Order Tip for WooCommerce Security & Risk Analysis

wordpress.org/plugins/order-tip-woo

Order Tip for WooCommerce adds a form to your cart and checkout pages where your customers will be able to add tips or donations

2K active installs · v1.5.6 · PHP + WP 3.0+ · Updated Jan 2, 2026
Tags: donation, ecommerce, order, tip, woocommerce

Score: 97
Grade: A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Aug 14, 2025
Safety Verdict

Is Order Tip for WooCommerce Safe to Use in 2026?

Generally Safe

Score 97/100

Order Tip for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Aug 14, 2025 · Updated 3mo ago
Risk Assessment

The 'order-tip-woo' plugin v1.5.6 presents a mixed security posture. On the positive side, static analysis reveals strong adherence to output escaping practices, with 100% of outputs properly escaped. The plugin also demonstrates good use of nonce and capability checks for its entry points, with no directly unprotected AJAX handlers or REST API routes identified. Taint analysis shows no unsanitized paths, indicating a lack of common injection vulnerabilities from this perspective.

However, significant concerns arise from the plugin's historical vulnerability data. It has a history of known CVEs, with one high and one medium severity vulnerability in the past. The types of vulnerabilities found, 'Client-Side Enforcement of Server-Side Security' and 'Missing Authorization,' are particularly worrying, as they often indicate fundamental flaws in how security is implemented. The presence of four calls to the dangerous 'unserialize' function, without explicit context about their usage or sanitization, is also a potential risk, as unserialization can lead to arbitrary code execution if not handled with extreme care, especially when dealing with untrusted input.

In conclusion, while the current version exhibits some good security practices in output sanitization and entry point protection, the past vulnerability history, coupled with the use of dangerous functions like 'unserialize,' suggests that a thorough review of authorization and input validation, particularly around unserialization, is warranted. The plugin has potential weaknesses that have been exploited in the past and require ongoing vigilance.

Key Concerns

  • Raw SQL queries without prepared statements
  • Dangerous function 'unserialize' used
  • Past high severity vulnerability
  • Past medium severity vulnerability
Vulnerabilities (2)

Order Tip for WooCommerce Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 1

2 total CVEs

CVE-2025-6025 · High (7.5) · Client-Side Enforcement of Server-Side Security

Order Tip for WooCommerce <= 1.5.4 - Unauthenticated Tip Manipulation to Negative Value Leading to Unauthorized Discounts

Aug 14, 2025 · Patched in 1.5.5 (1d)

CVE-2024-1119 · Medium (5.3) · Missing Authorization

Order Tip for WooCommerce <= 1.3.1 - Missing Authorization to Unauthenticated Data Export

Mar 19, 2024 · Patched in 1.4.0 (1d)
Code Analysis (analyzed Mar 16, 2026)

Order Tip for WooCommerce Code Analysis

  • Dangerous Functions: 4
  • Raw SQL Queries: 1 (0 prepared)
  • Unescaped Output: 0 (168 escaped)
  • Nonce Checks: 6
  • Capability Checks: 1
  • File Operations: 2
  • External Requests: 0
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · frontend\controllers\main.class.php:113
  $session_tip = WOO_Order_Tip_Service::should_use_php_session() ? ( isset( $_SESSION['tip'] ) && ! em…

unserialize · frontend\controllers\main.class.php:238
  $session_tip = isset( $_SESSION ) && isset( $_SESSION['tip'] ) && ! empty( $_SESSION['tip'] ) ? unse…

unserialize · frontend\services\order-tip-woo.service.php:85
  $tip = isset( $_SESSION ) && isset( $_SESSION['tip'] ) && ! empty( $_SESSION['tip'] ) ? unserialize(…

unserialize · frontend\services\order-tip-woo.service.php:171
  $session_tip = isset( $_SESSION ) && isset( $_SESSION['tip'] ) && ! empty( $_SESSION['tip'] ) ? unse…

SQL Query Safety

0% prepared · 1 total queries

Output Escaping

100% escaped · 168 total outputs

Data Flows: all sanitized

Data Flow Analysis

2 flows
  • export_tips_to_csv (admin\controllers\reports.class.php:515)
Attack Surface

