Instantio — Side Cart & One-Page Checkout for WooCommerce Security & Risk Analysis

wordpress.org/plugins/instantio

Instantio adds side cart, popup cart, floating button, and one-page checkout layouts to WooCommerce for a faster, more convenient shopping and checkou …

900 active installs · v3.3.31 · PHP 7.4+ · WP 4.0+ · Updated Mar 4, 2026

Tags: multistep-checkout, woocommerce-cart, woocommerce-checkout, woocommerce-direct-checkout, woocommerce-side-cart

Score: 94 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: May 7, 2025
Safety Verdict

Is Instantio — Side Cart & One-Page Checkout for WooCommerce Safe to Use in 2026?

Generally Safe

Score 94/100

Instantio — Side Cart & One-Page Checkout for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: May 7, 2025 · Updated 1mo ago
Risk Assessment

The security posture of Instantio v3.3.31 presents a mixed bag of good practices and significant concerns. On the positive side, the plugin demonstrates a strong commitment to secure database interactions, with all SQL queries utilizing prepared statements, and a substantial portion of output being properly escaped. The inclusion of nonce and capability checks in many entry points also indicates an awareness of common security pitfalls. However, a large attack surface is exposed with 17 out of 26 AJAX handlers lacking any authorization checks, presenting a direct avenue for potential unauthorized actions.

The static analysis reveals a notable concern with the presence of the `unserialize` function, which can be a vector for deserialization vulnerabilities if not handled with extreme care. While taint analysis found no flows with unsanitized paths in this specific scan, the presence of `unserialize` warrants careful scrutiny. The vulnerability history is particularly concerning, with 3 known CVEs (2 of them high severity) covering Unrestricted File Upload, Missing Authorization, and CSRF. The recency of the last vulnerability (May 2025) suggests ongoing security challenges or a recent patching effort.

In conclusion, Instantio v3.3.31 exhibits strengths in data sanitization and database query security. However, the substantial number of unprotected AJAX endpoints and the historical prevalence of critical vulnerability types like missing authorization and file upload issues, coupled with the presence of `unserialize`, point to significant risks that require immediate attention. Users should be cautious and ensure they are on the latest patched version if available, as the plugin's history indicates a tendency for exploitable weaknesses.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous function: unserialize
  • High severity vulnerabilities in history
  • Medium severity vulnerabilities in history
  • Bundled library: Select2 (potential outdatedness)
Vulnerabilities (3)

Instantio — Side Cart & One-Page Checkout for WooCommerce Security Vulnerabilities

CVEs by Year

2021: 1 CVE
2024: 1 CVE
2025: 1 CVE

Severity Breakdown

High: 2
Medium: 1

3 total CVEs

CVE-2025-47550 · High · 7.2 · Unrestricted Upload of File with Dangerous Type

Instantio <= 3.3.16 - Authenticated (Admin+) Arbitrary File Upload

May 7, 2025 · Patched in 3.3.17 (6d)

CVE-2025-24581 · Medium · 5.3 · Missing Authorization

Instantio <= 3.3.7 - Missing Authorization to Unauthenticated Settings Update

Dec 18, 2024 · Patched in 3.3.8 (126d)

WF-a7f82847-433d-49b1-815d-b0d9e70068c2-instantio · High · 8.8 · Cross-Site Request Forgery (CSRF)

Instantio – WooCommerce Quick Checkout | Instant Checkout, Side Cart & Popup Cart <= 1.2.5 - Cross Site Request Forgery

Jun 30, 2021 · Patched in 1.2.6 (937d)

Code Analysis
Analyzed Mar 16, 2026

Instantio — Side Cart & One-Page Checkout for WooCommerce Code Analysis

Dangerous Functions: 11
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 173 (536 escaped)
Nonce Checks: 14
Capability Checks: 12
File Operations: 0
External Requests: 3
Bundled Libraries: 1

Dangerous Functions Found

unserialize · admin\tf-options\fields\map\INS_map.php:18 · $mapdata = unserialize( $mapdata );
unserialize · admin\tf-options\fields\repeater\INS_Repeater.php:32 · $data = unserialize( $INS_rep_value );
unserialize · admin\tf-options\fields\tab\INS_tab.php:44 · $data = ( ! is_array( $this->value ) ) ? unserialize( $this->value ) : $this->value;
unserialize · includes\controller\checkout_editor.php:106 · $get_ins_data_for_editor_fl = unserialize($get_ins_data);
unserialize · includes\controller\checkout_editor.php:140 · $get_ins_data_for_editor_fl = unserialize($get_ins_data);
unserialize · includes\controller\checkout_editor.php:187 · $get_ins_data_for_editor_fl = unserialize($get_ins_data);
unserialize · includes\controller\checkout_editor.php:384 · $get_ins_data_add_editor_fl = unserialize($get_ins_add_data);
unserialize · includes\controller\checkout_editor.php:450 · $get_ins_data_for_editor_fl = unserialize($get_ins_data);
unserialize · includes\controller\checkout_editor.php:527 · $get_ins_data_for_editor_fl = unserialize($get_ins_data);
unserialize · includes\controller\checkout_editor.php:714 · $get_ins_data_add_shiping_fl = unserialize($get_ins_add_shipping_data);
unserialize · includes\controller\checkout_editor.php:764 · $get_ins_data_for_editor_fl = unserialize($get_ins_data);

