Spoki – Chat Buttons and WooCommerce Notifications Security & Risk Analysis

wordpress.org/plugins/spoki

WhatsApp full integration for your website! Recover Abandoned Carts, send Order Notifications and add WhatsApp Buttons.

800 active installs · v2.17.0 · PHP 7.2+ · WP 5.1+ · Updated Dec 10, 2025
Tags: abandoned-carts, whatsapp, whatsapp-button, whatsapp-notification, whatsapp-woocommerce

Score: 77 · Grade B · Generally Safe
CVEs total: 2
Unpatched: 1
Last CVE: Jun 19, 2025
Safety Verdict

Is Spoki – Chat Buttons and WooCommerce Notifications Safe to Use in 2026?

Mostly Safe

Score 77/100

Spoki – Chat Buttons and WooCommerce Notifications is generally safe to use. 2 past CVEs were resolved. Keep it updated.

2 known CVEs · 1 unpatched · Last CVE: Jun 19, 2025 · Updated 3mo ago
Risk Assessment

The "spoki" v2.17.0 plugin exhibits a concerning security posture, primarily due to a significant number of unprotected entry points and a history of medium-severity vulnerabilities, including Cross-Site Scripting (XSS). The static analysis reveals a large attack surface with 6 out of 7 entry points lacking any authentication or permission checks. This means that unauthenticated users could potentially interact with these handlers and routes, leading to unintended consequences. Furthermore, the code analysis highlights the presence of the dangerous `unserialize` function, which, when combined with uncontrolled input, can lead to Remote Code Execution vulnerabilities if not handled with extreme caution and proper input validation. The low percentage of properly escaped output (30%) suggests a high risk of XSS vulnerabilities, further exacerbated by the lack of any nonce checks or capability checks on critical entry points. The plugin's vulnerability history, with a recent medium-severity XSS finding, reinforces these concerns. While the use of prepared statements for SQL queries is a positive sign, it does not mitigate the broader risks presented by the insecure entry points and potential for XSS. Overall, the plugin requires significant security improvements to mitigate the risks of unauthorized access and code injection.

Key Concerns

  • Unprotected AJAX handlers (2)
  • Unprotected REST API routes (4)
  • Dangerous function unserialize used (5 times)
  • Low output escaping percentage (30%)
  • No nonce checks
  • No capability checks
  • 1 currently unpatched medium CVE
  • XSS common vulnerability type
Vulnerabilities (2)

Spoki – Chat Buttons and WooCommerce Notifications Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE (patched)
  • 2025: 1 CVE (unpatched)

Severity Breakdown

  • Medium: 2 (2 total CVEs)

CVE-2025-50026 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Spoki <= 2.16.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Jun 19, 2025 · Unpatched

CVE-2024-11893 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Spoki – Chat Buttons and WooCommerce Notifications <= 2.15.15 - Authenticated (Contributor+) Stored Cross-Site Scripting

Dec 19, 2024 · Patched in 2.15.16 (22d)
Code Analysis (analyzed Mar 16, 2026)

Spoki – Chat Buttons and WooCommerce Notifications Code Analysis

Dangerous Functions: 5
Raw SQL Queries: 7 (20 prepared)
Unescaped Output: 216 (92 escaped)
Nonce Checks: 0
Capability Checks: 0
File Operations: 0
External Requests: 4
Bundled Libraries: 0

Dangerous Functions Found

  • unserialize · `$cart_content = unserialize($result->cart_contents);` · modules\abandoned-carts\spoki-abandoned-carts.php:342
  • unserialize · `$other_fields = unserialize($result->other_fields);` · modules\abandoned-carts\spoki-abandoned-carts.php:376
  • unserialize · `$other_fields = unserialize($checkoutDetails->other_fields);` · modules\abandoned-carts\spoki-abandoned-carts.php:595
  • unserialize · `$other_fields = unserialize($checkoutDetails->other_fields);` · spoki.php:552
  • unserialize · `$other_fields = unserialize($checkout->other_fields);` · spoki.php:614

SQL Query Safety

74% prepared (27 total queries)

Output Escaping

30% escaped (308 total outputs)
Attack Surface (6 unprotected)

Spoki – Chat Buttons and WooCommerce Notifications Attack Surface

Entry Points: 7
Unprotected: 6

AJAX Handlers (2)

  • auth · wp_ajax_spoki_cartflows_save_cart_abandonment_data · modules\abandoned-carts\spoki-abandoned-carts.php:28
  • nopriv · wp_ajax_spoki_cartflows_save_cart_abandonment_data · modules\abandoned-carts\spoki-abandoned-carts.php:29

REST API Routes (4)

