TheForge Smart COD Control & Fraud Blocker for WooCommerce Security & Risk Analysis

wordpress.org/plugins/theforge-smart-cod-control-fraud-blocker-for-woocommerce

Stop COD fraud with intelligent controls - reduce fake orders, prevent fraud, and save money on failed deliveries with advanced risk assessment.

0 active installs · v1.1.0 · PHP 7.4+ · WP 5.8+ · Updated: Unknown
Tags: cash-on-delivery, cod, fraud, payment-gateway, woocommerce
Score: 100 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is TheForge Smart COD Control & Fraud Blocker for WooCommerce Safe to Use in 2026?

Generally Safe

Score 100/100

TheForge Smart COD Control & Fraud Blocker for WooCommerce has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The security posture of theforge-smart-cod-control-fraud-blocker-for-woocommerce v1.1.3 appears to be a mixed bag, with some strong security practices in place but significant areas of concern. The plugin excels in output escaping and nonce usage, with 99% of outputs properly escaped and a good number of nonce checks, indicating developer awareness of common web vulnerabilities. The absence of known CVEs and a clean vulnerability history is a positive sign, suggesting the plugin has historically been maintained with security in mind.

However, the most significant risk lies in the substantial attack surface presented by the 8 AJAX handlers, all of which lack authentication checks. This means any authenticated user, regardless of their role or permissions, could potentially trigger these handlers, opening the door for various exploits depending on the functionality they expose. While taint analysis showed no critical or high severity flows, the lack of authorization on a significant portion of the entry points creates a large potential for privilege escalation or unauthorized actions if the AJAX handlers perform sensitive operations.

In conclusion, while the plugin demonstrates good practices in output handling and has a clean vulnerability history, the unprotected AJAX handlers represent a critical security weakness that requires immediate attention. The plugin's strengths in other areas are overshadowed by this single, high-risk vulnerability. Addressing the authentication for all AJAX endpoints is paramount to securing this plugin.

Key Concerns

  • 8 unprotected AJAX handlers
Vulnerabilities
None known

TheForge Smart COD Control & Fraud Blocker for WooCommerce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

TheForge Smart COD Control & Fraud Blocker for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 7 (12 prepared)
Unescaped Output: 4 (269 escaped)
Nonce Checks: 12
Capability Checks: 13
File Operations: 1
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

63% prepared · 19 total queries

Output Escaping

99% escaped · 273 total outputs

Attack Surface
8 unprotected

TheForge Smart COD Control & Fraud Blocker for WooCommerce Attack Surface

Entry Points: 8
Unprotected: 8

AJAX Handlers: 8

  • auth · wp_ajax_wcsf_add_blacklist_item · includes\class-wcsf-admin-settings.php:50
  • auth · wp_ajax_wcsf_remove_blacklist_item · includes\class-wcsf-admin-settings.php:51
  • auth · wp_ajax_wcsf_delete_log · includes\class-wcsf-admin-settings.php:52
  • auth · wp_ajax_wcsf_clear_logs · includes\class-wcsf-admin-settings.php:53
  • auth · wp_ajax_wcsf_search_products · includes\class-wcsf-admin-settings.php:54
  • auth · wp_ajax_wcsf_check_cod_availability · includes\class-wcsf-cod-controller.php:79
  • nopriv · wp_ajax_wcsf_check_cod_availability · includes\class-wcsf-cod-controller.php:80
  • auth · wp_ajax_wcsf_simulate_cod · includes\class-wcsf-test-simulator.php:53

