Does Tamara Checkout have any unpatched vulnerabilities?

No. All known vulnerabilities in Tamara Checkout have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Tamara Checkout compatible with WordPress 6.9.4?

According to WordPress.org data, Tamara Checkout 1.9.9.16 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Tamara Checkout compatible with PHP 7.3.0+?

Tamara Checkout requires PHP 7.3.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Tamara Checkout updated?

Tamara Checkout was last updated on Dec 8, 2025. Frequent updates are generally a positive security signal.

What is Tamara Checkout's security score?

Tamara Checkout has a WP-Safety security score of 99/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Tamara Checkout Security & Risk Analysis

wordpress.org/plugins/tamara-checkout

With Tamara Buy Now Pay Later, you can split your payments – totally interest-free. Accepts payments from Mada, Apple Pay, or Credit Cards.

2K active installs v1.9.9.16 PHP 7.3.0+ WP 5.0+ Updated Dec 8, 2025

bnple-commercepay-by-installmentspay-in-3

A · Safe

CVEs total1

Unpatched0

Last CVEJan 20, 2025

Plugin page Download

Safety Verdict

Is Tamara Checkout Safe to Use in 2026?

Generally Safe

Score 99/100

Tamara Checkout has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVELast CVE: Jan 20, 2025Updated 3mo ago

Risk Assessment

The "tamara-checkout" plugin version 1.9.9.16 exhibits a mixed security posture. On the positive side, it demonstrates good practices with 100% of SQL queries using prepared statements and a high percentage of properly escaped output. The presence of nonce and capability checks, while limited, is also a good sign. However, significant concerns arise from the substantial attack surface exposed by unprotected AJAX handlers. Six out of seven AJAX handlers lack authentication checks, presenting a substantial risk of unauthorized actions if these endpoints can be exploited.

The static analysis also flags the use of dangerous functions like `passthru` and `unserialize`, which are notorious for their potential to introduce vulnerabilities if not handled with extreme care. While the taint analysis shows no critical or high severity flows, the presence of one flow with unsanitized paths is a point of concern that warrants further investigation. The vulnerability history, with one medium severity CVE related to Cross-Site Scripting (XSS), indicates that the plugin has had security flaws in the past, though it is currently unpatched, which is a positive sign for this specific version.

Overall, while the plugin employs some secure coding practices, the large number of unprotected AJAX endpoints and the presence of dangerous functions create a significant risk profile. The past XSS vulnerability suggests a need for vigilance regarding input sanitization and output escaping, especially for the unprotected entry points. Addressing the unprotected AJAX handlers should be a priority to mitigate the most immediate and impactful risks.

Key Concerns

Unprotected AJAX handlers
Use of dangerous functions (passthru, unserialize)
Flow with unsanitized paths
Limited nonce checks
Bundled library (Guzzle)

Vulnerabilities

Tamara Checkout Security Vulnerabilities

CVEs by Year

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-23997medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Tamara Checkout <= 1.9.9 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 20, 2025 Patched in 1.9.9.1 (9d)

Code Analysis

Analyzed Mar 16, 2026

Tamara Checkout Code Analysis

Dangerous Functions

Raw SQL Queries

16 prepared

Unescaped Output

100 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

passthrupassthru('command -v file', $exitStatus);src\Dependencies\Symfony\Component\HttpFoundation\File\MimeType\FileBinaryMimeTypeGuesser.php:62

passthrupassthru(sprintf($this->cmd, escapeshellarg((str_starts_with($path, '-') ? './' : '').$path)), $retusrc\Dependencies\Symfony\Component\HttpFoundation\File\MimeType\FileBinaryMimeTypeGuesser.php:88

unserialize$this->data = $data ? unserialize($data) : [];src\Dependencies\Symfony\Component\HttpFoundation\Session\Storage\MockFileSessionStorage.php:157

passthrupassthru('command -v file', $exitStatus);src\Dependencies\Symfony\Component\Mime\FileBinaryMimeTypeGuesser.php:55

passthrupassthru(sprintf($this->cmd, escapeshellarg((str_starts_with($path, '-') ? './' : '').$path)), $retusrc\Dependencies\Symfony\Component\Mime\FileBinaryMimeTypeGuesser.php:77

unserialize$this->__unserialize(unserialize($serialized));src\Dependencies\Symfony\Component\Mime\RawMessage.php:79

