WP-Safety

Universal Commerce Protocol (UCP) for WooCommerce Security & Risk Analysis

wordpress.org/plugins/universal-commerce-protocol-ucp-for-woocommerce

Enable the Universal Commerce Protocol (UCP) for WooCommerce. Let AI agents discover, browse, and purchase products for your customers safely.

0 active installs v1.0.4 PHP 7.4+ WP 5.8+ Updated Unknown
aiai-agentcheckoutmcpwoocommerce
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Download
Safety Verdict

Is Universal Commerce Protocol (UCP) for WooCommerce Safe to Use in 2026?

Generally Safe

Score 100/100

Universal Commerce Protocol (UCP) for WooCommerce has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs
Risk Assessment

The plugin exhibits a generally good security posture, with no recorded vulnerabilities or critical issues identified in static analysis or taint flows. The absence of dangerous functions, file operations, and external HTTP requests is a significant strength. Furthermore, the plugin demonstrates strong practices regarding SQL query security, utilizing prepared statements exclusively, and a high percentage of properly escaped output. The presence of nonce and capability checks, while limited, indicates an awareness of common WordPress security mechanisms.

However, there are notable concerns stemming from the attack surface. The plugin exposes 9 REST API routes, with 3 of them lacking explicit permission callbacks. This creates a potential avenue for unauthorized access or data manipulation if these routes are not adequately protected by default WordPress role management or other security measures. While taint analysis found no critical issues, the presence of unsanitized paths would be a more significant concern.

In conclusion, while the plugin has a strong foundation in secure coding practices, the unprotected REST API routes represent a tangible risk that requires further investigation and potential mitigation. The lack of any historical vulnerabilities is positive, but it should not breed complacency, especially given the identified attack surface.

Key Concerns

  • REST API routes without permission callbacks
Vulnerabilities
None known

Universal Commerce Protocol (UCP) for WooCommerce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Universal Commerce Protocol (UCP) for WooCommerce Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
7
76 escaped
Nonce Checks
2
Capability Checks
1
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

92% escaped83 total outputs
Data Flows
All sanitized

Data Flow Analysis

2 flows
handle_auth_request (includes\class-ucp-auth.php:50)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
3 unprotected

Universal Commerce Protocol (UCP) for WooCommerce Attack Surface

Entry Points9
Unprotected3

REST API Routes 9

POST/wp-json/univcopr/v1/simulatorincludes\class-ucp-admin.php:117
GET/wp-json/univcopr/v1/catalog/productsincludes\class-ucp-api.php:21
POST/wp-json/univcopr/v1/checkout-sessionsincludes\class-ucp-api.php:27
GET/wp-json/univcopr/v1/checkout-sessions/(?P<id>\d+)includes\class-ucp-api.php:33
POST/wp-json/univcopr/v1/mcpincludes\class-ucp-api.php:39
GET/wp-json/univcopr/v1/orders/(?P<id>[a-zA-Z0-9_\-]+)includes\class-ucp-api.php:45
GET/wp-json/univcopr/v1/agent-cardincludes\class-ucp-api.php:51
POST/wp-json/univcopr/v1/tokenincludes\class-ucp-auth.php:33
POST/wp-json/univcopr/v1/token/revokeincludes\class-ucp-auth.php:39
WordPress Hooks 23
actionadmin_menuincludes\class-ucp-admin.php:14
actionadmin_initincludes\class-ucp-admin.php:15
actionadmin_noticesincludes\class-ucp-admin.php:16
actionrest_api_initincludes\class-ucp-admin.php:17
actionadmin_enqueue_scriptsincludes\class-ucp-admin.php:18
actionrest_api_initincludes\class-ucp-api.php:16
actioninitincludes\class-ucp-auth.php:14
filterquery_varsincludes\class-ucp-auth.php:15
actiontemplate_redirectincludes\class-ucp-auth.php:16
actionrest_api_initincludes\class-ucp-auth.php:17
actionadd_meta_boxesincludes\class-ucp-content.php:16
actionsave_post_productincludes\class-ucp-content.php:17
actionwoocommerce_single_product_summaryincludes\class-ucp-content.php:20
actionwoocommerce_after_single_product_summaryincludes\class-ucp-content.php:21
actionwp_headincludes\class-ucp-discovery.php:16
actioninitincludes\class-ucp-discovery.php:19
filterquery_varsincludes\class-ucp-discovery.php:20
actionparse_requestincludes\class-ucp-discovery.php:21
actionwp_footerincludes\class-ucp-ecp.php:16
actionwoocommerce_thankyouincludes\class-ucp-ecp.php:19
actionwp_headincludes\class-ucp-schema.php:15
actionadmin_noticesuniversal-commerce-protocol.php:32
actionplugins_loadeduniversal-commerce-protocol.php:69
Maintenance & Trust

Universal Commerce Protocol (UCP) for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedUnknown
PHP min version7.4
Downloads133

Community Trust

Rating0/100
Number of ratings0
Active installs0
Alternatives

Universal Commerce Protocol (UCP) for WooCommerce Alternatives

Saphali Woocommerce Lite

Saphali Woocommerce Lite

saphali-woocommerce-lite

A
100

A set of additions to the WooCommerce online store. Adds localization & special tools in WooCommerce.

10K 1 CVE
Notification for Telegram

Notification for Telegram

notification-for-telegram

C
54

Sends notifications to Telegram users or groups, when some events occur in WordPress.

4K 2 unpatched
F4 Shipping Phone and E-Mail for WooCommerce

F4 Shipping Phone and E-Mail for WooCommerce

f4-woocommerce-shipping-phone-and-e-mail

A
100

Adds fields for e-mail and/or telephone to the WooCommerce shipping address.

800 No CVEs
StoreAgent – WooCommerce AI Chatbot & AI Content Tools

StoreAgent – WooCommerce AI Chatbot & AI Content Tools

storeagent-ai-for-woocommerce

A
100

WooCommerce AI Chatbot for stores with built-in AI content tools. Generate product descriptions, answer customer questions & more with AI.

200 No CVEs
Checkout Fields and File Upload for WooCommerce

Checkout Fields and File Upload for WooCommerce

fields-and-file-upload

A
100

Easily add general or item-specific detail inputs and file uploads to the WooCommerce checkout page's additional information section.

100 No CVEs
Developer Profile

Universal Commerce Protocol (UCP) for WooCommerce Developer Profile

siteupgradepro

1 plugin · 0 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Universal Commerce Protocol (UCP) for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/universal-commerce-protocol-ucp-for-woocommerce/assets/js/ucp-admin-script.js/wp-content/plugins/universal-commerce-protocol-ucp-for-woocommerce/assets/css/ucp-admin-style.css
Script Paths
/wp-content/plugins/universal-commerce-protocol-ucp-for-woocommerce/assets/js/ucp-admin-script.js
Version Parameters
universal-commerce-protocol-ucp-for-woocommerce/assets/css/ucp-admin-style.css?ver=universal-commerce-protocol-ucp-for-woocommerce/assets/js/ucp-admin-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
ucp-sim-griducp-sim-fielducp-sim-identity-boxucp-sim-section-titleucp-sim-carducp-dash-rowucp-dash-col
Data Attributes
id="sim-progress"id="sim-steps"id="start-ucp-sim"id="ucp-sim-transport"id="ucp-sim-coupon"id="ucp-sim-identity"+3 more
JS Globals
UNIVCOPR_VERSIONjQuery
REST Endpoints
/wp-json/univcopr/v1/simulator
FAQ

Frequently Asked Questions about Universal Commerce Protocol (UCP) for WooCommerce