fcf-field-name
  • data-fcf-field-label
  • data-fcf-field-placeholder
  • data-fcf-field-required
  • +8 more
JS Globals
  • flexible_checkout_fields_params
  • fcf_admin_params
  • fcf_frontend_params
REST Endpoints
  • /wp-json/fcf/v1/fields
  • /wp-json/fcf/v1/settings
FAQ

Frequently Asked Questions about Flexible Checkout Fields for WooCommerce – WooCommerce Checkout Manager