Does Tabby Checkout have any unpatched vulnerabilities?

No. All known vulnerabilities in Tabby Checkout have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Tabby Checkout compatible with WordPress 6.9.4?

According to WordPress.org data, Tabby Checkout 5.9.2 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Tabby Checkout compatible with PHP 7.0+?

Tabby Checkout requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Tabby Checkout updated?

Tabby Checkout was last updated on Jan 28, 2026. Frequent updates are generally a positive security signal.

What is Tabby Checkout's security score?

Tabby Checkout has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Tabby Checkout Security & Risk Analysis

wordpress.org/plugins/tabby-checkout

Boost your business with Tabby

4K active installs v5.9.2 PHP 7.0+ WP 5.7+ Updated Jan 28, 2026

bnpltabbytabby-bnpltabby-checkouttabby-plugin

A · Safe

CVEs total1

Unpatched0

Last CVEJan 21, 2026

Plugin page Download

Safety Verdict

Is Tabby Checkout Safe to Use in 2026?

Generally Safe

Score 99/100

Tabby Checkout has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Jan 21, 2026Updated 2mo ago

Risk Assessment

The tabby-checkout plugin v5.9.2 exhibits a generally good security posture in its static analysis, with no identified dangerous functions, all SQL queries using prepared statements, and no taint analysis indicating critical or high severity issues. The absence of a large attack surface through unprotected AJAX handlers, REST API routes, or shortcodes is also a positive sign. However, concerns arise from the relatively low percentage of properly escaped output (68%), suggesting potential for cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled with sufficient care in the remaining 32% of output operations.

The vulnerability history shows one past medium-severity CVE related to the Exposure of Sensitive Information to an Unauthorized Actor. While this specific vulnerability is marked as patched, the pattern indicates a potential area for future weaknesses. The plugin's reliance on capability checks for only one entry point and the complete absence of nonce checks on potential entry points like cron events are significant security gaps. Although no critical issues were found in the static analysis, these missing security controls could be exploited if an attacker can trigger cron events or other actions that bypass standard WordPress security mechanisms.

In conclusion, while the core code demonstrates some good security practices, particularly regarding database interactions, the plugin has notable weaknesses in output escaping and the implementation of security checks like nonces and capability checks on all relevant entry points. The past vulnerability related to information exposure warrants careful monitoring. Addressing the unescaped output and implementing more robust security checks would significantly improve the plugin's overall security.

Key Concerns

Unescaped output detected
Missing nonce checks
Low capability checks coverage
Past medium CVE (Information Exposure)

Vulnerabilities

Tabby Checkout Security Vulnerabilities

CVEs by Year

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-68035medium · 5.3Exposure of Sensitive Information to an Unauthorized Actor

Tabby Checkout <= 5.8.4 - Unauthenticated Information Exposure

Jan 21, 2026 Patched in 5.9.1 (8d)

Code Analysis

Analyzed Mar 16, 2026

Tabby Checkout Code Analysis

Dangerous Functions

Raw SQL Queries

4 prepared

Unescaped Output

13 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared4 total queries

Output Escaping

68% escaped19 total outputs

Attack Surface

Tabby Checkout Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 45

actionwoocommerce_order_status_processingincludes\class-wc-gateway-tabby-checkout-base.php:36

actionwoocommerce_order_status_completedincludes\class-wc-gateway-tabby-checkout-base.php:38

actionwoocommerce_order_status_cancelledincludes\class-wc-gateway-tabby-checkout-base.php:39

filterwoocommerce_rest_api_get_rest_namespacesincludes\class-wc-rest-tabby-controller.php:11

filterwoocommerce_settings_tabs_arrayincludes\class-wc-settings-tab-tabby.php:5

actionwoocommerce_settings_tabs_settings_tab_tabbyincludes\class-wc-settings-tab-tabby.php:7

actionwoocommerce_update_options_settings_tab_tabbyincludes\class-wc-settings-tab-tabby.php:8

actionwoocommerce_admin_settings_sanitize_option_tabby_checkout_public_keyincludes\class-wc-settings-tab-tabby.php:11

actionwoocommerce_admin_settings_sanitize_option_tabby_checkout_secret_keyincludes\class-wc-settings-tab-tabby.php:12

actionadmin_noticesincludes\class-wc-settings-tab-tabby.php:47

actionadmin_noticesincludes\class-wc-settings-tab-tabby.php:60

actionwc_ajax_get_prescoring_dataincludes\class-wc-tabby-ajax.php:4

filterquery_varsincludes\class-wc-tabby-ajax.php:5

filterwoocommerce_get_script_dataincludes\class-wc-tabby-ajax.php:6

actionwoocommerce_tabby_cancel_unpaid_ordersincludes\class-wc-tabby-cron.php:6

actionshutdownincludes\class-wc-tabby-feed-sharing.php:21

actionshutdownincludes\class-wc-tabby-feed-sharing.php:25

actionwoocommerce_new_productincludes\class-wc-tabby-feed-sharing.php:26

actionwoocommerce_update_productincludes\class-wc-tabby-feed-sharing.php:27

actionwoocommerce_before_delete_productincludes\class-wc-tabby-feed-sharing.php:28

