HeadlessWC: Ultimate eCommerce Decoupler Security & Risk Analysis

wordpress.org/plugins/headless-wc

The ultimate solution for integrating headless checkout functionalities into your WooCommerce store

0 active installs · v1.3.7 · PHP 7.4+ · WP 5.1+ · Updated Oct 11, 2025
Tags: cart, headless, rest-api, woocommerce
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is HeadlessWC: Ultimate eCommerce Decoupler Safe to Use in 2026?

Generally Safe

Score 100/100

HeadlessWC: Ultimate eCommerce Decoupler has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 7mo ago
Risk Assessment

The "headless-wc" plugin version 1.3.7 exhibits a mixed security posture. On the positive side, it demonstrates good practices by not using dangerous functions and exclusively employing prepared statements for SQL queries. The plugin also shows a strong effort towards output escaping, with a high percentage of outputs being properly handled, and a clean vulnerability history with no recorded CVEs. However, significant concerns arise from its attack surface. A notable portion of its entry points, specifically 1 AJAX handler and 3 REST API routes, lack proper authentication or permission checks, creating potential avenues for unauthorized access or actions if exploited. The taint analysis, while limited in scope (2 flows), did reveal flows with unsanitized paths, which, without further context on their criticality or exploitability, represent a potential risk.

Key Concerns

  • AJAX handler without authentication
  • REST API routes without permission callbacks
  • Flows with unsanitized paths
Vulnerabilities
None known

HeadlessWC: Ultimate eCommerce Decoupler Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

HeadlessWC: Ultimate eCommerce Decoupler Release Timeline

No version history available.
Code Analysis
Analyzed Apr 16, 2026

HeadlessWC: Ultimate eCommerce Decoupler Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 41 (120 escaped)
Nonce Checks: 1
Capability Checks: 1
File Operations: 4
External Requests: 1
Bundled Libraries: 0

Output Escaping

75% escaped · 161 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
headlesswc_force_cors_headers (includes/api-security.php:167)
Attack Surface
4 unprotected

HeadlessWC: Ultimate eCommerce Decoupler Attack Surface

Entry Points: 9
Unprotected: 4

AJAX Handlers 2

auth wp_ajax_save-post (includes/cache-revalidation.php:21)
auth wp_ajax_headlesswc_dismiss_cache_error (includes/cache-revalidation.php:27)

REST API Routes 7

POST /wp-json/headless-wc/v1/cart (includes/api-routes.php:55)
POST /wp-json/headless-wc/v1/order (includes/api-routes.php:64)
GET /wp-json/headless-wc/v1/order/(?P<order_id>\d+) (includes/api-routes.php:74)
GET /wp-json/headless-wc/v1/products (includes/api-routes.php:96)
GET /wp-json/headless-wc/v1/products/(?P<slug>[a-zA-Z0-9-]+) (includes/api-routes.php:106)
POST /wp-json/headless-wc/v1/register (includes/api-routes.php:116)
GET /wp-json/headless-wc/v1/auth/status (includes/api-routes.php:129)
WordPress Hooks 29

action plugins_loaded (headless-wc.php:53)
action template_redirect (headless-wc.php:54)
action init (headless-wc.php:56)
action admin_menu (includes/admin-settings.php:7)
action admin_init (includes/admin-settings.php:28)
action rest_api_init (includes/api-routes.php:48)
filter rest_pre_dispatch (includes/api-security.php:12)
filter rest_pre_dispatch (includes/api-security.php:50)
filter rest_send_cors_headers (includes/api-security.php:81)
action init (includes/api-security.php:131)
filter rest_pre_serve_request (includes/api-security.php:165)
action save_post (includes/cache-revalidation.php:12)
action woocommerce_update_product (includes/cache-revalidation.php:13)
action woocommerce_new_product (includes/cache-revalidation.php:14)
action updated_postmeta (includes/cache-revalidation.php:17)
action added_postmeta (includes/cache-revalidation.php:18)
action admin_notices (includes/cache-revalidation.php:24)
action shutdown (includes/cache-revalidation.php:39)
action headlesswc_delayed_cache_revalidation (includes/cache-revalidation.php:135)
action headlesswc_cache_revalidation_request (includes/cache-revalidation.php:183)
action admin_notices (includes/check-plugin-requirements.php:18)
action plugins_loaded (includes/check-plugin-requirements.php:27)
action woocommerce_order_status_changed (includes/redirect_after_order.php:85)
action wp_head (includes/redirect_after_order.php:108)
action wp_enqueue_scripts (includes/redirect_after_order.php:110)
action wp_footer (includes/redirect_after_order.php:225)
action template_redirect (includes/redirect_after_order.php:253)
action template_redirect (includes/redirect_after_order.php:255)
action wp_scheduled_delete (includes/security-logger.php:124)

Scheduled Events 2

headlesswc_delayed_cache_revalidation
headlesswc_cache_revalidation_request
Maintenance & Trust

HeadlessWC: Ultimate eCommerce Decoupler Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 11, 2025
PHP min version: 7.4
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 0
Developer Profile

HeadlessWC: Ultimate eCommerce Decoupler Developer Profile

App4You

2 plugins · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect HeadlessWC: Ultimate eCommerce Decoupler

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/headless-wc/build/index.css
/wp-content/plugins/headless-wc/build/index.js
Script Paths
/wp-content/plugins/headless-wc/build/index.js
Version Parameters
headless-wc/build/index.css?ver=
headless-wc/build/index.js?ver=

HTML / DOM Fingerprints

Data Attributes
data-headlesswc-redirect-url
JS Globals
window.hwcProc
REST Endpoints
/wp-json/headless-wc/v1/products
/wp-json/headless-wc/v1/products/
/wp-json/headless-wc/v1/cart
/wp-json/headless-wc/v1/cart/
/wp-json/headless-wc/v1/customer
/wp-json/headless-wc/v1/customer/
/wp-json/headless-wc/v1/order
/wp-json/headless-wc/v1/order/
FAQ

Frequently Asked Questions about HeadlessWC: Ultimate eCommerce Decoupler