Does Klaviyo have any unpatched vulnerabilities?

No. All known vulnerabilities in Klaviyo have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Klaviyo compatible with WordPress 6.9.4?

According to WordPress.org data, Klaviyo 3.7.3 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Klaviyo compatible with PHP 7.0+?

Klaviyo requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Klaviyo updated?

Klaviyo was last updated on Mar 9, 2026. Frequent updates are generally a positive security signal.

What is Klaviyo's security score?

Klaviyo has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Klaviyo Security & Risk Analysis

wordpress.org/plugins/klaviyo

Klaviyo for WooCommerce

100K active installs v3.7.3 PHP 7.0+ WP 5.2+ Updated Mar 9, 2026

analyticsemailklaviyomarketingwoocommerce

A · Safe

CVEs total2

Unpatched0

Last CVEMar 20, 2023

Plugin page Download

Safety Verdict

Is Klaviyo Safe to Use in 2026?

Generally Safe

Score 99/100

Klaviyo has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Mar 20, 2023Updated 25d ago

Risk Assessment

The Klaviyo plugin v3.7.3 presents a mixed security posture. On the positive side, the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and generally performs robust output escaping. The absence of file operations and reliance on secure coding patterns for external HTTP requests are also strengths. However, the presence of an unprotected AJAX handler represents a significant concern, creating a direct entry point for potential attacks without proper authorization checks. The vulnerability history, with two previously identified medium-severity Cross-Site Scripting (XSS) vulnerabilities, indicates a past susceptibility to input manipulation, even though these are currently patched. The pattern of XSS vulnerabilities suggests a need for continued vigilance in sanitizing user-supplied data across all input vectors.

Key Concerns

Unprotected AJAX handler
Two medium severity CVEs historically

Vulnerabilities

Klaviyo Security Vulnerabilities

CVEs by Year

2 CVEs in 2023

2023

Patched Has unpatched

Severity Breakdown

Medium

2 total CVEs

CVE-2023-0874medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Klaviyo <= 3.0.9 - Authenticated (Admin+) Stored Cross-Site Scripting

Mar 20, 2023 Patched in 3.0.10 (309d)

CVE-2023-25456medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Klaviyo <= 3.0.7 - Authenticated (Administrator+) Stored Cross-Site Scripting

Mar 13, 2023 Patched in 3.0.8 (316d)

Code Analysis

Analyzed Mar 16, 2026

Klaviyo Code Analysis

Dangerous Functions

Raw SQL Queries

4 prepared

Unescaped Output

99 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared4 total queries

Output Escaping

93% escaped107 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

handle_feedback_response (includes\class-wck-install.php:151)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

Klaviyo Attack Surface

Entry Points2

Unprotected1

AJAX Handlers 2

authwp_ajax_klaviyo_handle_feedback_responseincludes\class-wck-install.php:29

authwp_ajax_klaviyo_dismiss_review_promptincludes\class-wck-install.php:30

WordPress Hooks 34

actioninitinc\kla-admin.php:46

actionplugins_loadedinc\kla-admin.php:47

actionadmin_menuinc\kla-admin.php:98

actionadmin_noticesinc\kla-admin.php:100

actionadmin_noticesinc\kla-admin.php:102

actionadmin_menuinc\kla-admin.php:104

actionwp_enqueue_scriptsinc\kla-analytics.php:35

actionwp_enqueue_scriptsinc\kla-analytics.php:41

filterscript_loader_taginc\kla-analytics.php:88

actionin_plugin_update_message-klaviyo/klaviyo.phpincludes\admin\class-kl-plugins-screen-updates.php:39

actionwoocommerce_store_api_checkout_order_processedincludes\blocks\StoreApi.php:45

actionwoocommerce_store_api_checkout_update_order_from_requestincludes\blocks\StoreApi.php:53

