Order Bump for WooCommerce Security & Risk Analysis

wordpress.org/plugins/molongui-bump-offer

Boost sales by promoting products as upsells before payment. Customers can accept the deal from the Checkout page with just one click

700 active installs · v2.6.4 · PHP 5.5.0+ · WP 5.2.0+ · Updated Nov 25, 2025
Tags: bump-offer, one-time-offer, order-bump, sale-funnels, upsell

Security score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Order Bump for WooCommerce Safe to Use in 2026?

Generally Safe

Score 100/100

Order Bump for WooCommerce has no known CVEs and its last release was Nov 25, 2025. Read the score alongside the static-analysis findings below: they flag a guest-reachable AJAX endpoint, `unserialize()` calls on stored meta and on remote response bodies, and a majority of raw SQL queries. None of these is a confirmed vulnerability, but each is something a site owner should weigh before relying on the verdict alone.

No known CVEs · Updated 5 months ago
Risk Assessment

The molongui-bump-offer plugin v2.6.4 has a clean vulnerability history (no known CVEs) but a mixed static-analysis picture. One reading note first: the scan walked two copies of the code base, one under `includes\` and one under `trunk\includes\` (at slightly different line numbers, so they are not identical snapshots), and the raw counts below roughly double-count as a result. The attack-surface listing marks 4 of 8 AJAX handler registrations as unprotected, which de-duplicates to 2 of 4. Only `mbo_ajax_add_to_cart` is registered with the `wp_ajax_nopriv_` prefix, so it is the one handler reachable without a login. That is expected for a checkout add-to-cart action, but it means the handler's own nonce check and its validation of the product and price are the whole defence. The `wp_ajax_` handlers `molongui_send_mail` and `molongui_notice_dismiss` are reachable by any logged-in role, so the login alone is not authorization; they need nonce and capability checks too. The 7 `unserialize` hits reduce to 4 distinct call sites: two in `includes\helpers\bump\getters.php` (lines 20 and 32) that unserialize stored post meta after an `is_serialized()` check, and two (`fw-helper-functions.php:68`, `utils.php:181`) that unserialize the body of a `wp_remote_retrieve_body()` response. `is_serialized()` only tests the string's shape and does nothing against PHP object injection, and a remote body is attacker-controlled if the remote host or the transport is compromised; turning that into code execution still requires a usable gadget chain in the loaded code, which this scan does not assess. On SQL, only 4 of 20 queries (20%) go through `$wpdb->prepare()` and 16 are raw; on output, 455 of 799 sinks (57%) are escaped and 344 are not. A raw query or an unescaped output is an injection or XSS candidate only where user-controlled data reaches it, which a count cannot show; the data-flow pass traced 10 flows and found 2 with an unsanitized path, the one named on this page being `mbo_save_options` (`includes\hooks\common\options\ajax.php:3`).

A clean vulnerability record can mean careful development or simply that nobody has looked closely; at roughly 700 active installs this plugin is a small target, so an empty CVE list says less than it would for a widely audited plugin. The static-analysis findings are not confirmed vulnerabilities, but they are where a review should start: confirm that every AJAX handler calls `check_ajax_referer()` and that the admin-side actions also test `current_user_can()`; replace `unserialize()` on remote bodies with JSON decoding where the endpoint offers it, or at least refuse object records; and trace the 16 raw queries and the unsanitized `mbo_save_options` path to see whether request data reaches them. Two hooks in the list below also deserve a manual read because they run for every capability check and every `esc_html()` call on the request: the `user_has_cap` filter at `includes\hooks\bump\list.php:227` and the `esc_html` filter at `views\bump\html-admin-settings-metabox.php:296`. In the plugin's favour, it bundles no third-party libraries, so there is no outdated-dependency exposure, and the 32 capability checks and 10 nonce checks show the authors use the WordPress authorization primitives, even if not yet uniformly.

Key Concerns

  • Unprotected AJAX handlers (4 of 8 registrations flagged; 2 of 4 once the trunk\ duplicates are folded)
  • Dangerous function: unserialize (4 distinct call sites, 2 of them on remote response bodies)
  • SQL queries without prepared statements (16 of 20)
  • Unescaped output (344 of 799 sinks)
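What the assessment above asks for on the guest-reachable endpoint, shown as an added example rather than code from the plugin: an add-to-cart AJAX handler in the unprotected shape a scanner flags, beside a hardened version that gates on a nonce, accepts a product id only from an allow-list the shop owner configured, and takes the price from that configuration rather than from the request. All `mbo_example_*` names, the `mbo_example_offers` option and the `assets/js/example.js` script path are hypothetical; the page does not show what the plugin's own handler body checks, so nothing here describes it.

```php
<?php
/**
 * Added example for this review; not code from the Order Bump for WooCommerce
 * plugin. Everything prefixed mbo_example_, the option key 'mbo_example_offers'
 * and the script path assets/js/example.js are hypothetical.
 */

/* Unprotected shape: no nonce, product id and offer price taken straight from the request. */
function mbo_example_add_to_cart_unsafe() {
    $product_id = $_POST['product_id'];
    $price      = $_POST['price']; // the client decides what it pays
    WC()->cart->add_to_cart( $product_id, 1, 0, array(), array( 'mbo_example_offer_price' => $price ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_mbo_example_add_to_cart_unsafe', 'mbo_example_add_to_cart_unsafe' );
add_action( 'wp_ajax_mbo_example_add_to_cart_unsafe', 'mbo_example_add_to_cart_unsafe' );

/* Hardened version. */
function mbo_example_add_to_cart() {
    // CSRF gate: check_ajax_referer() ends the request with HTTP 403 when the
    // nonce is missing or stale. It is not an authorization check.
    check_ajax_referer( 'mbo_example_add_to_cart', 'nonce' );

    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;

    // Authorization by configuration: a guest may only add a product the shop
    // owner configured as an offer, and the price comes from that stored
    // configuration, never from the request body.
    $offers = get_option( 'mbo_example_offers', array() ); // e.g. array( 42 => array( 'price' => 9.99 ) )
    if ( 0 === $product_id || ! isset( $offers[ $product_id ]['price'] ) ) {
        wp_send_json_error( array( 'message' => 'not an active offer' ), 400 );
    }

    $product = wc_get_product( $product_id );
    if ( ! $product || ! $product->is_purchasable() || ! $product->is_in_stock() ) {
        wp_send_json_error( array( 'message' => 'product unavailable' ), 400 );
    }

    $cart_item_key = WC()->cart->add_to_cart(
        $product_id, 1, 0, array(),
        array( 'mbo_example_offer_price' => (float) $offers[ $product_id ]['price'] )
    );
    if ( ! $cart_item_key ) {
        wp_send_json_error( array( 'message' => 'could not add to cart' ), 500 );
    }

    // Anything echoed back into the page is escaped here, not left to the caller.
    wp_send_json_success( array(
        'cart_item_key' => $cart_item_key,
        'name'          => esc_html( $product->get_name() ),
    ) );
}
add_action( 'wp_ajax_nopriv_mbo_example_add_to_cart', 'mbo_example_add_to_cart' );
add_action( 'wp_ajax_mbo_example_add_to_cart', 'mbo_example_add_to_cart' );

/* Apply the stored offer price when totals are calculated (the same hook the plugin registers). */
add_action( 'woocommerce_before_calculate_totals', function ( $cart ) {
    foreach ( $cart->get_cart() as $item ) {
        if ( isset( $item['mbo_example_offer_price'] ) ) {
            $item['data']->set_price( $item['mbo_example_offer_price'] );
        }
    }
} );

/* Hand the nonce to the checkout script. An admin-side handler would additionally
 * require current_user_can( 'manage_options' ) or a narrower capability. */
add_action( 'wp_enqueue_scripts', function () {
    if ( ! function_exists( 'is_checkout' ) || ! is_checkout() ) {
        return;
    }
    wp_enqueue_script( 'mbo-example', plugins_url( 'assets/js/example.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'mbo-example', 'mboExample', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'mbo_example_add_to_cart' ),
    ) );
} );
```

For the two `wp_ajax_`-only handlers on this page (`molongui_send_mail`, `molongui_notice_dismiss`) the same pattern applies with one addition: the login proves nothing about role, since a subscriber account reaches a `wp_ajax_` hook, so each needs `check_ajax_referer()` plus a `current_user_can()` test matched to what the action does. A WordPress nonce is valid for 12 to 24 hours, so a checkout page served from a full-page cache can carry a stale one; WooCommerce normally excludes checkout from caching, but confirm that on sites with aggressive cache rules.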
Vulnerabilities
None known

Order Bump for WooCommerce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Order Bump for WooCommerce Release Timeline

v2.6.4 (Current)
v2.6.3
v2.6.2
v2.6.1
v2.6.0
v2.5.2
v2.5.1
v2.4.9
v2.4.8
v2.4.7
v2.4.6
v2.4.5
v2.4.4
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.1
v2.3.0
v2.2.2
Code Analysis
Analyzed Mar 16, 2026

Order Bump for WooCommerce Code Analysis

Dangerous Functions: 7
Raw SQL Queries: 16 (4 prepared)
Unescaped Output: 344 (455 escaped)
Nonce Checks: 10
Capability Checks: 32
File Operations: 10
External Requests: 5
Bundled Libraries: 0

Dangerous Functions Found

unserialize · includes\helpers\bump\getters.php:20 · if ( is_serialized( $value[0] ) ) $meta[$key] = unserialize( $value[0] );
unserialize · includes\helpers\bump\getters.php:32 · if ( is_serialized( $value[0] ) ) $meta[$key] = unserialize( $value[0] );
unserialize · includes\helpers\common\legacy\fw-helper-functions.php:68 · $response = unserialize( wp_remote_retrieve_body( $response ) );
unserialize · includes\helpers\utils.php:181 · $response = unserialize( wp_remote_retrieve_body( $response ) );
unserialize · trunk\includes\helpers\bump\getters.php:20 · if ( is_serialized( $value[0] ) ) $meta[$key] = unserialize( $value[0] );
unserialize · trunk\includes\helpers\bump\getters.php:32 · if ( is_serialized( $value[0] ) ) $meta[$key] = unserialize( $value[0] );
unserialize · trunk\includes\helpers\common\legacy\fw-helper-functions.php:68 · $response = unserialize( wp_remote_retrieve_body( $response ) );
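The two `unserialize()` patterns the scan lists, each with a replacement, as an added example that is not the plugin's code: an object-refusing decoder for the post-meta values (the `getters.php` sites) and a JSON-first fetch for the remote-body sites (`fw-helper-functions.php:68`, `utils.php:181`). The `mbo_example_*` names are hypothetical, the remote endpoint offering JSON is an assumption, and the sample strings at the bottom are constructed.

```php
<?php
/**
 * Added example for this review; not the plugin's code. Function names are
 * hypothetical, and the remote endpoint speaking JSON is an assumption.
 */

/**
 * Decode a serialized PHP value while refusing PHP objects.
 *
 * Object (O:) and custom-serialized (C:) records are what object-injection
 * payloads are built from. On PHP 7.0+, allowed_classes => false additionally
 * turns any object that slips through into __PHP_Incomplete_Class, so no
 * __wakeup()/__destruct() runs. The plugin declares PHP 5.5.0+, where that
 * option does not exist, hence the token scan runs on every version.
 *
 * @param  mixed $payload  Raw meta value or response body.
 * @return mixed|false     Decoded value, or false if the payload is unsafe or malformed.
 */
function mbo_example_unserialize_data( $payload ) {
    if ( ! is_string( $payload ) || ! is_serialized( $payload ) ) {
        return $payload; // already a PHP value, or a plain scalar stored as text
    }
    // Reject any object record. This also rejects the rare legitimate string
    // whose contents look like an object record; a false positive in the safe direction.
    if ( preg_match( '/(^|[;{])[OC]:\d+:"/', $payload ) ) {
        return false;
    }
    $value = ( PHP_VERSION_ID >= 70000 )
        ? @unserialize( $payload, array( 'allowed_classes' => false ) )
        : @unserialize( $payload );

    // unserialize() returns false on malformed input; a genuinely serialized false is "b:0;".
    if ( false === $value && 'b:0;' !== $payload ) {
        return false;
    }
    return $value;
}

/**
 * Fetch a remote endpoint without unserializing its body.
 *
 * A serialized-PHP body is a deserialization sink controlled by whoever controls
 * the remote host or the connection. Prefer a JSON response; fall back to the
 * object-refusing decoder above only for endpoints that speak nothing else.
 */
function mbo_example_fetch_remote( $url ) {
    $response = wp_remote_get( $url, array( 'timeout' => 10, 'sslverify' => true ) );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $body = wp_remote_retrieve_body( $response );
    $data = json_decode( $body, true );
    if ( JSON_ERROR_NONE === json_last_error() ) {
        return $data;
    }
    return mbo_example_unserialize_data( $body );
}

/* Constructed inputs, not captured from a site: a benign meta array and an object payload. */
$meta_ok  = 'a:2:{s:5:"price";s:4:"9.99";s:7:"enabled";b:1;}';
$meta_bad = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';
var_dump( mbo_example_unserialize_data( $meta_ok ) );
var_dump( mbo_example_unserialize_data( $meta_bad ) );
```

The benign array decodes normally; the object payload is refused before `unserialize()` ever sees it. A caller that receives `false` should treat the stored value as corrupt rather than fall back to raw `unserialize()`, which would reopen the sink. For the meta sites, WordPress's own `get_post_meta()` already unserializes for you via `maybe_unserialize()`, but it imposes no class restriction either, so the same guard belongs in front of any value that could have been written by a lower-privileged path.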

SQL Query Safety

20% prepared · 20 total queries

Output Escaping

57% escaped · 799 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

10 flows · 2 with unsanitized paths
mbo_save_options (includes\hooks\common\options\ajax.php:3)
Attack Surface
4 unprotected

Order Bump for WooCommerce Attack Surface

Entry Points: 8
Unprotected: 4

AJAX Handlers 8

nopriv = registered with the wp_ajax_nopriv_ prefix, reachable without a login; auth = wp_ajax_ prefix, reachable by any logged-in user of any role. Each handler appears twice, once under includes\ and once under trunk\includes\.

nopriv · wp_ajax_mbo_ajax_add_to_cart · includes\hooks\bump\add-to-cart.php:71
auth · wp_ajax_mbo_ajax_add_to_cart · includes\hooks\bump\add-to-cart.php:72
auth · wp_ajax_molongui_send_mail · includes\hooks\common\support\form.php:56
auth · wp_ajax_molongui_notice_dismiss · includes\hooks\common\wordpress\notices.php:218
nopriv · wp_ajax_mbo_ajax_add_to_cart · trunk\includes\hooks\bump\add-to-cart.php:46
auth · wp_ajax_mbo_ajax_add_to_cart · trunk\includes\hooks\bump\add-to-cart.php:47
auth · wp_ajax_molongui_send_mail · trunk\includes\hooks\common\support\form.php:56
auth · wp_ajax_molongui_notice_dismiss · trunk\includes\hooks\common\wordpress\notices.php:218
WordPress Hooks (180)
action · customize_register · customizer\common\customizer.php:18
action · customize_controls_enqueue_scripts · customizer\common\customizer.php:19
action · customize_preview_init · customizer\common\customizer.php:20
action · admin_notices · includes\helpers\common\debug\print_r.php:35
action · admin_notices · includes\helpers\common\legacy\deprecated.php:54
filter · woocommerce_add_cart_item_data · includes\hooks\bump\add-to-cart.php:100
action · woocommerce_before_calculate_totals · includes\hooks\bump\add-to-cart.php:129
filter · woocommerce_cart_item_price · includes\hooks\bump\add-to-cart.php:140
action · wp_loaded · includes\hooks\bump\cookies.php:18
action · init · includes\hooks\bump\cpt.php:47
filter · post_updated_messages · includes\hooks\bump\cpt.php:68
action · admin_head-post-new.php · includes\hooks\bump\edit.php:12
action · admin_head-post.php · includes\hooks\bump\edit.php:13
action · add_meta_boxes · includes\hooks\bump\edit.php:63
filter · user_has_cap · includes\hooks\bump\list.php:227
filter · post_row_actions · includes\hooks\bump\list.php:253
filter · bulk_actions-edit-molongui_bump · includes\hooks\bump\list.php:275
action · quick_edit_custom_box · includes\hooks\bump\quick-edit.php:119
action · admin_footer · includes\hooks\bump\quick-edit.php:253
action · admin_enqueue_scripts · includes\hooks\bump\scripts.php:9
action · admin_enqueue_scripts · includes\hooks\bump\scripts.php:18
action · mbo/edit_bump/pre_inline_script · includes\hooks\bump\scripts.php:42
action · mbo/edit_bump/pre_enqueue_script · includes\hooks\bump\scripts.php:47
action · wp_enqueue_scripts · includes\hooks\bump\scripts.php:54
action · wp_footer · includes\hooks\bump\scripts.php:71
filter · woocommerce_screen_ids · includes\hooks\bump\styles.php:12
filter · _mbo/bump/admin/stylesheet · includes\hooks\bump\styles.php:17
filter · mbo/bump/admin/inline/stylesheet · includes\hooks\bump\styles.php:25
action · admin_enqueue_scripts · includes\hooks\bump\styles.php:26
filter · mbo/bump/admin/inline/stylesheet · includes\hooks\bump\styles.php:30
action · admin_head · includes\hooks\bump\styles.php:31
filter · _mbo/bump/admin/media_styles · includes\hooks\bump\styles.php:86
filter · mbo/bump/admin/inline/media_styles · includes\hooks\bump\styles.php:91
action · admin_enqueue_scripts · includes\hooks\bump\styles.php:92
filter · mbo/bump/admin/inline/media_styles · includes\hooks\bump\styles.php:96
action · admin_head · includes\hooks\bump\styles.php:97
action · wp_enqueue_scripts · includes\hooks\bump\styles.php:148
action · wp_footer · includes\hooks\bump\styles.php:174
filter · mbo/bump/enqueue_styles · includes\hooks\bump\styles.php:180
action · woocommerce_after_cart_item_quantity_update · includes\hooks\bump\update-cart.php:9
action · admin_enqueue_scripts · includes\hooks\common\assets.php:15
action · admin_enqueue_scripts · includes\hooks\common\assets.php:33
action · admin_init · includes\hooks\common\assets.php:54
action · admin_init · includes\hooks\common\assets.php:72
action · admin_init · includes\hooks\common\assets.php:93
action · admin_init · includes\hooks\common\assets.php:114
action · admin_init · includes\hooks\common\assets.php:132
action · admin_init · includes\hooks\common\assets.php:150
action · admin_init · includes\hooks\common\assets.php:171
action · init · includes\hooks\common\assets.php:195
action · admin_menu · includes\hooks\common\options\menu.php:22
action · admin_head · includes\hooks\common\options\menu.php:31
action · admin_enqueue_scripts · includes\hooks\common\options\scripts.php:17
action · admin_footer · includes\hooks\common\options\scripts.php:101
action · admin_enqueue_scripts · includes\hooks\common\options\styles.php:11
filter · _molongui/plugins/stylesheet · includes\hooks\common\plugins.php:9
filter · molongui/plugins/inline/stylesheet · includes\hooks\common\plugins.php:14
action · admin_enqueue_scripts · includes\hooks\common\plugins.php:15
filter · molongui/plugins/inline/stylesheet · includes\hooks\common\plugins.php:19
action · admin_head · includes\hooks\common\plugins.php:20
filter · _molongui/plugins/scripts · includes\hooks\common\plugins.php:53
filter · molongui/plugins/inline/scripts · includes\hooks\common\plugins.php:58
action · admin_enqueue_scripts · includes\hooks\common\plugins.php:59
filter · molongui/plugins/inline/scripts · includes\hooks\common\plugins.php:63
action · admin_footer-toplevel_page_molongui · includes\hooks\common\plugins.php:64
action · admin_enqueue_scripts · includes\hooks\common\support\scripts.php:16
action · admin_enqueue_scripts · includes\hooks\common\support\styles.php:10
action · admin_footer-molongui_page_molongui-support · includes\hooks\common\support\tidio.php:10
filter · admin_footer_text · includes\hooks\common\wordpress\footer.php:18
action · wp_footer · includes\hooks\common\wordpress\footer.php:29
action · admin_notices · includes\hooks\common\wordpress\notices.php:34
action · admin_notices · includes\hooks\common\wordpress\notices.php:67
filter · upgrader_post_install · includes\hooks\common\wordpress\notices.php:78
action · admin_notices · includes\hooks\common\wordpress\notices.php:142
action · admin_enqueue_scripts · includes\hooks\common\wordpress\notices.php:227
action · admin_enqueue_scripts · includes\hooks\common\wordpress\notices.php:240
filter · mbo/default_options · includes\hooks\options\defaults.php:90
action · admin_enqueue_scripts · includes\hooks\options\scripts.php:9
action · mbo/options/before_footer · includes\hooks\options\scripts.php:16
action · mbo/options · includes\hooks\options\validation.php:3
action · woocommerce_review_order_before_submit · includes\hooks\woocommerce\display.php:7
action · init · includes\hooks\woocommerce\display.php:10
filter · woocommerce_get_plugins_with_header · includes\hooks\woocommerce.php:10
filter · woocommerce_check_cart_items · includes\hooks\woocommerce.php:27
action · init · includes\plugin.php:142
action · plugins_loaded · molongui-bump-offer.php:39
action · admin_notices · molongui-bump-offer.php:42
action · admin_notices · molongui-bump-offer.php:46
action · before_woocommerce_init · molongui-bump-offer.php:53
action · customize_register · trunk\customizer\common\customizer.php:18
action · customize_controls_enqueue_scripts · trunk\customizer\common\customizer.php:19
action · customize_preview_init · trunk\customizer\common\customizer.php:20
action · admin_notices · trunk\includes\helpers\common\debug\print_r.php:35
action · admin_notices · trunk\includes\helpers\common\legacy\deprecated.php:54
filter · woocommerce_add_cart_item_data · trunk\includes\hooks\bump\add-to-cart.php:69
action · woocommerce_before_calculate_totals · trunk\includes\hooks\bump\add-to-cart.php:94
filter · woocommerce_cart_item_price · trunk\includes\hooks\bump\add-to-cart.php:102
action · wp_loaded · trunk\includes\hooks\bump\cookies.php:18
action · init · trunk\includes\hooks\bump\cpt.php:47
filter · post_updated_messages · trunk\includes\hooks\bump\cpt.php:68
action · admin_head-post-new.php · trunk\includes\hooks\bump\edit.php:12
action · admin_head-post.php · trunk\includes\hooks\bump\edit.php:13
action · add_meta_boxes · trunk\includes\hooks\bump\edit.php:63
filter · user_has_cap · trunk\includes\hooks\bump\list.php:207
filter · post_row_actions · trunk\includes\hooks\bump\list.php:233
filter · bulk_actions-edit-molongui_bump · trunk\includes\hooks\bump\list.php:255
action · quick_edit_custom_box · trunk\includes\hooks\bump\quick-edit.php:119
action · admin_footer · trunk\includes\hooks\bump\quick-edit.php:253
action · admin_enqueue_scripts · trunk\includes\hooks\bump\scripts.php:9
action · admin_enqueue_scripts · trunk\includes\hooks\bump\scripts.php:18
action · mbo/edit_bump/pre_inline_script · trunk\includes\hooks\bump\scripts.php:42
action · mbo/edit_bump/pre_enqueue_script · trunk\includes\hooks\bump\scripts.php:47
action · wp_enqueue_scripts · trunk\includes\hooks\bump\scripts.php:54
action · wp_footer · trunk\includes\hooks\bump\scripts.php:71
filter · woocommerce_screen_ids · trunk\includes\hooks\bump\styles.php:12
filter · _mbo/bump/admin/stylesheet · trunk\includes\hooks\bump\styles.php:17
filter · mbo/bump/admin/inline/stylesheet · trunk\includes\hooks\bump\styles.php:25
action · admin_enqueue_scripts · trunk\includes\hooks\bump\styles.php:26
filter · mbo/bump/admin/inline/stylesheet · trunk\includes\hooks\bump\styles.php:30
action · admin_head · trunk\includes\hooks\bump\styles.php:31
filter · _mbo/bump/admin/media_styles · trunk\includes\hooks\bump\styles.php:86
filter · mbo/bump/admin/inline/media_styles · trunk\includes\hooks\bump\styles.php:91
action · admin_enqueue_scripts · trunk\includes\hooks\bump\styles.php:92
filter · mbo/bump/admin/inline/media_styles · trunk\includes\hooks\bump\styles.php:96
action · admin_head · trunk\includes\hooks\bump\styles.php:97
action · wp_enqueue_scripts · trunk\includes\hooks\bump\styles.php:148
action · wp_footer · trunk\includes\hooks\bump\styles.php:174
filter · mbo/bump/enqueue_styles · trunk\includes\hooks\bump\styles.php:180
action · woocommerce_after_cart_item_quantity_update · trunk\includes\hooks\bump\update-cart.php:9
action · admin_enqueue_scripts · trunk\includes\hooks\common\assets.php:15
action · admin_enqueue_scripts · trunk\includes\hooks\common\assets.php:33
action · admin_init · trunk\includes\hooks\common\assets.php:54
action · admin_init · trunk\includes\hooks\common\assets.php:72
action · admin_init · trunk\includes\hooks\common\assets.php:93
action · admin_init · trunk\includes\hooks\common\assets.php:114
action · admin_init · trunk\includes\hooks\common\assets.php:132
action · admin_init · trunk\includes\hooks\common\assets.php:150
action · admin_init · trunk\includes\hooks\common\assets.php:171
action · init · trunk\includes\hooks\common\assets.php:195
action · admin_menu · trunk\includes\hooks\common\options\menu.php:22
action · admin_head · trunk\includes\hooks\common\options\menu.php:31
action · admin_enqueue_scripts · trunk\includes\hooks\common\options\scripts.php:17
action · admin_footer · trunk\includes\hooks\common\options\scripts.php:101
action · admin_enqueue_scripts · trunk\includes\hooks\common\options\styles.php:11
filter · _molongui/plugins/stylesheet · trunk\includes\hooks\common\plugins.php:9
filter · molongui/plugins/inline/stylesheet · trunk\includes\hooks\common\plugins.php:14
action · admin_enqueue_scripts · trunk\includes\hooks\common\plugins.php:15
filter · molongui/plugins/inline/stylesheet · trunk\includes\hooks\common\plugins.php:19
action · admin_head · trunk\includes\hooks\common\plugins.php:20
filter · _molongui/plugins/scripts · trunk\includes\hooks\common\plugins.php:53
filter · molongui/plugins/inline/scripts · trunk\includes\hooks\common\plugins.php:58
action · admin_enqueue_scripts · trunk\includes\hooks\common\plugins.php:59
filter · molongui/plugins/inline/scripts · trunk\includes\hooks\common\plugins.php:63
action · admin_footer-toplevel_page_molongui · trunk\includes\hooks\common\plugins.php:64
action · admin_enqueue_scripts · trunk\includes\hooks\common\support\scripts.php:16
action · admin_enqueue_scripts · trunk\includes\hooks\common\support\styles.php:10
action · admin_footer-molongui_page_molongui-support · trunk\includes\hooks\common\support\tidio.php:10
filter · admin_footer_text · trunk\includes\hooks\common\wordpress\footer.php:18
action · wp_footer · trunk\includes\hooks\common\wordpress\footer.php:29
action · admin_notices · trunk\includes\hooks\common\wordpress\notices.php:34
action · admin_notices · trunk\includes\hooks\common\wordpress\notices.php:67
filter · upgrader_post_install · trunk\includes\hooks\common\wordpress\notices.php:78
action · admin_notices · trunk\includes\hooks\common\wordpress\notices.php:142
action · admin_enqueue_scripts · trunk\includes\hooks\common\wordpress\notices.php:227
action · admin_enqueue_scripts · trunk\includes\hooks\common\wordpress\notices.php:240
filter · mbo/default_options · trunk\includes\hooks\options\defaults.php:90
action · admin_enqueue_scripts · trunk\includes\hooks\options\scripts.php:9
action · mbo/options/before_footer · trunk\includes\hooks\options\scripts.php:16
action · mbo/options · trunk\includes\hooks\options\validation.php:3
action · woocommerce_review_order_before_submit · trunk\includes\hooks\woocommerce\display.php:7
action · init · trunk\includes\hooks\woocommerce\display.php:10
filter · woocommerce_get_plugins_with_header · trunk\includes\hooks\woocommerce.php:10
filter · woocommerce_check_cart_items · trunk\includes\hooks\woocommerce.php:27
action · plugins_loaded · trunk\molongui-bump-offer.php:30
action · admin_notices · trunk\molongui-bump-offer.php:33
action · admin_notices · trunk\molongui-bump-offer.php:37
filter · bump/is_preview · trunk\views\bump\html-admin-preview-metabox.php:7
filter · esc_html · trunk\views\bump\html-admin-settings-metabox.php:296
filter · bump/is_preview · views\bump\html-admin-preview-metabox.php:7
filter · esc_html · views\bump\html-admin-settings-metabox.php:296
Maintenance & Trust

Order Bump for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 25, 2025
PHP min version: 5.5.0
Downloads: 26K

Community Trust

Rating: 88/100
Number of ratings: 18
Active installs: 700
Developer Profile

Order Bump for WooCommerce Developer Profile

Molongui

3 plugins · 11K total installs

Trust score: 88
Avg Security Score: 100/100
Avg Patch Time: 79 days
Detection Fingerprints

How We Detect Order Bump for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/molongui-bump-offer/assets/css/frontend.css
/wp-content/plugins/molongui-bump-offer/assets/js/frontend.js
/wp-content/plugins/molongui-bump-offer/assets/css/admin.css
/wp-content/plugins/molongui-bump-offer/assets/js/admin.js
Script Paths
/wp-content/plugins/molongui-bump-offer/assets/js/frontend.js
/wp-content/plugins/molongui-bump-offer/assets/js/admin.js
Version Parameters
molongui-bump-offer/assets/css/frontend.css?ver=
molongui-bump-offer/assets/js/frontend.js?ver=
molongui-bump-offer/assets/css/admin.css?ver=
molongui-bump-offer/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
molongui-bump-offer-popup
molongui-buy-now
molongui-order-bump-product
HTML Comments
<!-- Molongui Order Bump for WooCommerce -->
Data Attributes
data-molongui-bump-offer-product-id
data-molongui-bump-offer-price
JS Globals
molongui_bump_offer_params
Shortcode Output
[molongui_bump_offer_product
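A detector that runs the fingerprints above against a page's HTML, as an added example that is not part of this page's scanner. The HTML sample is constructed for the example (shop.example is a placeholder host), and the rule that only an asset path or the JS global counts as a confident match is this example's own choice, not something the page states.

```php
<?php
/**
 * Added example for this review; not part of the page's scanner. Checks an
 * HTML document against the fingerprints listed above and reports which
 * signals matched, plus the asset version when a ?ver= parameter is present.
 * The $html sample is constructed, not captured from a real site.
 */
function mbo_example_detect( $html ) {
    $signals = array(
        'asset_path'     => '#/wp-content/plugins/molongui-bump-offer/assets/(?:css|js)/(?:frontend|admin)\.(?:css|js)#',
        'css_class'      => '#\b(?:molongui-bump-offer-popup|molongui-buy-now|molongui-order-bump-product)\b#',
        'html_comment'   => '#<!-- Molongui Order Bump for WooCommerce -->#',
        'data_attribute' => '#\bdata-molongui-bump-offer-(?:product-id|price)=#',
        'js_global'      => '#\bmolongui_bump_offer_params\b#',
        'shortcode'      => '#\[molongui_bump_offer_product\b#',
    );
    $matched = array();
    foreach ( $signals as $name => $regex ) {
        if ( preg_match( $regex, $html ) ) {
            $matched[] = $name;
        }
    }
    // Asset paths and the JS global are emitted by the plugin's own enqueue calls;
    // a CSS class or data attribute alone can be copied by a theme, so only the
    // former two count as a confident match (this example's own threshold).
    $confident = in_array( 'asset_path', $matched, true ) || in_array( 'js_global', $matched, true );

    $version = null;
    if ( preg_match( '#molongui-bump-offer/assets/(?:css|js)/[a-z]+\.(?:css|js)\?ver=([0-9]+(?:\.[0-9]+)*)#', $html, $m ) ) {
        $version = $m[1];
    }
    return array(
        'detected'  => ! empty( $matched ),
        'confident' => $confident,
        'signals'   => $matched,
        'version'   => $version,
    );
}

/* Constructed sample page; shop.example is a placeholder host. */
$html = <<<'HTML'
<!DOCTYPE html><html><head>
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/molongui-bump-offer/assets/css/frontend.css?ver=2.6.4">
<script src="https://shop.example/wp-content/plugins/molongui-bump-offer/assets/js/frontend.js?ver=2.6.4"></script>
<script>var molongui_bump_offer_params = {"ajax_url":"https://shop.example/wp-admin/admin-ajax.php"};</script>
</head><body>
<!-- Molongui Order Bump for WooCommerce -->
<div class="molongui-order-bump-product" data-molongui-bump-offer-product-id="42" data-molongui-bump-offer-price="9.99">
  <button class="molongui-buy-now">Add to order</button>
</div>
</body></html>
HTML;

print_r( mbo_example_detect( $html ) );
```

The `?ver=` value is whatever the plugin passed to `wp_enqueue_style()` or `wp_enqueue_script()`; it is usually the plugin version but nothing guarantees that, so treat it as a hint and confirm against the `Stable tag` line of the plugin's `readme.txt` where the site exposes it. The front-end markup only appears on the checkout page, so a crawl that fetches the home page alone will miss the CSS-class, data-attribute and JS-global signals.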
FAQ

Frequently Asked Questions about Order Bump for WooCommerce