Bundled Libraries

Guzzle

SQL Query Safety

100% prepared16 total queries

Output Escaping

86% escaped116 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths

addCronJobTriggerScript (src\TamaraCheckout.php:1788)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

6 unprotected

Tamara Checkout Attack Surface

Entry Points10

Unprotected6

AJAX Handlers 7

authwp_ajax_tamara_perform_cronsrc\TamaraCheckout.php:257

authwp_ajax_tamara-authorisesrc\TamaraCheckout.php:258

noprivwp_ajax_tamara-authorisesrc\TamaraCheckout.php:259

authwp_ajax_tamara-get-instalment-plansrc\TamaraCheckout.php:276

noprivwp_ajax_tamara-get-instalment-plansrc\TamaraCheckout.php:277

authwp_ajax_update-tamara-checkout-paramssrc\TamaraCheckout.php:279

noprivwp_ajax_update-tamara-checkout-paramssrc\TamaraCheckout.php:280

Shortcodes 3

[tamara_show_popup] src\TamaraCheckout.php:265

[tamara_show_cart_popup] src\TamaraCheckout.php:266

[tamara_authorise_order] src\TamaraCheckout.php:267

WordPress Hooks 33

filterwoocommerce_gateway_iconsrc\Services\WCTamaraGateway.php:205

actionwoocommerce_order_status_changedsrc\Services\WCTamaraGateway.php:208

actionwoocommerce_order_status_changedsrc\Services\WCTamaraGateway.php:211

filterwoocommerce_available_payment_gatewayssrc\Services\WCTamaraGateway.php:214

filterwoocommerce_payment_gatewayssrc\Services\WCTamaraGateway.php:215

filterwoocommerce_gateway_descriptionsrc\Services\WCTamaraGateway.php:218

filterrest_post_dispatchsrc\Services\WCTamaraGateway.php:510

actioninitsrc\TamaraCheckout.php:222

actioninitsrc\TamaraCheckout.php:228

actioninitsrc\TamaraCheckout.php:231

actionadmin_enqueue_scriptssrc\TamaraCheckout.php:234

actionwoocommerce_create_refundsrc\TamaraCheckout.php:237

filterwc_order_statusessrc\TamaraCheckout.php:240

actionwoocommerce_order_item_add_action_buttonssrc\TamaraCheckout.php:243

filterwoocommerce_rest_prepare_shop_order_objectsrc\TamaraCheckout.php:245

actioninitsrc\TamaraCheckout.php:247

actioninitsrc\TamaraCheckout.php:248

actionparse_requestsrc\TamaraCheckout.php:249

actionwp_enqueue_scriptssrc\TamaraCheckout.php:250

filterwoocommerce_payment_gatewayssrc\TamaraCheckout.php:252

filterwoocommerce_available_payment_gatewayssrc\TamaraCheckout.php:253

actionwp_headsrc\TamaraCheckout.php:260

actionwoocommerce_checkout_update_order_reviewsrc\TamaraCheckout.php:261

actionadmin_footersrc\TamaraCheckout.php:263

filterrest_pre_dispatchsrc\TamaraCheckout.php:270

actionadmin_headsrc\TamaraCheckout.php:273

filterwoocommerce_billing_fieldssrc\TamaraCheckout.php:274

actionwp_loadedsrc\TamaraCheckout.php:282

actionwp_loadedsrc\TamaraCheckout.php:283

filterwoocommerce_thankyou_order_received_textsrc\TamaraCheckout.php:286

filterplugin_action_links_tamara-checkout/tamara-checkout.phpsrc\TamaraCheckout.php:1214

actionadmin_noticessrc\TamaraCheckout.php:1219

actionwoocommerce_inittamara-checkout.php:31

Maintenance & Trust

Tamara Checkout Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedDec 8, 2025

PHP min version7.3.0

Downloads32K

Community Trust

Rating100/100

Number of ratings1

Active installs2K

Alternatives

Tamara Checkout Alternatives

Alma – Pay in installments or later for WooCommerce

alma-gateway-for-woocommerce

100

This plugin adds a new payment method to WooCommerce, which allows you to offer monthly payments to your customer using Alma.

