Does Salesfire have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Salesfire compatible with WordPress 6.7.5?

According to WordPress.org data, Salesfire 1.0.16 has been tested up to WordPress 6.7.5. Check the plugin's changelog for the latest compatibility information.

How often is Salesfire updated?

Salesfire was last updated on Mar 9, 2026. Frequent updates are generally a positive security signal.

What is Salesfire's security score?

Salesfire has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Salesfire Security & Risk Analysis

wordpress.org/plugins/salesfire

Boost the conversion rate of your WordPress or WooCommerce store with Salesfire's suite of intelligent CRO tools.

50 active installs v1.0.16 PHP + WP + Updated Mar 9, 2026

croecommercepopupsrecommendationssearch

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Salesfire Safe to Use in 2026?

Generally Safe

Score 100/100

Salesfire has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 2mo ago

Risk Assessment

The SalesFire plugin v1.0.16 demonstrates some strong security practices, notably the absence of dangerous functions, proper use of prepared statements for all SQL queries, and no file operations or external HTTP requests. The vulnerability history is clean, with no known CVEs, which suggests a generally well-maintained codebase.

However, significant concerns arise from the static analysis. The plugin exposes one unprotected REST API route, which is a critical oversight. This unprotected endpoint represents a direct attack vector. Furthermore, the lack of nonce checks and capability checks across the board is a major weakness, especially when combined with an unprotected entry point. While taint analysis and output escaping are not showing immediate critical issues (50% proper escaping is concerning but not critical on its own), the overall lack of authentication and authorization on its REST API route creates a substantial risk.

In conclusion, while the absence of known vulnerabilities and the use of prepared statements are positive, the unprotected REST API route is a severe flaw that drastically lowers the plugin's security posture. The lack of fundamental security checks like nonces and capability checks on any potential entry points exacerbates this risk. Immediate attention is required to secure the exposed REST API route.

Key Concerns

Unprotected REST API route
Zero nonce checks
Zero capability checks
Only 50% of outputs properly escaped

Vulnerabilities

None known

Salesfire Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

Salesfire Release Timeline

v1.0.16Current

v1.0.15

v1.0.14

v1.0.13

v1.0.12

v1.0.11

v1.0.10

v1.0.9

v1.0.8

v1.0.7

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

Code Analysis

Analyzed Mar 16, 2026

Salesfire Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

3 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Output Escaping

50% escaped6 total outputs

Attack Surface

1 unprotected

Salesfire Attack Surface

Entry Points1

Unprotected1

REST API Routes 1

GET/wp-json/salesfire/v1/sfgetidsrc\Tracking.php:60

WordPress Hooks 11

actioninitsalesfire.php:28

actionadmin_initsalesfire.php:29

actionadmin_menusalesfire.php:30

actionwpsrc\Tracking.php:33

actionwoocommerce_before_thankyousrc\Tracking.php:36

actionwoocommerce_add_to_cartsrc\Tracking.php:37

actionwoocommerce_remove_cart_itemsrc\Tracking.php:38

actionwoocommerce_after_cart_item_quantity_updatesrc\Tracking.php:39

actionwp_enqueue_scriptssrc\Tracking.php:42

actionrest_api_initsrc\Tracking.php:43

actionwp_headsrc\Tracking.php:46

Maintenance & Trust

Salesfire Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5

Last updatedMar 9, 2026

PHP min version

Downloads3K

Community Trust

Rating0/100

Number of ratings0

Active installs50

Alternatives

Salesfire Alternatives

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation

optinmonster

🤩 Make popups & optin forms to get more email newsletter subscribers, leads, and sales - #1 most popular popup builder plugin! 🚀

1.0M 6 CVEs

Search by SKU for Woocommerce

search-by-sku-for-woocommerce

Extend the search functionality of woocommerce to include searching of sku

10K No CVEs

Slickstream: Engagement and Conversions

slick-engagement

Use Slickstream to upgrade your site search. Get beautiful as-you-type search, relevant content recommendations, user favorites and more!

2K 2 CVEs

Beeketing for WooCommerce – Marketing Automation to Boost Sales

beeketing-for-woocommerce

Help WooCommerce stores convert traffic into sales, upsell & cross-sell, recover abandoned carts with 10+ powerful marketing & sales features.

700 No CVEs

Clerk

clerkio

Clerk.io is a software that helps your customers buy more from your webshop, through 4 amazing feature:

300 1 CVE

Developer Profile

Salesfire Developer Profile

salesfire

1 plugin · 50 total installs

trust score

Avg Security Score

100/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Salesfire

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/salesfire/js/sfgetid.js

Script Paths

https://cdn.salesfire.co.uk/code/.js

Version Parameters

sf-cuid-script?ver=1.0.16

HTML / DOM Fingerprints

Data Attributes

sfTracking

JS Globals