Does Moloni have any unpatched vulnerabilities?

No. All known vulnerabilities in Moloni have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Moloni compatible with WordPress 6.7.5?

According to WordPress.org data, Moloni 5.0.04 has been tested up to WordPress 6.7.5. Check the plugin's changelog for the latest compatibility information.

Is Moloni compatible with PHP 7.2+?

Moloni requires PHP 7.2 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Moloni updated?

Moloni was last updated on Dec 22, 2025. Frequent updates are generally a positive security signal.

What is Moloni's security score?

Moloni has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Moloni Security & Risk Analysis

wordpress.org/plugins/moloni

Software de faturação inovador que se adapta ao seu negócio! Destinado a profissionais liberais, micro, pequenas e médias empresas.

2K active installs v5.0.04 PHP 7.2+ WP 4.6+ Updated Dec 22, 2025

invoicingorders

A · Safe

CVEs total1

Unpatched0

Last CVEJul 11, 2024

Plugin page Download

Safety Verdict

Is Moloni Safe to Use in 2026?

Generally Safe

Score 99/100

Moloni has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Jul 11, 2024Updated 3mo ago

Risk Assessment

The Moloni plugin v5.0.04 exhibits a mixed security posture. On the positive side, the code demonstrates good practices in output escaping, with 93% of outputs being properly escaped. Furthermore, the majority of SQL queries are handled using prepared statements, which is a significant strength in preventing SQL injection vulnerabilities. The absence of critical or high-severity taint analysis findings and the fact that all previously known vulnerabilities are patched are also positive indicators.

However, there are significant security concerns. The plugin has a substantial attack surface with 6 AJAX handlers, all of which are unprotected and lack authentication checks. This is a critical oversight that could allow unauthenticated users to trigger arbitrary actions within the plugin. The complete absence of nonce checks on AJAX handlers exacerbates this risk. While the vulnerability history shows only one medium-severity CVE, and it's patched, the presence of an XSS vulnerability in the past, combined with the current lack of AJAX authentication, suggests a potential for similar vulnerabilities to be introduced or exploited if input is not properly validated and escaped on these unprotected AJAX endpoints.

In conclusion, while the Moloni plugin has strengths in its SQL query handling and output escaping, the unprotected AJAX endpoints represent a critical security weakness. The lack of authentication and nonce checks on these entry points creates a high risk of unauthorized access and potential exploitation. Addressing these unprotected AJAX handlers should be the highest priority.

Key Concerns

6 unprotected AJAX handlers
0 nonce checks on AJAX
1 medium severity CVE (historical)
49% SQL queries not using prepared statements

Vulnerabilities

Moloni Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2024-38694medium · 6.1Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Moloni <= 4.7.4 - Reflected Cross-Site Scripting

Jul 11, 2024 Patched in 4.8.0 (7d)

Code Analysis

Analyzed Mar 16, 2026

Moloni Code Analysis

Dangerous Functions

Raw SQL Queries

18 prepared

Unescaped Output

366 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

jQuery3.6.4

SQL Query Safety

49% prepared37 total queries

Output Escaping

93% escaped392 total outputs

Data Flows

All sanitized

Data Flow Analysis

3 flows

<Logs> (src\Templates\Containers\Logs.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

6 unprotected

Moloni Attack Surface

Entry Points6

Unprotected6

AJAX Handlers 6

authwp_ajax_genInvoicesrc\Hooks\Ajax.php:27

authwp_ajax_discardOrdersrc\Hooks\Ajax.php:28

authwp_ajax_toolsCreateWcProductsrc\Hooks\Ajax.php:30

authwp_ajax_toolsUpdateWcStocksrc\Hooks\Ajax.php:31

authwp_ajax_toolsCreateMoloniProductsrc\Hooks\Ajax.php:32

authwp_ajax_toolsUpdateMoloniStocksrc\Hooks\Ajax.php:33

WordPress Hooks 21

actionwp_initialize_sitemoloni.php:54

actionwp_uninitialize_sitemoloni.php:55

actionplugins_loadedmoloni.php:56

actionadmin_enqueue_scriptsmoloni.php:57

actionwoocommerce_order_details_after_customer_detailssrc\Hooks\OrderDetails.php:32

filtermanage_woocommerce_page_wc-orders_columnssrc\Hooks\OrderList.php:50

actionmanage_woocommerce_page_wc-orders_custom_columnsrc\Hooks\OrderList.php:51

filtermanage_edit-shop_order_columnssrc\Hooks\OrderList.php:56

actionmanage_shop_order_posts_custom_columnsrc\Hooks\OrderList.php:57

actionwoocommerce_refund_createdsrc\Hooks\OrderRefunded.php:31

actionwoocommerce_order_status_changedsrc\Hooks\OrderStatusChanged.php:29

actionadd_meta_boxessrc\Hooks\OrderView.php:34

actionwoocommerce_update_productsrc\Hooks\ProductUpdate.php:35

actionwoocommerce_update_product_variationsrc\Hooks\ProductUpdate.php:36

actionadd_meta_boxessrc\Hooks\ProductView.php:37

actionupgrader_process_completesrc\Hooks\UpgradeProcess.php:19

actionbefore_woocommerce_initsrc\Hooks\WoocommerceInitialize.php:22

actionadmin_menusrc\Menus\Admin.php:21

actionadmin_noticessrc\Menus\Admin.php:22

filtercron_schedulessrc\Plugin.php:86

actionmoloniProductsSyncsrc\Plugin.php:87

Scheduled Events 1

moloniProductsSync

Maintenance & Trust

Moloni Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5

Last updatedDec 22, 2025

PHP min version7.2

Downloads94K

Community Trust

Rating96/100

Number of ratings6

Active installs2K

Alternatives

Moloni Alternatives

Contribuinte Checkout

contribuinte-checkout

With this plugin you can add VAT and VIES support to your WooCommerce store. The VAT field will be saved as '_billing_vat'.

1K 1 CVE

Vendus

vendus

Faturação 100% online, sem dores de cabeça e sem sair da sua loja online! Programa nº 2230 certificado pela AT a partir de 4€ / mês.

100 No CVEs

Moloni España

moloni-es

100

Innovative billing software that fits your business.! Intended for professionals, micro, small and medium enterprises.

20 No CVEs

Marvinerp

marvinerp-api

O Marvin ERP é um produto com a qualidade da PONTO 25 – informática lda.

10 No CVEs

LH Woocommerce Invoicing

lh-woocommerce-invoicing

Adds membership functionality to LH Teams.

0 No CVEs

Developer Profile

Moloni Developer Profile

Moloni

2 plugins · 3K total installs

trust score

Avg Security Score

99/100

Avg Patch Time

11 days

View full developer profile

Detection Fingerprints

How We Detect Moloni

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/moloni/assets/css/moloni.min.css/wp-content/plugins/moloni/assets/js/moloni.min.js

Script Paths

/wp-content/plugins/moloni/assets/js/moloni.min.js

Version Parameters

moloni/assets/css/moloni.min.css?ver=moloni/assets/js/moloni.min.js?ver=

HTML / DOM Fingerprints

FAQ