1K 1 CVE

Product Filter for WooCommerce by WBW

woo-product-filter

Filter products by categories, attributes, prices, and more. Elementor Compatibility. Shoppers easily find products with WooCommerce Product Filter

60K 7 CVEs

Klarna for WooCommerce

klarna-payments-for-woocommerce

100

Grow your business for increased sales and enhanced shopping experiences at no extra costs.

30K 1 CVE

WCBoost – Wishlist

wcboost-wishlist

100

WCBoost - Wishlist lets shoppers create wishlists for later purchases, reminding them of desired items, driving repeat visits and boost sales.

30K No CVEs

Ecwid by Lightspeed Ecommerce Shopping Cart

ecwid-shopping-cart

Powerful, easy to use ecommerce shopping cart for WordPress. Sell on Facebook and Instagram. iPhone & Android apps. Superb support.

20K 13 CVEs

Developer Profile

Tamara Checkout Developer Profile

Tamara Solution

1 plugin · 2K total installs

trust score

Avg Security Score

99/100

Avg Patch Time

9 days

View full developer profile

Detection Fingerprints

How We Detect Tamara Checkout

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/tamara-checkout/tamara-checkout.php/wp-content/plugins/tamara-checkout/assets/css/tamara-checkout-frontend.css/wp-content/plugins/tamara-checkout/assets/js/tamara-checkout-frontend.js/wp-content/plugins/tamara-checkout/assets/js/tamara-checkout-gateway.js/wp-content/plugins/tamara-checkout/assets/css/tamara-checkout-admin.css/wp-content/plugins/tamara-checkout/assets/js/tamara-checkout-admin.js

Script Paths

/wp-content/plugins/tamara-checkout/assets/js/tamara-checkout-frontend.js/wp-content/plugins/tamara-checkout/assets/js/tamara-checkout-gateway.js/wp-content/plugins/tamara-checkout/assets/js/tamara-checkout-admin.js

Version Parameters

tamara-checkout/tamara-checkout.php?ver=tamara-checkout/assets/css/tamara-checkout-frontend.css?ver=tamara-checkout/assets/js/tamara-checkout-frontend.js?ver=tamara-checkout/assets/js/tamara-checkout-gateway.js?ver=tamara-checkout/assets/css/tamara-checkout-admin.css?ver=tamara-checkout/assets/js/tamara-checkout-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes

tamara-checkout-widget

HTML Comments

Data Attributes

data-tamara-checkout-public-keydata-tamara-checkout-order-iddata-tamara-checkout-order-amountdata-tamara-checkout-order-currency

JS Globals

TamaraCheckoutFrontendtamaraCheckoutGateway

REST Endpoints

/wp-json/tamara-checkout/v1/webhook/wp-json/tamara-checkout/v1/payment-callback

Shortcode Output

[tamara_checkout_payment_form]

FAQ

Tamara Checkout Security & Risk Analysis

Is Tamara Checkout Safe to Use in 2026?

Generally Safe

Key Concerns

Tamara Checkout Security Vulnerabilities

CVEs by Year

Severity Breakdown

Tamara Checkout Code Analysis

Dangerous Functions Found

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

Tamara Checkout Attack Surface

AJAX Handlers 7

Shortcodes 3

Tamara Checkout Maintenance & Trust

Maintenance Signals

Community Trust

Tamara Checkout Alternatives

Alma – Pay in installments or later for WooCommerce

Product Filter for WooCommerce by WBW

Klarna for WooCommerce

WCBoost – Wishlist

Ecwid by Lightspeed Ecommerce Shopping Cart

Tamara Checkout Developer Profile

How We Detect Tamara Checkout

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Tamara Checkout