Instantio — Side Cart & One-Page Checkout for WooCommerce Security & Risk Analysis

wordpress.org/plugins/instantio

Instantio adds side cart, popup cart, floating button, and one-page checkout layouts to WooCommerce for a faster, more convenient shopping and checkou …

800 active installs v3.3.32 PHP 7.4+ WP 4.0+ Updated Apr 8, 2026
Tags: multistep-checkout, woocommerce-cart, woocommerce-checkout, woocommerce-direct-checkout, woocommerce-side-cart
Score: 92 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Mar 25, 2026
Safety Verdict

Is Instantio — Side Cart & One-Page Checkout for WooCommerce Safe to Use in 2026?

Generally Safe

Score 92/100

Instantio — Side Cart & One-Page Checkout for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: Mar 25, 2026 · Updated 1mo ago
Risk Assessment

The security posture of Instantio v3.3.31 presents a mixed bag of good practices and significant concerns. On the positive side, the plugin demonstrates a strong commitment to secure database interactions, with all SQL queries utilizing prepared statements, and a substantial portion of output being properly escaped. The inclusion of nonce and capability checks in many entry points also indicates an awareness of common security pitfalls. However, a large attack surface is exposed with 17 out of 26 AJAX handlers lacking any authorization checks, presenting a direct avenue for potential unauthorized actions.

The static analysis reveals a notable concern with the presence of the `unserialize` function, which can be a vector for deserialization vulnerabilities if not handled with extreme care. While taint analysis found no flows with unsanitized paths in this specific scan, the presence of `unserialize` warrants careful scrutiny. The vulnerability history is particularly concerning, with 3 known CVEs, including 2 high-severity ones related to Unrestricted File Upload, Missing Authorization, and CSRF. The recency of the last vulnerability (May 2025) suggests ongoing security challenges or a recent patching effort.

In conclusion, Instantio v3.3.31 exhibits strengths in data sanitization and database query security. However, the substantial number of unprotected AJAX endpoints and the historical prevalence of critical vulnerability types like missing authorization and file upload issues, coupled with the presence of `unserialize`, point to significant risks that require immediate attention. Users should be cautious and ensure they are on the latest patched version if available, as the plugin's history indicates a tendency for exploitable weaknesses.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function: unserialize
  • High severity vulnerabilities in history
  • Medium severity vulnerabilities in history
  • Bundled library: Select2 (potential outdatedness)
Vulnerabilities
4 published

Instantio — Side Cart & One-Page Checkout for WooCommerce Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2024: 1 CVE
2025: 1 CVE
2026: 1 CVE

Severity Breakdown

High: 2
Medium: 2

4 total CVEs

CVE-2026-39571 · medium · 5.3 · Exposure of Sensitive Information to an Unauthorized Actor

Instantio <= 3.3.30 - Unauthenticated Information Exposure

Mar 25, 2026 · Patched in 3.3.31 (42d)

CVE-2025-47550 · high · 7.2 · Unrestricted Upload of File with Dangerous Type

Instantio <= 3.3.16 - Authenticated (Admin+) Arbitrary File Upload

May 7, 2025 · Patched in 3.3.17 (6d)

CVE-2025-24581 · medium · 5.3 · Missing Authorization

Instantio <= 3.3.7 - Missing Authorization to Unauthenticated Settings Update

Dec 18, 2024 · Patched in 3.3.8 (126d)

WF-a7f82847-433d-49b1-815d-b0d9e70068c2-instantio · high · 8.8 · Cross-Site Request Forgery (CSRF)

Instantio – WooCommerce Quick Checkout | Instant Checkout, Side Cart & Popup Cart <= 1.2.5 - Cross Site Request Forgery

Jun 30, 2021 · Patched in 1.2.6 (937d)

Version History

Instantio — Side Cart & One-Page Checkout for WooCommerce Release Timeline

v3.3.32 · Current
v3.3.31
v3.3.30 · 1 CVE
v3.3.29 · 1 CVE
v3.3.28 · 1 CVE
v3.3.27 · 1 CVE
v3.3.26 · 1 CVE
v3.3.25 · 1 CVE
v3.3.24 · 1 CVE
v3.3.23 · 1 CVE
v3.3.22 · 1 CVE
v3.3.21 · 1 CVE
v3.3.20 · 1 CVE
v3.3.19 · 1 CVE
v3.3.18 · 1 CVE
v3.3.17 · 1 CVE