actionwoocommerce_trash_productincludes\class-wc-tabby-feed-sharing.php:29

actionwoocommerce_before_delete_product_variationincludes\class-wc-tabby-feed-sharing.php:30

actionwoocommerce_trash_product_variationincludes\class-wc-tabby-feed-sharing.php:31

actiontransition_post_statusincludes\class-wc-tabby-feed-sharing.php:32

actionwoocommerce_proceed_to_checkoutincludes\class-wc-tabby-promo.php:5

actionwoocommerce_before_add_to_cart_formincludes\class-wc-tabby-promo.php:6

actionwp_enqueue_scriptsincludes\class-wc-tabby-promo.php:7

actionadmin_enqueue_scriptsincludes\class-wc-tabby-promo.php:8

actioninitincludes\class-wc-tabby.php:17

filtercron_schedulesincludes\class-wc-tabby.php:23

actionplugins_loadedincludes\class-wc-tabby.php:26

actionwoocommerce_rest_insert_shop_orderincludes\class-wc-tabby.php:33

actionwoocommerce_rest_insert_shop_order_objectincludes\class-wc-tabby.php:35

actionwoocommerce_rest_checkout_process_payment_with_contextincludes\class-wc-tabby.php:37

actionwoocommerce_checkout_order_processedincludes\class-wc-tabby.php:40

actionwoocommerce_store_api_checkout_order_processedincludes\class-wc-tabby.php:42

actionwoocommerce_before_pay_actionincludes\class-wc-tabby.php:44

actionwoocommerce_admin_field_payment_gatewaysincludes\class-wc-tabby.php:47

filterwoocommerce_payment_gatewaysincludes\class-wc-tabby.php:123

actionwoocommerce_blocks_loadedincludes\class-wc-tabby.php:124

actionwoocommerce_blocks_payment_method_type_registrationincludes\class-wc-tabby.php:128

actionwoocommerce_blocks_cart_block_registrationincludes\class-wc-tabby.php:136

filterwoocommerce_cancel_unpaid_orderincludes\functions.php:32

filterwoocommerce_thankyou_order_idincludes\functions.php:35

actionbefore_woocommerce_inittabby-checkout.php:26

Scheduled Events 2

woocommerce_tabby_cancel_unpaid_orders

Maintenance & Trust

Tabby Checkout Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedJan 28, 2026

PHP min version7.0

Downloads56K

Community Trust

Rating100/100

Number of ratings1

Active installs4K

Alternatives

Tabby Checkout Alternatives

Addi – Cuotas que se adaptan a ti

buy-now-pay-later-addi

Addi te permite generar creditos en linea siendo una nueva pasarela de pago de Woocommerce.

2K 1 unpatched

MultiSafepay plugin for WooCommerce

multisafepay

MultiSafepay offers the most comprehensive payment solutions. Easily integrate the payment solutions of MultiSafepay into your webshop.

2K 1 CVE

Tamara Checkout

tamara-checkout

With Tamara Buy Now Pay Later, you can split your payments – totally interest-free. Accepts payments from Mada, Apple Pay, or Credit Cards.

2K 1 CVE

Alma – Pay in installments or later for WooCommerce

alma-gateway-for-woocommerce

100

This plugin adds a new payment method to WooCommerce, which allows you to offer monthly payments to your customer using Alma.

1K 1 CVE

seQura

sequra

100

Flexible payment platform that enhances business conversion and recurrence. The easiest, safest, and quickest way for customers to pay installments.

900 No CVEs

Developer Profile

Tabby Checkout Developer Profile

tabbyai

1 plugin · 4K total installs

trust score

Avg Security Score

99/100

Avg Patch Time

8 days

View full developer profile

Detection Fingerprints

How We Detect Tabby Checkout

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/tabby-checkout/css/tabby.css/wp-content/plugins/tabby-checkout/js/tabby.js/wp-content/plugins/tabby-checkout/assets/blocks/tabby-installments/index.js

Script Paths

https://checkout.tabby.ai/tabby-card.jshttps://checkout.tabby.ai/tabby-promo.js

Version Parameters

tabby-checkout/js/tabby.js?ver=tabby-checkout/assets/blocks/tabby-installments/index.js?ver=

HTML / DOM Fingerprints

CSS Classes

tabbyPromowc-blocks-tabby-installments

HTML Comments

Data Attributes

data-tabby-pricedata-tabby-currencydata-tabby-locale-sourcedata-tabby-selector

JS Globals

WC_Gateway_Tabby_InstallmentsTabbyPromoinitTabbyPromotionsMODULE_TABBY_CHECKOUT_VERSIONTABBY_CHECKOUT_DOMAINWC_Tabby_Config+1 more

Shortcode Output

<div id="tabbyPromoclass="tabbyPromo"style="margin-bottom: 20px"

FAQ