WP-Safety

MH Free Gifts for WooCommerce Security & Risk Analysis

wordpress.org/plugins/mh-free-gifts-for-woocommerce

Offer free gifts automatically in WooCommerce! Set up smart rules based on cart value, items, or user roles — fully supports WooCommerce Blocks.

100 active installs v1.1.1 PHP 7.4+ WP 6.0+ Updated Apr 1, 2026
buy-one-get-onefree-giftfree-gifts-for-woocommercegift-product-woocommercewoocommerce-gift
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is MH Free Gifts for WooCommerce Safe to Use in 2026?

Generally Safe

Score 100/100

MH Free Gifts for WooCommerce has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1mo ago
Risk Assessment

The "mh-free-gifts-for-woocommerce" plugin version 1.0.12 exhibits a generally positive security posture with several good practices observed. The majority of its SQL queries utilize prepared statements, and a high percentage of output escaping is properly implemented, indicating an effort to prevent common web vulnerabilities like SQL injection and Cross-Site Scripting (XSS). The absence of known vulnerabilities (CVEs) and a clean taint analysis further contribute to this favorable assessment. The plugin also implements nonce and capability checks on a good portion of its entry points.

However, there are notable concerns that warrant attention. The plugin exposes a significant attack surface with 10 AJAX handlers, of which 4 lack any authentication checks. This is a critical oversight that could allow unauthenticated users to trigger potentially sensitive actions within the plugin. While taint analysis didn't reveal specific flows, the lack of authorization on these AJAX endpoints is a glaring weakness that could be exploited. The plugin's vulnerability history being completely clean is a positive sign, suggesting good development practices over time, but it does not mitigate the immediate risks presented by the unprotected AJAX endpoints.

In conclusion, while the plugin demonstrates strengths in secure coding practices like prepared statements and output escaping, the unprotected AJAX handlers represent a significant security risk. The absence of vulnerabilities in its history is encouraging, but the identified attack surface without authentication must be addressed to improve its overall security. It's a case of good core practices being undermined by a critical flaw in access control for a portion of its functionality.

Key Concerns

  • 4 unprotected AJAX handlers
Vulnerabilities
None known

MH Free Gifts for WooCommerce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

MH Free Gifts for WooCommerce Release Timeline

v1.1.1Current
v1.1.0
v1.0.12
v1.0.11
v1.0.10
v1.0.9
v1.0.8
v1.0.7
v1.0.6
v1.0.5
v1.0.4
Code Analysis
Analyzed Mar 16, 2026

MH Free Gifts for WooCommerce Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
13 prepared
Unescaped Output
17
121 escaped
Nonce Checks
9
Capability Checks
9
File Operations
0
External Requests
0
Bundled Libraries
0

SQL Query Safety

93% prepared14 total queries

Output Escaping

88% escaped138 total outputs
Attack Surface
4 unprotected

MH Free Gifts for WooCommerce Attack Surface

Entry Points10
Unprotected4

AJAX Handlers 10

authwp_ajax_mhfgfwc_search_productsincludes\class-mhfgfwc-admin.php:39
authwp_ajax_mhfgfwc_toggle_statusincludes\class-mhfgfwc-admin.php:40
authwp_ajax_mhfgfwc_search_usersincludes\class-mhfgfwc-admin.php:41
authwp_ajax_mhfgfwc_search_categoriesincludes\class-mhfgfwc-admin.php:42
authwp_ajax_mhfgfwc_render_giftsincludes\class-mhfgfwc-frontend.php:53
noprivwp_ajax_mhfgfwc_render_giftsincludes\class-mhfgfwc-frontend.php:54
authwp_ajax_mhfgfwc_refresh_giftsincludes\class-mhfgfwc-frontend.php:80
noprivwp_ajax_mhfgfwc_refresh_giftsincludes\class-mhfgfwc-frontend.php:81
authwp_ajax_mhfgfwc_get_gift_sectionmh-free-gifts-for-woocommerce.php:108
noprivwp_ajax_mhfgfwc_get_gift_sectionmh-free-gifts-for-woocommerce.php:109
WordPress Hooks 34
actionadmin_menuincludes\class-mhfgfwc-admin.php:29
actionadmin_enqueue_scriptsincludes\class-mhfgfwc-admin.php:30
actionadmin_initincludes\class-mhfgfwc-admin.php:31
actionadmin_enqueue_scriptsincludes\class-mhfgfwc-admin.php:32
actionadmin_post_mhfgfwc_save_ruleincludes\class-mhfgfwc-admin.php:35
actionadmin_post_mhfgfwc_delete_ruleincludes\class-mhfgfwc-admin.php:36
actioninitincludes\class-mhfgfwc-engine.php:49
actionwoocommerce_cart_loaded_from_sessionincludes\class-mhfgfwc-engine.php:60
actionwoocommerce_before_calculate_totalsincludes\class-mhfgfwc-engine.php:66
actionmhfgfwc_after_evaluate_cartincludes\class-mhfgfwc-engine.php:72
actionmhfgfwc_after_evaluate_cartincludes\class-mhfgfwc-engine.php:80
actionwoocommerce_after_calculate_totalsincludes\class-mhfgfwc-engine.php:568
actionwp_enqueue_scriptsincludes\class-mhfgfwc-frontend.php:31
actionwoocommerce_after_cart_tableincludes\class-mhfgfwc-frontend.php:34
actionwoocommerce_checkout_before_order_reviewincludes\class-mhfgfwc-frontend.php:35
actionwoocommerce_before_calculate_totalsincludes\class-mhfgfwc-frontend.php:38
filterwoocommerce_cart_item_quantityincludes\class-mhfgfwc-frontend.php:39
filterwoocommerce_update_cart_validationincludes\class-mhfgfwc-frontend.php:40
actionwoocommerce_before_calculate_totalsincludes\class-mhfgfwc-frontend.php:41
filterwoocommerce_get_item_dataincludes\class-mhfgfwc-frontend.php:44
actionwc_ajax_mhfgfwc_add_giftincludes\class-mhfgfwc-frontend.php:47
actionwc_ajax_nopriv_mhfgfwc_add_giftincludes\class-mhfgfwc-frontend.php:48
actionwc_ajax_mhfgfwc_remove_giftincludes\class-mhfgfwc-frontend.php:49
actionwc_ajax_nopriv_mhfgfwc_remove_giftincludes\class-mhfgfwc-frontend.php:50
actionmhfgfwc_render_gifts_section_innerincludes\class-mhfgfwc-frontend.php:57
actionmhfgfwc_after_evaluate_cartincludes\class-mhfgfwc-frontend.php:60
actionmhfgfwc_after_evaluate_cartincludes\class-mhfgfwc-frontend.php:63
actionwoocommerce_after_calculate_totalsincludes\class-mhfgfwc-frontend.php:65
actionwp_footerincludes\class-mhfgfwc-frontend.php:67
actionwoocommerce_cart_loaded_from_sessionincludes\class-mhfgfwc-frontend.php:560
actionwp_footerincludes\class-mhfgfwc-frontend.php:571
actionadmin_initmh-free-gifts-for-woocommerce.php:69
actionplugins_loadedmh-free-gifts-for-woocommerce.php:85
actionadmin_noticesmh-free-gifts-for-woocommerce.php:87
Maintenance & Trust