Order Tip for WooCommerce Attack Surface

Entry Points: 5 · Unprotected: 0

AJAX Handlers (4)

auth    wp_ajax_apply_tip   frontend\controllers\main.class.php:81
nopriv  wp_ajax_apply_tip   frontend\controllers\main.class.php:82
auth    wp_ajax_remove_tip  frontend\controllers\main.class.php:83
nopriv  wp_ajax_remove_tip  frontend\controllers\main.class.php:84

Shortcodes (1)

[order_tip_form]  frontend\controllers\main.class.php:91

WordPress Hooks (27)

action  admin_enqueue_scripts                       admin\controllers\config.class.php:22
filter  plugin_action_links                         admin\controllers\config.class.php:23
action  admin_init                                  admin\controllers\config.class.php:24
filter  woocommerce_admin_reports                   admin\controllers\reports.class.php:45
action  order_tip_settings_reports                  admin\controllers\reports.class.php:46
action  woocommerce_checkout_update_order_meta      admin\controllers\reports.class.php:47
action  admin_init                                  admin\controllers\reports.class.php:59
filter  woocommerce_settings_tabs_array             admin\controllers\settings.class.php:37
action  woocommerce_admin_field_order_tip_reports   admin\controllers\settings.class.php:41
filter  woocommerce_get_settings_pages              admin\controllers\settings.class.php:612
action  wp_enqueue_scripts                          frontend\controllers\config.class.php:22
action  wp                                          frontend\controllers\config.class.php:23
action  woocommerce_before_cart                     frontend\controllers\main.class.php:41
action  woocommerce_cart_coupon                     frontend\controllers\main.class.php:44
action  woocommerce_after_cart_table                frontend\controllers\main.class.php:47
action  woocommerce_before_cart_totals              frontend\controllers\main.class.php:50
action  woocommerce_after_cart                      frontend\controllers\main.class.php:53
action  woocommerce_before_checkout_form            frontend\controllers\main.class.php:63
action  woocommerce_before_order_notes              frontend\controllers\main.class.php:66
action  woocommerce_checkout_after_customer_details frontend\controllers\main.class.php:69
action  woocommerce_checkout_order_review           frontend\controllers\main.class.php:72
action  woocommerce_after_checkout_form             frontend\controllers\main.class.php:75
action  init                                        frontend\controllers\main.class.php:86
action  woocommerce_cart_calculate_fees             frontend\controllers\main.class.php:87
action  woocommerce_new_order                       frontend\controllers\main.class.php:88
action  woocommerce_thankyou                        frontend\controllers\main.class.php:89
action  before_woocommerce_init                     order-tip-for-woocommerce.php:53
Maintenance & Trust

Order Tip for WooCommerce Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Jan 2, 2026
  • PHP min version
  • Downloads: 37K

Community Trust

  • Rating: 86/100
  • Number of ratings: 15
  • Active installs: 2K
Developer Profile

Order Tip for WooCommerce Developer Profile

railmedia

3 plugins · 2K total installs

  • Trust score: 92
  • Avg Security Score: 89/100
  • Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Order Tip for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/order-tip-woo/admin/css/reports-orders-list.css
  • /wp-content/plugins/order-tip-woo/admin/css/admin-blockui.css
  • /wp-content/plugins/order-tip-woo/admin/js/reports-orders-list.js
  • /wp-content/plugins/order-tip-woo/admin/js/admin-blockui.js

Version Parameters
  • order-tip-woo/admin/css/reports-orders-list.css?ver=
  • order-tip-woo/admin/css/admin-blockui.css?ver=
  • order-tip-woo/admin/js/reports-orders-list.js?ver=
  • order-tip-woo/admin/js/admin-blockui.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • woot_tip_amount
  • woot_order_id
  • woot_tip_date
  • woot_order_total
  • woot_tip_percentage

HTML Comments
  • "Soon these reports will be removed. For the time being they can still be accessed at the above URL"

Data Attributes
  • data-tip-amount
  • data-order-id
  • data-tip-date
  • data-order-total
  • data-tip-percentage

JS Globals
  • WOOTIPVER
  • WOOOTIPPATH
  • WOOOTIPBASE
  • WOOOTIPURL
  • WOOOTIPSUB
  • wootip_uninstall
FAQ

Frequently Asked Questions about Order Tip for WooCommerce