  • GET /wp-json/api/v1/getWoocommerceInfo · modules\abandoned-carts\spoki-abandoned-carts.php:32
  • GET /wp-json/api/v1/getAccessToken · modules\abandoned-carts\spoki-abandoned-carts.php:39
  • GET /wp-json/api/v1/getOrderUrl · modules\abandoned-carts\spoki-abandoned-carts.php:47
  • POST /wp-json/api/v1/setCartAsContacted · modules\abandoned-carts\spoki-abandoned-carts.php:55

Shortcodes (1)

  • [spoki_button] · spoki.php:896

WordPress Hooks (37)

  • action · woocommerce_after_checkout_form · modules\abandoned-carts\spoki-abandoned-carts.php:25
  • action · rest_api_init · modules\abandoned-carts\spoki-abandoned-carts.php:31
  • action · rest_api_init · modules\abandoned-carts\spoki-abandoned-carts.php:38
  • action · rest_api_init · modules\abandoned-carts\spoki-abandoned-carts.php:46
  • action · rest_api_init · modules\abandoned-carts\spoki-abandoned-carts.php:54
  • filter · jwt_auth_whitelist · modules\abandoned-carts\spoki-abandoned-carts.php:62
  • filter · wp · modules\abandoned-carts\spoki-abandoned-carts.php:71
  • action · woocommerce_order_status_changed · modules\abandoned-carts\spoki-abandoned-carts.php:72
  • filter · cron_schedules · spoki.php:24
  • filter · http_request_timeout · spoki.php:25
  • action · plugins_loaded · spoki.php:41
  • action · init · spoki.php:131
  • action · admin_menu · spoki.php:132
  • action · admin_menu · spoki.php:133
  • action · wp_enqueue_scripts · spoki.php:135
  • action · admin_enqueue_scripts · spoki.php:136
  • action · admin_enqueue_scripts · spoki.php:137
  • action · updated_option · spoki.php:138
  • filter · auto_update_plugin · spoki.php:139
  • action · spoki_cron_hook · spoki.php:140
  • action · elementor/widgets/widgets_registered · spoki.php:151
  • action · admin_init · spoki.php:190
  • action · woocommerce_checkout_update_order_meta · spoki.php:464
  • action · woocommerce_order_status_changed · spoki.php:465
  • action · woocommerce_cancelled_order · spoki.php:466
  • action · woocommerce_trash_order · spoki.php:467
  • action · woocommerce_order_note_added · spoki.php:468
  • action · woocommerce_order_status_completed · spoki.php:469
  • action · woocommerce_proceed_to_checkout · spoki.php:472
  • action · wp_footer · spoki.php:813
  • action · woocommerce_after_shop_loop_item · spoki.php:818
  • action · woocommerce_after_cart_totals · spoki.php:823
  • action · woocommerce_after_add_to_cart_form · spoki.php:831
  • action · woocommerce_before_add_to_cart_form · spoki.php:834
  • action · woocommerce_after_add_to_cart_button · spoki.php:838
  • action · wp_footer · spoki.php:898
  • action · admin_init · spoki.php:1435

Scheduled Events (1)

  • spoki_cron_hook
Maintenance & Trust

Spoki – Chat Buttons and WooCommerce Notifications Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.6.5
Last updated: Dec 10, 2025
PHP min version: 7.2
Downloads: 29K

Community Trust

Rating: 100/100
Number of ratings: 11
Active installs: 800
Developer Profile

Spoki – Chat Buttons and WooCommerce Notifications Developer Profile

spoki

1 plugin · 800 total installs

Trust score: 78
Avg Security Score: 77/100
Avg Patch Time: 22 days
Detection Fingerprints

How We Detect Spoki – Chat Buttons and WooCommerce Notifications

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/spoki/assets/css/main.css
  • /wp-content/plugins/spoki/assets/js/main.js
Script Paths
  • /wp-content/plugins/spoki/assets/js/main.js
Version Parameters
  • spoki/assets/css/main.css?ver=
  • spoki/assets/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • spoki-chat-wrapper
  • spoki-chat-widget
HTML Comments
  • <!-- spoki -->
  • <!-- spoki-setting -->
  • <!-- spoki-abandoned-carts -->
Data Attributes
  • data-spoki-settings
  • data-spoki-shop-settings
JS Globals
  • spoki_data
REST Endpoints
  • /wp-json/spoki/v1/settings
  • /wp-json/spoki/v1/update-settings
  • /wp-json/spoki/v1/abandoned-cart
Shortcode Output
  • [spoki-chat-button]
  • [spoki-whatsapp-button]
  • [spoki-abandoned-cart-form]
FAQ

Frequently Asked Questions about Spoki – Chat Buttons and WooCommerce Notifications