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

76% escaped · 709 total outputs

Attack Surface (17 unprotected)

Instantio — Side Cart & One-Page Checkout for WooCommerce Attack Surface

Entry Points: 27
Unprotected: 17

AJAX Handlers 26

auth · wp_ajax_ins_options_save · admin\tf-options\classes\Ins_TF_Settings.php:36
auth · wp_ajax_ins_themefic_manage_plugin · admin\tf-options\classes\Ins_TF_Settings.php:38
auth · wp_ajax_ins_del_billing_fields · functions.php:49
auth · wp_ajax_ins_del_shipping_fields · functions.php:50
auth · wp_ajax_tf_black_friday_notice_dismiss_callback · functions.php:218
auth · wp_ajax_ins_review_notice_callback · includes\controller\Admin.php:20
nopriv · wp_ajax_ins_review_notice_callback · includes\controller\Admin.php:21
nopriv · wp_ajax_ins_ajax_cart_reload · includes\controller\App.php:22
auth · wp_ajax_ins_ajax_cart_reload · includes\controller\App.php:23
nopriv · wp_ajax_ins_ajax_cart_single · includes\controller\App.php:26
auth · wp_ajax_ins_ajax_cart_single · includes\controller\App.php:27
nopriv · wp_ajax_ins_ajax_cart_item_remove · includes\controller\App.php:30
auth · wp_ajax_ins_ajax_cart_item_remove · includes\controller\App.php:31
nopriv · wp_ajax_ins_ajax_empty_cart · includes\controller\App.php:34
auth · wp_ajax_ins_ajax_empty_cart · includes\controller\App.php:35
nopriv · wp_ajax_ins_ajax_update_cart · includes\controller\App.php:38
auth · wp_ajax_ins_ajax_update_cart · includes\controller\App.php:39
nopriv · wp_ajax_ins_ajax_remove_coupon · includes\controller\App.php:42
auth · wp_ajax_ins_ajax_remove_coupon · includes\controller\App.php:43
auth · wp_ajax_tf_admin_notice_dismiss_callback · includes\controller\class-promo-notice.php:68
auth · wp_ajax_ins_black_friday_notice_ins_dismiss_callback · includes\controller\class-promo-notice.php:92
auth · wp_ajax_ins_dashboard_widget_dismiss · includes\controller\class-promo-notice.php:106
auth · wp_ajax_tf_setup_wizard_submit · includes\controller\class-setup-wizard.php:30
auth · wp_ajax_ins_ajax_install_woocommerce · instantio.php:58
auth · wp_ajax_ins_variable_product_quick_view · instantio.php:114
nopriv · wp_ajax_ins_variable_product_quick_view · instantio.php:115