Code Analysis
Analyzed Mar 16, 2026

Instantio — Side Cart & One-Page Checkout for WooCommerce Code Analysis

Dangerous Functions: 11
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 173 (536 escaped)
Nonce Checks: 14
Capability Checks: 12
File Operations: 0
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

Function | Code | Location
unserialize | `$mapdata = unserialize( $mapdata );` | admin\tf-options\fields\map\INS_map.php:18
unserialize | `$data = unserialize( $INS_rep_value );` | admin\tf-options\fields\repeater\INS_Repeater.php:32
unserialize | `$data = ( ! is_array( $this->value ) ) ? unserialize( $this->value ) : $this->value;` | admin\tf-options\fields\tab\INS_tab.php:44
unserialize | `$get_ins_data_for_editor_fl = unserialize($get_ins_data);` | includes\controller\checkout_editor.php:106
unserialize | `$get_ins_data_for_editor_fl = unserialize($get_ins_data);` | includes\controller\checkout_editor.php:140
unserialize | `$get_ins_data_for_editor_fl = unserialize($get_ins_data);` | includes\controller\checkout_editor.php:187
unserialize | `$get_ins_data_add_editor_fl = unserialize($get_ins_add_data);` | includes\controller\checkout_editor.php:384
unserialize | `$get_ins_data_for_editor_fl = unserialize($get_ins_data);` | includes\controller\checkout_editor.php:450
unserialize | `$get_ins_data_for_editor_fl = unserialize($get_ins_data);` | includes\controller\checkout_editor.php:527
unserialize | `$get_ins_data_add_shiping_fl = unserialize($get_ins_add_shipping_data);` | includes\controller\checkout_editor.php:714
unserialize | `$get_ins_data_for_editor_fl = unserialize($get_ins_data);` | includes\controller\checkout_editor.php:764

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

76% escaped · 709 total outputs

Attack Surface
17 unprotected

Instantio — Side Cart & One-Page Checkout for WooCommerce Attack Surface

Entry Points: 27
Unprotected: 17

AJAX Handlers 26

Access | Hook | Location
auth | wp_ajax_ins_options_save | admin\tf-options\classes\Ins_TF_Settings.php:36
auth | wp_ajax_ins_themefic_manage_plugin | admin\tf-options\classes\Ins_TF_Settings.php:38
auth | wp_ajax_ins_del_billing_fields | functions.php:49
auth | wp_ajax_ins_del_shipping_fields | functions.php:50
auth | wp_ajax_tf_black_friday_notice_dismiss_callback | functions.php:218
auth | wp_ajax_ins_review_notice_callback | includes\controller\Admin.php:20
nopriv | wp_ajax_ins_review_notice_callback | includes\controller\Admin.php:21
nopriv | wp_ajax_ins_ajax_cart_reload | includes\controller\App.php:22
auth | wp_ajax_ins_ajax_cart_reload | includes\controller\App.php:23
nopriv | wp_ajax_ins_ajax_cart_single | includes\controller\App.php:26
auth | wp_ajax_ins_ajax_cart_single | includes\controller\App.php:27
nopriv | wp_ajax_ins_ajax_cart_item_remove | includes\controller\App.php:30
auth | wp_ajax_ins_ajax_cart_item_remove | includes\controller\App.php:31
nopriv | wp_ajax_ins_ajax_empty_cart | includes\controller\App.php:34
auth | wp_ajax_ins_ajax_empty_cart | includes\controller\App.php:35
nopriv | wp_ajax_ins_ajax_update_cart | includes\controller\App.php:38
auth | wp_ajax_ins_ajax_update_cart | includes\controller\App.php:39
nopriv | wp_ajax_ins_ajax_remove_coupon | includes\controller\App.php:42
auth | wp_ajax_ins_ajax_remove_coupon | includes\controller\App.php:43
auth | wp_ajax_tf_admin_notice_dismiss_callback | includes\controller\class-promo-notice.php:68
auth | wp_ajax_ins_black_friday_notice_ins_dismiss_callback | includes\controller\class-promo-notice.php:92
auth | wp_ajax_ins_dashboard_widget_dismiss | includes\controller\class-promo-notice.php:106
auth | wp_ajax_tf_setup_wizard_submit | includes\controller\class-setup-wizard.php:30
auth | wp_ajax_ins_ajax_install_woocommerce | instantio.php:58
auth | wp_ajax_ins_variable_product_quick_view | instantio.php:114
nopriv | wp_ajax_ins_variable_product_quick_view | instantio.php:115

