Does Vendus have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Vendus compatible with WordPress 6.2.9?

According to WordPress.org data, Vendus 2.0 has been tested up to WordPress 6.2.9. Check the plugin's changelog for the latest compatibility information.

Is Vendus compatible with PHP 5.6+?

Vendus requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Vendus updated?

Vendus was last updated on Apr 18, 2023. Frequent updates are generally a positive security signal.

What is Vendus's security score?

Vendus has a WP-Safety security score of 85/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Vendus Security & Risk Analysis

wordpress.org/plugins/vendus

Faturação 100% online, sem dores de cabeça e sem sair da sua loja online! Programa nº 2230 certificado pela AT a partir de 4€ / mês.

200 active installs v2.0 PHP 5.6+ WP 4.5+ Updated Apr 18, 2023

billinginvoiceinvoicingorders

A · Safe

CVEs total0

Unpatched0

Last CVENever

Plugin page Download

Safety Verdict

Is Vendus Safe to Use in 2026?

Generally Safe

Score 85/100

Vendus has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 3yr ago

Risk Assessment

The "vendus" plugin v2.0 demonstrates a generally good security posture in several key areas, notably its lack of known vulnerabilities and robust handling of SQL queries with prepared statements. The plugin also excels in output escaping, with a high percentage of outputs properly sanitized. However, the static analysis reveals significant concerns that introduce potential risks.

The presence of the `unserialize` function twice without any apparent capability or nonce checks is a critical vulnerability. If user-controlled data is passed to `unserialize`, it can lead to Remote Code Execution (RCE) or other severe security issues. Furthermore, all identified taint flows have unsanitized paths, indicating a potential for various injection attacks if user input is not strictly validated and sanitized before being used in sensitive operations. The single external HTTP request also warrants attention, as it could be a vector for SSRF or data exfiltration if not properly secured.

While the vulnerability history is clean, which is a positive indicator, it doesn't negate the risks identified in the static analysis. The absence of historical vulnerabilities could simply mean these specific weaknesses haven't been exploited or discovered yet. In conclusion, "vendus" v2.0 has strengths in SQL handling and output escaping, but the critical risks associated with `unserialize` and unsanitized taint flows, coupled with a lack of authorization checks on these potentially dangerous functions, present a significant security weakness.

Key Concerns

Dangerous function 'unserialize' used twice without auth/nonce
All taint flows have unsanitized paths
External HTTP request without clear security context
No nonce checks on critical functions
No capability checks on critical functions

Vulnerabilities

None known

Vendus Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Version History

Vendus Release Timeline

v2.2

v2.1.2

v2.1.1

v2.1

v1.0

Code Analysis

Analyzed Mar 16, 2026

Vendus Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

42 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize$invoice = unserialize($order[Vendus_Plugin_Orders::CUSTOM_FIELD_INVOICES][0]);includes\class-vp-orders.php:46

unserialize$invoice = unserialize($order[Vendus_Plugin_Orders::CUSTOM_FIELD_INVOICES][0]);includes\class-vp-orders.php:80

Output Escaping

86% escaped49 total outputs

Data Flows · Security

6 unsanitized

Data Flow Analysis

6 flows6 with unsanitized paths

_invoiceHook (includes\class-vp.php:207)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Vendus Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 20

filterwoocommerce_billing_fieldsincludes\class-vp-clients.php:24

filterwoocommerce_admin_billing_fieldsincludes\class-vp-clients.php:63

actionadmin_initincludes\class-vp-clients.php:83

filterwoocommerce_ajax_get_customer_detailsincludes\class-vp-clients.php:86

filterwoocommerce_found_customer_detailsincludes\class-vp-clients.php:88

actionwoocommerce_customer_meta_fieldsincludes\class-vp-clients.php:113

actionwoocommerce_order_details_after_customer_detailsincludes\class-vp-clients.php:127

filterwoocommerce_email_customer_details_fieldsincludes\class-vp-clients.php:144

filterwoocommerce_api_order_responseincludes\class-vp-clients.php:159

filterwoocommerce_api_customer_responseincludes\class-vp-clients.php:169

actionwoocommerce_checkout_processincludes\class-vp-clients.php:183

actionwoocommerce_after_save_address_validationincludes\class-vp-clients.php:207

actionadmin_menuincludes\class-vp-menu.php:14

filtermanage_edit-shop_order_columnsincludes\class-vp-orders.php:36

filtermanage_shop_order_posts_custom_columnincludes\class-vp-orders.php:63

actionadd_meta_boxesincludes\class-vp-orders.php:69

actionvendus_plugin_action_view_pdfincludes\class-vp.php:204

actionvendus_plugin_action_invoiceincludes\class-vp.php:268

actionvendus_plugin_action_invoice_ncincludes\class-vp.php:308

actionadmin_noticesincludes\class-vp.php:321

Maintenance & Trust

Vendus Maintenance & Trust

Maintenance Signals

WordPress version tested6.2.9

Last updatedApr 18, 2023

PHP min version5.6

Downloads5K

Community Trust

Rating0/100

Number of ratings0

Active installs200

Alternatives

Vendus Alternatives

Client Invoicing by Sprout Invoices – Easy Estimates and Invoices for WordPress

sprout-invoices

The best invoicing plugin for WordPress. See how you can get paid faster without those hidden service fees.

1K 10 CVEs

WP Forms + Sprout Invoices – Easy Invoice & Quote Submissions

sprout-invoices-wp-forms

100

Dynamic invoicing (and estimates/quotes) from WP Form submissions.

400 No CVEs

Formidable Forms + Sprout Invoices – Easy Invoice & Estimate Submissions

sprout-invoices-formidable-forms

100

Dynamic invoicing (and estimates/quotes) from Formidable Form submissions.

200 No CVEs

TOConline for WooCommerce

toconline-for-woocommerce

100

TOConline for WooCommerce is a WordPress plugin that automates invoicing with TOConline.

100 No CVEs

Gravity Forms + Sprout Invoices – Easy Invoice & Estimate Submissions

sprout-invoices-gravity-forms

100

Dynamic invoicing (and estimates/quotes) from Gravity Form submissions.

90 No CVEs

Developer Profile

Vendus Developer Profile

Vendus

1 plugin · 200 total installs

trust score

Avg Security Score

85/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Vendus

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/vendus/assets/js/frontend.js/wp-content/plugins/vendus/assets/css/frontend.css

Script Paths

/wp-content/plugins/vendus/assets/js/frontend.js

HTML / DOM Fingerprints

Data Attributes

data-nifdata-nif-labeldata-nif-placeholderdata-nif-requireddata-nif-maxlengthdata-nif-validate

JS Globals

vendus_plugin_vars

REST Endpoints

/wp-json/vendus/v1/customers/get

Shortcode Output

<div class="vendus_plugin_wrapper">
		<input type="hidden" name="vendus_plugin_nonce" value="

FAQ