actionklaviyo_schedule_consent_eventincludes\blocks\StoreApi.php:55

actionrest_api_initincludes\class-wck-api.php:501

actionset_site_transient_update_pluginsincludes\class-wck-api.php:616

actionadmin_initincludes\class-wck-install.php:26

actionadmin_noticesincludes\class-wck-install.php:31

actionadmin_noticesincludes\class-wpklaviyo.php:48

actionwidgets_initincludes\class-wpklaviyo.php:50

actionwoocommerce_add_to_cartincludes\wck-added-to-cart.php:13

actionwp_enqueue_scriptsincludes\wck-cart-functions.php:194

actionwp_loadedincludes\wck-cart-functions.php:224

filterwoocommerce_checkout_fieldsincludes\wck-cart-functions.php:351

actionwoocommerce_checkout_update_order_metaincludes\wck-cart-functions.php:354

filterwoocommerce_checkout_fieldsincludes\wck-cart-functions.php:363

filterwoocommerce_after_checkout_billing_formincludes\wck-cart-functions.php:366

actionwoocommerce_checkout_update_order_metaincludes\wck-cart-functions.php:369

actioninitincludes\wck-checkout-block.php:21

actionwoocommerce_blocks_checkout_block_registrationincludes\wck-checkout-block.php:28

actionwp_enqueue_scriptsincludes\wck-viewed-product.php:12

actionbefore_woocommerce_initklaviyo.php:35

actioninitklaviyo.php:187

actionwoocommerce_initklaviyo.php:261

actionadmin_enqueue_scriptsklaviyo.php:276

Maintenance & Trust

Klaviyo Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedMar 9, 2026

PHP min version7.0

Downloads1.5M

Community Trust

Rating56/100

Number of ratings24

Active installs100K

Alternatives

Klaviyo Alternatives

Acoustic Connect integration for WooCommerce

acoustic-connect-woo

100

Integrate Acoustic Connect with WooCommerce. Track customer behavior and send data to your Acoustic Connect Collector for marketing automation.

0 No CVEs

Growffinity CRM for WooCommerce

growffinity-crm-for-woocommerce

100

Connect your WooCommerce store to Growffinity CRM. Automatically sync customers and orders to manage your business better.

0 No CVEs

Segmentflow Connect

segmentflow-connect

100

Connect your WordPress website or WooCommerce store to Segmentflow for AI-powered email marketing, customer segmentation, and revenue attribution.

0 No CVEs

MailPoet – Newsletters, Email Marketing, and Automation

mailpoet

Send beautiful newsletters from WordPress. Collect subscribers with signup forms, automate your emails for WooCommerce, blog post notifications & more

500K 3 CVEs

Email Marketing for WooCommerce by Omnisend

omnisend-connect

Email Marketing, Newsletter, Email Automation, Forms, Pop Up, SMS, Abandoned Cart made easy for WordPress & WooCommerce by Omnisend

60K 2 CVEs

Developer Profile

Klaviyo Developer Profile

klaviyo

1 plugin · 100K total installs

trust score

Avg Security Score

99/100

Avg Patch Time

313 days

View full developer profile

Detection Fingerprints

How We Detect Klaviyo

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/klaviyo/assets/css/admin.css/wp-content/plugins/klaviyo/assets/css/frontend.css/wp-content/plugins/klaviyo/assets/js/frontend.js

Script Paths

/wp-content/plugins/klaviyo/assets/js/frontend.js

Version Parameters

klaviyo/assets/css/admin.css?ver=klaviyo/assets/css/frontend.css?ver=klaviyo/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes

klaviyo-widgetklaviyo-modalklaviyo-form

HTML Comments

Data Attributes

data-klaviyo-widgetdata-klaviyo-modaldata-klaviyo-form

JS Globals

Klaviyo

REST Endpoints

/wp-json/klaviyo/v1/webhook

Shortcode Output

[klaviyo_form][klaviyo_widget]

FAQ

Klaviyo Security & Risk Analysis

Is Klaviyo Safe to Use in 2026?

Generally Safe

Key Concerns

Klaviyo Security Vulnerabilities

CVEs by Year

Severity Breakdown

Klaviyo Code Analysis

SQL Query Safety

Output Escaping

Data Flow Analysis

Klaviyo Attack Surface

AJAX Handlers 2

Klaviyo Maintenance & Trust

Maintenance Signals

Community Trust

Klaviyo Alternatives

Acoustic Connect integration for WooCommerce

Growffinity CRM for WooCommerce

Segmentflow Connect

MailPoet – Newsletters, Email Marketing, and Automation

Email Marketing for WooCommerce by Omnisend

Klaviyo Developer Profile

How We Detect Klaviyo

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Klaviyo