Shortcodes 1

[instantio-cart-icon] includes\controller\App.php:59

WordPress Hooks 70

action · add_meta_boxes · admin\tf-options\classes\INS_Metabox.php:42
action · save_post · admin\tf-options\classes\INS_Metabox.php:43
action · admin_menu · admin\tf-options\classes\Ins_TF_Settings.php:30
action · admin_init · admin\tf-options\classes\Ins_TF_Settings.php:33
action · admin_footer · admin\tf-options\fields\icon\INS_icon.php:15
action · admin_enqueue_scripts · admin\tf-options\Ins_TF_Options.php:39
action · wp_enqueue_scripts · admin\tf-options\Ins_TF_Options.php:41
filter · plugin_row_meta · functions.php:3
action · add_meta_boxes · functions.php:231
filter · get_user_option_meta-box-order_product · functions.php:293
action · switch_theme · includes\app\src\Insights.php:140
action · switch_theme · includes\app\src\Insights.php:141
action · admin_footer · includes\app\src\Insights.php:158
action · admin_notices · includes\app\src\Insights.php:175
action · admin_init · includes\app\src\Insights.php:178
filter · cron_schedules · includes\app\src\Insights.php:184
action · admin_menu · includes\app\src\License.php:219
action · after_switch_theme · includes\app\src\License.php:781
action · switch_theme · includes\app\src\License.php:782
filter · pre_set_site_transient_update_plugins · includes\app\src\Updater.php:51
filter · plugins_api · includes\app\src\Updater.php:52
filter · pre_set_site_transient_update_themes · includes\app\src\Updater.php:61
action · init · includes\controller\Admin.php:9
action · init · includes\controller\Admin.php:10
action · admin_notices · includes\controller\Admin.php:31
action · admin_notices · includes\controller\Admin.php:48
action · admin_notices · includes\controller\Admin.php:49
action · wp_body_open · includes\controller\App.php:17
action · ins_cart_toggle · includes\controller\App.php:47
action · ins_cart_header · includes\controller\App.php:50
action · ins_cart_buttons · includes\controller\App.php:53
action · ins_cart_content · includes\controller\App.php:56
action · ins_cart_content_single · includes\controller\App.php:57
action · woocommerce_checkout_shipping · includes\controller\App.php:359
action · woocommerce_checkout_shipping · includes\controller\App.php:671
action · wp_enqueue_scripts · includes\controller\Assets.php:7
action · wp_enqueue_scripts · includes\controller\Assets.php:8
action · wp_enqueue_scripts · includes\controller\Assets.php:9
action · admin_enqueue_scripts · includes\controller\Assets.php:10
filter · woocommerce_billing_fields · includes\controller\checkout_editor.php:4
filter · woocommerce_shipping_fields · includes\controller\checkout_editor.php:5
filter · woocommerce_checkout_fields · includes\controller\checkout_editor.php:6
action · woocommerce_admin_order_data_after_billing_address · includes\controller\checkout_editor.php:9
action · woocommerce_admin_order_data_after_shipping_address · includes\controller\checkout_editor.php:11
action · woocommerce_checkout_create_order · includes\controller\checkout_editor.php:14
action · plugins_loaded · includes\controller\class-helper-banner.php:10
filter · ins_dashboard_helper_banner · includes\controller\class-helper-banner.php:16
action · admin_footer · includes\controller\class-helper-banner.php:17
filter · cron_schedules · includes\controller\class-promo-notice.php:48
action · ins_promo__schudle · includes\controller\class-promo-notice.php:54
action · admin_notices · includes\controller\class-promo-notice.php:67
action · add_meta_boxes · includes\controller\class-promo-notice.php:89
filter · get_user_option_meta-box-order_product · includes\controller\class-promo-notice.php:91
action · wp_dashboard_setup · includes\controller\class-promo-notice.php:105
action · admin_menu · includes\controller\class-setup-wizard.php:27
filter · woocommerce_enable_setup_wizard · includes\controller\class-setup-wizard.php:28
action · admin_init · includes\controller\class-setup-wizard.php:29
action · in_admin_header · includes\controller\class-setup-wizard.php:31
action · init · includes\controller\ins-checkout-editor.php:9
action · init · includes\controller\ins-checkout-editor.php:10
action · admin_enqueue_scripts · instantio.php:29
action · init · instantio.php:89
action · init · instantio.php:98
action · wcqv_product_data · instantio.php:145
action · after_setup_theme · instantio.php:197
filter · woocommerce_default_address_fields · instantio.php:204
filter · woocommerce_checkout_fields · instantio.php:205
filter · woocommerce_checkout_fields · instantio.php:206
action · admin_enqueue_scripts · instantio.php:236
action · before_woocommerce_init · instantio.php:237

Scheduled Events 1

ins_promo__schudle
Maintenance & Trust

Instantio — Side Cart & One-Page Checkout for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 4, 2026
PHP min version: 7.4
Downloads: 67K

Community Trust

Rating: 90/100
Number of ratings: 16
Active installs: 900
Developer Profile

Instantio — Side Cart & One-Page Checkout for WooCommerce Developer Profile

Themefic

11 plugins · 97K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 93 days
Detection Fingerprints

How We Detect Instantio — Side Cart & One-Page Checkout for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/instantio/admin/css/instantio-admin-style.css
/wp-content/plugins/instantio/admin/js/instantio-admin-script.js
/wp-content/plugins/instantio/includes/assets/css/style.css
/wp-content/plugins/instantio/includes/assets/css/frontend.css
/wp-content/plugins/instantio/includes/assets/js/frontend.js
/wp-content/plugins/instantio/includes/assets/js/frontend/instantio-frontend.js
/wp-content/plugins/instantio/includes/assets/js/frontend/vendor/fastclick.js
/wp-content/plugins/instantio/includes/assets/js/frontend/vendor/nouislider.min.js
+10 more
Script Paths
/wp-content/plugins/instantio/admin/js/instantio-admin-script.js
Version Parameters
instantio-admin-style.css?ver=
instantio-admin-script.js?ver=
style.css?ver=
frontend.css?ver=
frontend.js?ver=
instantio-frontend.js?ver=
fastclick.js?ver=
nouislider.min.js?ver=
sticky-kit.min.js?ver=
waypoints.min.js?ver=
wow.min.js?ver=
owl.carousel.min.js?ver=
scrollreveal.min.js?ver=
theia-sticky-sidebar.min.js?ver=
imagesloaded.pkgd.min.js?ver=
moment.min.js?ver=
waypoints.js?ver=
wow.js?ver=

HTML / DOM Fingerprints

CSS Classes
instantio-cart-popup-button
ins-cart-popup-close-button
ins-mini-cart-item-remove
ins-mini-cart-checkout-button
instantio-checkout-container
instantio-checkout-sidebar
instantio-floating-cart
HTML Comments
<!-- instantio - instant-variable-product-quick-view -->
<!-- instantio - product-quick-view -->
<!-- instantio - quickview -->
<!-- instantio - quick-view -->
+1 more
Data Attributes
data-instantio-cart-id
data-instantio-product-id
data-instantio-price
data-instantio-add-to-cart-url
JS Globals
ins_admin_params
instantio_frontend_params
ins_ajax_nonce
ins_admin_url
FAQ

Frequently Asked Questions about Instantio — Side Cart & One-Page Checkout for WooCommerce