Shortcodes 1

[instantio-cart-icon] includes\controller\App.php:59

WordPress Hooks 70

Type | Hook | Location
action | add_meta_boxes | admin\tf-options\classes\INS_Metabox.php:42
action | save_post | admin\tf-options\classes\INS_Metabox.php:43
action | admin_menu | admin\tf-options\classes\Ins_TF_Settings.php:30
action | admin_init | admin\tf-options\classes\Ins_TF_Settings.php:33
action | admin_footer | admin\tf-options\fields\icon\INS_icon.php:15
action | admin_enqueue_scripts | admin\tf-options\Ins_TF_Options.php:39
action | wp_enqueue_scripts | admin\tf-options\Ins_TF_Options.php:41
filter | plugin_row_meta | functions.php:3
action | add_meta_boxes | functions.php:231
filter | get_user_option_meta-box-order_product | functions.php:293
action | switch_theme | includes\app\src\Insights.php:140
action | switch_theme | includes\app\src\Insights.php:141
action | admin_footer | includes\app\src\Insights.php:158
action | admin_notices | includes\app\src\Insights.php:175
action | admin_init | includes\app\src\Insights.php:178
filter | cron_schedules | includes\app\src\Insights.php:184
action | admin_menu | includes\app\src\License.php:219
action | after_switch_theme | includes\app\src\License.php:781
action | switch_theme | includes\app\src\License.php:782
filter | pre_set_site_transient_update_plugins | includes\app\src\Updater.php:51
filter | plugins_api | includes\app\src\Updater.php:52
filter | pre_set_site_transient_update_themes | includes\app\src\Updater.php:61
action | init | includes\controller\Admin.php:9
action | init | includes\controller\Admin.php:10
action | admin_notices | includes\controller\Admin.php:31
action | admin_notices | includes\controller\Admin.php:48
action | admin_notices | includes\controller\Admin.php:49
action | wp_body_open | includes\controller\App.php:17
action | ins_cart_toggle | includes\controller\App.php:47
action | ins_cart_header | includes\controller\App.php:50
action | ins_cart_buttons | includes\controller\App.php:53
action | ins_cart_content | includes\controller\App.php:56
action | ins_cart_content_single | includes\controller\App.php:57
action | woocommerce_checkout_shipping | includes\controller\App.php:359
action | woocommerce_checkout_shipping | includes\controller\App.php:671
action | wp_enqueue_scripts | includes\controller\Assets.php:7
action | wp_enqueue_scripts | includes\controller\Assets.php:8
action | wp_enqueue_scripts | includes\controller\Assets.php:9
action | admin_enqueue_scripts | includes\controller\Assets.php:10
filter | woocommerce_billing_fields | includes\controller\checkout_editor.php:4
filter | woocommerce_shipping_fields | includes\controller\checkout_editor.php:5
filter | woocommerce_checkout_fields | includes\controller\checkout_editor.php:6
action | woocommerce_admin_order_data_after_billing_address | includes\controller\checkout_editor.php:9
action | woocommerce_admin_order_data_after_shipping_address | includes\controller\checkout_editor.php:11
action | woocommerce_checkout_create_order | includes\controller\checkout_editor.php:14
action | plugins_loaded | includes\controller\class-helper-banner.php:10
filter | ins_dashboard_helper_banner | includes\controller\class-helper-banner.php:16
action | admin_footer | includes\controller\class-helper-banner.php:17
filter | cron_schedules | includes\controller\class-promo-notice.php:48
action | ins_promo__schudle | includes\controller\class-promo-notice.php:54
action | admin_notices | includes\controller\class-promo-notice.php:67
action | add_meta_boxes | includes\controller\class-promo-notice.php:89
filter | get_user_option_meta-box-order_product | includes\controller\class-promo-notice.php:91
action | wp_dashboard_setup | includes\controller\class-promo-notice.php:105
action | admin_menu | includes\controller\class-setup-wizard.php:27
filter | woocommerce_enable_setup_wizard | includes\controller\class-setup-wizard.php:28
action | admin_init | includes\controller\class-setup-wizard.php:29
action | in_admin_header | includes\controller\class-setup-wizard.php:31
action | init | includes\controller\ins-checkout-editor.php:9
action | init | includes\controller\ins-checkout-editor.php:10
action | admin_enqueue_scripts | instantio.php:29
action | init | instantio.php:89
action | init | instantio.php:98
action | wcqv_product_data | instantio.php:145
action | after_setup_theme | instantio.php:197
filter | woocommerce_default_address_fields | instantio.php:204
filter | woocommerce_checkout_fields | instantio.php:205
filter | woocommerce_checkout_fields | instantio.php:206
action | admin_enqueue_scripts | instantio.php:236
action | before_woocommerce_init | instantio.php:237