WordPress Hooks: 31

  • action · woocommerce_process_shop_order_meta · includes\class-wcsf-admin-approval.php:53
  • action · add_meta_boxes · includes\class-wcsf-admin-approval.php:54
  • action · admin_post_wcsf_approve_cod_order · includes\class-wcsf-admin-approval.php:55
  • action · admin_post_wcsf_reject_cod_order · includes\class-wcsf-admin-approval.php:56
  • action · admin_notices · includes\class-wcsf-admin-approval.php:57
  • action · woocommerce_checkout_order_processed · includes\class-wcsf-admin-approval.php:58
  • action · admin_menu · includes\class-wcsf-admin-settings.php:41
  • action · admin_enqueue_scripts · includes\class-wcsf-admin-settings.php:44
  • action · admin_init · includes\class-wcsf-admin-settings.php:47
  • action · woocommerce_order_status_failed · includes\class-wcsf-auto-blacklist.php:53
  • action · woocommerce_order_status_cancelled · includes\class-wcsf-auto-blacklist.php:54
  • filter · manage_shop_order_posts_columns · includes\class-wcsf-auto-blacklist.php:55
  • action · manage_shop_order_posts_custom_column · includes\class-wcsf-auto-blacklist.php:56
  • filter · manage_woocommerce_page_wc-orders_columns · includes\class-wcsf-auto-blacklist.php:57
  • action · manage_woocommerce_page_wc-orders_custom_column · includes\class-wcsf-auto-blacklist.php:58
  • filter · woocommerce_available_payment_gateways · includes\class-wcsf-cod-controller.php:67
  • action · woocommerce_cart_calculate_fees · includes\class-wcsf-cod-controller.php:70
  • action · woocommerce_after_checkout_validation · includes\class-wcsf-cod-controller.php:73
  • action · wp_enqueue_scripts · includes\class-wcsf-cod-controller.php:76
  • action · admin_notices · includes\class-wcsf-fraud-alerts.php:58
  • action · wp_dashboard_setup · includes\class-wcsf-fraud-alerts.php:59
  • action · admin_init · includes\class-wcsf-fraud-heatmap.php:44
  • action · init · includes\class-wcsf-order-status.php:44
  • filter · wc_order_statuses · includes\class-wcsf-order-status.php:45
  • filter · woocommerce_order_status_pending-cod-approval · includes\class-wcsf-order-status.php:46
  • filter · bulk_actions-woocommerce_page_wc-orders · includes\class-wcsf-order-status.php:47
  • filter · bulk_actions-edit-shop_order · includes\class-wcsf-order-status.php:48
  • action · plugins_loaded · includes\class-wcsf-plugin.php:150
  • action · admin_notices · theforge-smart-cod-control-fraud-blocker-for-woocommerce.php:94
  • action · before_woocommerce_init · theforge-smart-cod-control-fraud-blocker-for-woocommerce.php:124
  • action · plugins_loaded · theforge-smart-cod-control-fraud-blocker-for-woocommerce.php:141

Maintenance & Trust

TheForge Smart COD Control & Fraud Blocker for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Unknown
PHP min version: 7.4
Downloads: 105

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 0

Developer Profile

TheForge Smart COD Control & Fraud Blocker for WooCommerce Developer Profile

The Plugin Forge

2 plugins · 0 total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect TheForge Smart COD Control & Fraud Blocker for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/theforge-smart-cod-control-fraud-blocker-for-woocommerce/assets/css/wcsf-admin-styles.css
  • /wp-content/plugins/theforge-smart-cod-control-fraud-blocker-for-woocommerce/assets/js/wcsf-admin-scripts.js
Script Paths
  • /wp-content/plugins/theforge-smart-cod-control-fraud-blocker-for-woocommerce/assets/js/wcsf-admin-scripts.js
Version Parameters
  • theforge-smart-cod-control-fraud-blocker-for-woocommerce/assets/css/wcsf-admin-styles.css?ver=
  • theforge-smart-cod-control-fraud-blocker-for-woocommerce/assets/js/wcsf-admin-scripts.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • wcsf-settings-page
  • wcsf-admin-section
HTML Comments
  • <!-- Admin Settings Page -->
  • <!-- Settings Section: General -->
  • <!-- Settings Section: COD Rules -->
  • <!-- Settings Section: Advanced Blocking -->
  • +3 more
Data Attributes
  • data-tab='general'
  • data-tab='cod_rules'
  • data-tab='advanced_blocking'
  • data-tab='fraud_logs'
  • data-tab='test_simulator'
  • data-tab='fraud_heatmap'
JS Globals
  • wcsf_admin_params
REST Endpoints
  • /wp-json/wcsf/v1/add-blacklist
  • /wp-json/wcsf/v1/remove-blacklist
  • /wp-json/wcsf/v1/delete-log
  • /wp-json/wcsf/v1/clear-logs
  • /wp-json/wcsf/v1/search-products

FAQ

Frequently Asked Questions about TheForge Smart COD Control & Fraud Blocker for WooCommerce