MH Free Gifts for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedApr 1, 2026
PHP min version7.4
Downloads1K

Community Trust

Rating100/100
Number of ratings2
Active installs100
Alternatives

MH Free Gifts for WooCommerce Alternatives

GIFTiT – Free Gifts for WooCommerce

GIFTiT – Free Gifts for WooCommerce

ithemeland-free-gifts-for-woo

A
100

Free Gifts for WooCommerce allows you to offer Free Gifts to your customers whenever they make a purchase on your site.

2K No CVEs
Jagif – WooCommerce Free Gift

Jagif – WooCommerce Free Gift

jagif-woo-free-gift

A
100

Offer free gifts with purchases using custom rules. Highlight eligible products with visual gift icons to inform and entice customers

90 No CVEs
Free Gift Product For Woocommerce

Free Gift Product For Woocommerce

free-gifts-product-for-woocommerce

A
100

Free Gifts Product For Woocommerce Set a fee for gift and up your revenue with every order. WooCommerce Multiple Free Gift make to many way to gift p …

800 No CVEs
Free Gift for WooCommerce

Free Gift for WooCommerce

woo-free-gift

A
92

Boost your WooCommerce store's conversions by offering automatic free gifts! This plugin lets you reward customers with free products based on ca …

200 No CVEs
Astro WooCommerce Free Gift

Astro WooCommerce Free Gift

astro-woocommerce-free-gift

A
85

This plugin allows you to create a list of free Gift for any product item

10 No CVEs
Developer Profile

MH Free Gifts for WooCommerce Developer Profile

mediahub

1 plugin · 100 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect MH Free Gifts for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mh-free-gifts-for-woocommerce/assets/css/mhfgfwc-frontend.css/wp-content/plugins/mh-free-gifts-for-woocommerce/assets/js/mhfgfwc-frontend.js/wp-content/plugins/mh-free-gifts-for-woocommerce/assets/css/mhfgfwc-admin.css/wp-content/plugins/mh-free-gifts-for-woocommerce/assets/js/mhfgfwc-admin.js/wp-content/plugins/mh-free-gifts-for-woocommerce/assets/js/mhfgfwc-admin-product-search.js/wp-content/plugins/mh-free-gifts-for-woocommerce/assets/js/mhfgfwc-admin-user-search.js/wp-content/plugins/mh-free-gifts-for-woocommerce/assets/js/mhfgfwc-admin-category-search.js
Version Parameters
mh-free-gifts-for-woocommerce/assets/css/mhfgfwc-frontend.css?ver=mh-free-gifts-for-woocommerce/assets/js/mhfgfwc-frontend.js?ver=mh-free-gifts-for-woocommerce/assets/css/mhfgfwc-admin.css?ver=mh-free-gifts-for-woocommerce/assets/js/mhfgfwc-admin.js?ver=mh-free-gifts-for-woocommerce/assets/js/mhfgfwc-admin-product-search.js?ver=mh-free-gifts-for-woocommerce/assets/js/mhfgfwc-admin-user-search.js?ver=mh-free-gifts-for-woocommerce/assets/js/mhfgfwc-admin-category-search.js?ver=

HTML / DOM Fingerprints

CSS Classes
mhfgfwc-gifts-sectionmhfgfwc-gift-itemmhfgfwc-add-to-cart-buttonmhfgfwc-rule-status-activemhfgfwc-rule-status-inactive
Data Attributes
data-mhfgfwc-rule-iddata-mhfgfwc-product-id
JS Globals
mhfgfwc_admin_paramsmhfgfwc_frontend_params
REST Endpoints
/wp-json/mhfgfwc/v1/products/wp-json/mhfgfwc/v1/users/wp-json/mhfgfwc/v1/categories
FAQ

Frequently Asked Questions about MH Free Gifts for WooCommerce