Scheduled Events 1

ins_promo__schudle
Maintenance & Trust

Instantio — Side Cart & One-Page Checkout for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 8, 2026
PHP min version: 7.4
Downloads: 68K

Community Trust

Rating: 90/100
Number of ratings: 16
Active installs: 800

Developer Profile

Instantio — Side Cart & One-Page Checkout for WooCommerce Developer Profile

Themefic

11 plugins · 97K total installs

Trust score: 83
Avg Security Score: 93/100
Avg Patch Time: 85 days
Detection Fingerprints

How We Detect Instantio — Side Cart & One-Page Checkout for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/instantio/admin/css/instantio-admin-style.css
/wp-content/plugins/instantio/admin/js/instantio-admin-script.js
/wp-content/plugins/instantio/includes/assets/css/style.css
/wp-content/plugins/instantio/includes/assets/css/frontend.css
/wp-content/plugins/instantio/includes/assets/js/frontend.js
/wp-content/plugins/instantio/includes/assets/js/frontend/instantio-frontend.js
/wp-content/plugins/instantio/includes/assets/js/frontend/vendor/fastclick.js
/wp-content/plugins/instantio/includes/assets/js/frontend/vendor/nouislider.min.js
+10 more
Script Paths
/wp-content/plugins/instantio/admin/js/instantio-admin-script.js
Version Parameters
instantio-admin-style.css?ver=
instantio-admin-script.js?ver=
style.css?ver=
frontend.css?ver=
frontend.js?ver=
instantio-frontend.js?ver=
fastclick.js?ver=
nouislider.min.js?ver=
sticky-kit.min.js?ver=
waypoints.min.js?ver=
wow.min.js?ver=
owl.carousel.min.js?ver=
scrollreveal.min.js?ver=
theia-sticky-sidebar.min.js?ver=
imagesloaded.pkgd.min.js?ver=
moment.min.js?ver=
waypoints.js?ver=
wow.js?ver=

HTML / DOM Fingerprints

CSS Classes
instantio-cart-popup-button, ins-cart-popup-close-button, ins-mini-cart-item-remove, ins-mini-cart-checkout-button, instantio-checkout-container, instantio-checkout-sidebar, instantio-floating-cart
HTML Comments
<!-- instantio - instant-variable-product-quick-view -->
<!-- instantio - product-quick-view -->
<!-- instantio - quickview -->
<!-- instantio - quick-view -->
+1 more
Data Attributes
data-instantio-cart-id, data-instantio-product-id, data-instantio-price, data-instantio-add-to-cart-url
JS Globals
ins_admin_params, instantio_frontend_params, ins_ajax_nonce, ins_admin_url
FAQ

Frequently Asked Questions about Instantio — Side Cart & One-Page Checkout for WooCommerce