WC Affiliate – WooCommerce Affiliate Plugin Security & Risk Analysis

wordpress.org/plugins/wc-affiliate

The most complete WooCommerce affiliate plugin - unlimited affiliates, real-time tracking, flexible commissions. Free to start.

200 active installs · v3.2 · PHP 7.4+ · WP 6.0+ · Updated Mar 15, 2026
Tags: affiliate-marketing, affiliates-for-woocommerce, referral-tracking, woocommerce-affiliate, woocommerce-affiliate-plugin
Score: 95 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: May 16, 2025
Safety Verdict

Is WC Affiliate – WooCommerce Affiliate Plugin Safe to Use in 2026?

Generally Safe

Score 95/100

WC Affiliate – WooCommerce Affiliate Plugin has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEs · Last CVE: May 16, 2025 · Updated 2mo ago
Risk Assessment

The "wc-affiliate" plugin version 3.2 presents a mixed security posture. It follows good practice in its use of prepared statements for SQL queries (92%) and output escaping (91%), and it has a significant number of capability checks (56) and nonces (18), but several concerning aspects remain. The presence of 3 AJAX handlers without authentication checks and 4 taint flows with unsanitized paths, including 3 of high severity, indicates potential avenues for exploitation. The plugin's vulnerability history, with 4 known CVEs, including one high-severity issue, spanning Deserialization of Untrusted Data, Missing Authorization, and Cross-site Scripting, suggests a recurring pattern of security weaknesses. There are currently no unpatched vulnerabilities, but the historical prevalence of certain vulnerability types warrants attention.

Key Concerns

  • AJAX handlers without authentication checks
  • High severity taint flows with unsanitized paths
  • History of high severity vulnerabilities (missing auth, XSS, deserialization)
Vulnerabilities
4 published

WC Affiliate – WooCommerce Affiliate Plugin Security Vulnerabilities

CVEs by Year

4 CVEs in 2025

Severity Breakdown

High: 1
Medium: 3

4 total CVEs

CVE-2025-47660 · high · 8.8 · Deserialization of Untrusted Data

WC Affiliate <= 2.16 - Authenticated (Subscriber+) PHP Object Injection

May 16, 2025 Patched in 2.17 (243d)
CVE-2024-12336 · medium · 6.5 · Missing Authorization

WC Affiliate – A Complete WooCommerce Affiliate Plugin <= 2.5.3 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure via wf-export-all

Mar 14, 2025 Patched in 2.6 (4d)
CVE-2024-12334 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WC Affiliate – A Complete WooCommerce Affiliate Plugin <= 2.4 - Reflected Cross-Site Scripting

Jan 25, 2025 Patched in 2.5 (1d)
CVE-2024-12321 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WC Affiliate <= 2.3 - Reflected Cross-Site Scripting

Jan 6, 2025 Patched in 2.4 (25d)
Version History

WC Affiliate – WooCommerce Affiliate Plugin Release Timeline

v3.15.1
v3.2 (Current)
v3.1
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.17
v2.16 · 1 CVE
v2.15 · 1 CVE
v2.14.1 · 1 CVE
v2.14 · 1 CVE
v2.13 · 1 CVE
v2.12 · 1 CVE
v2.11 · 1 CVE
v2.10 · 1 CVE
v2.9.6 · 1 CVE
v2.9.5 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

WC Affiliate – WooCommerce Affiliate Plugin Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 15 (179 prepared)
Unescaped Output: 108 (1113 escaped)
Nonce Checks: 18
Capability Checks: 56
File Operations: 17
External Requests: 8
Bundled Libraries: 1

Bundled Libraries

jQuery

SQL Query Safety

92% prepared · 194 total queries

Output Escaping

91% escaped · 1221 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

16 flows · 4 with unsanitized paths
export_table_report (legacy\src\AJAX.php:606)
Attack Surface
3 unprotected

WC Affiliate – WooCommerce Affiliate Plugin Attack Surface

Entry Points: 8
Unprotected: 3

AJAX Handlers 3

auth wp_ajax_wc_affiliate_download_export app\Controllers\Common\API.php:57
nopriv wp_ajax_wc_affiliate_download_export app\Controllers\Common\API.php:58
auth wp_ajax_wc_bfcm_hide_notice legacy\src\Notice.php:35

REST API Routes 1

GET /wp-json/wc-affiliate/v1/notices/dismiss wc-affiliate-migrate.php:286

Shortcodes 4

[wc-affiliate-dashboard] app\Controllers\Front\Shortcode.php:44
[wc-affiliate-application-form] app\Controllers\Front\Shortcode.php:45
[wc-affiliate-registration] app\Controllers\Front\Shortcode.php:48
[wc-affiliate-login] app\Controllers\Front\Shortcode.php:49
WordPress Hooks 67
filter plugin_row_meta app\Controllers\Admin\Init.php:50
action admin_init app\Controllers\Admin\Init.php:51
action admin_init app\Controllers\Admin\Init.php:53
action admin_notices app\Controllers\Admin\Init.php:54
action wc_affiliate_daily app\Controllers\Admin\Init.php:55
action wp_dashboard_setup app\Controllers\Admin\Init.php:56
filter wp_kses_allowed_html app\Controllers\Admin\Init.php:58
filter display_post_states app\Controllers\Admin\Init.php:59
action show_user_profile app\Controllers\Admin\Init.php:62
action edit_user_profile app\Controllers\Admin\Init.php:63
action personal_options_update app\Controllers\Admin\Init.php:64
action edit_user_profile_update app\Controllers\Admin\Init.php:65
action woocommerce_product_options_general_product_data app\Controllers\Admin\Init.php:68
action woocommerce_process_product_meta app\Controllers\Admin\Init.php:69
action woocommerce_product_after_variable_attributes app\Controllers\Admin\Init.php:70
action woocommerce_save_product_variation app\Controllers\Admin\Init.php:71
action woocommerce_order_status_changed app\Controllers\Admin\Init.php:74
action woocommerce_subscription_renewal_payment_complete app\Controllers\Admin\Init.php:77
action admin_menu app\Controllers\Admin\Menu.php:32
action rest_api_init app\Controllers\Common\API.php:56
action init app\Controllers\Common\Asset.php:34
action admin_enqueue_scripts app\Controllers\Common\Asset.php:35
action wp_enqueue_scripts app\Controllers\Common\Asset.php:36
action wc_affiliate_affiliate_applied app\Controllers\Common\Email.php:55
action wc_affiliate_affiliate_updated app\Controllers\Common\Email.php:56
action wc_affiliate_account_reviewed app\Controllers\Common\Email.php:57
action wc_affiliate_payout_request_created app\Controllers\Common\Email.php:58
action wc_affiliate_add_credit app\Controllers\Common\Email.php:59
action wc_affiliate_payout_processed app\Controllers\Common\Email.php:60
filter wc_affiliate_resend_verification_email app\Controllers\Common\Email.php:61
action wc_affiliate_transaction_after_create app\Controllers\Common\Email.php:64
action wc_affiliate_referral_has_paid app\Controllers\Common\Email.php:65
action init app\Controllers\Common\Init.php:36
action init app\Controllers\Common\Init.php:37
action after_setup_theme app\Controllers\Common\Init.php:38
action admin_init app\Controllers\Common\Init.php:39
filter wc_affiliate_legacy_option_value app\Controllers\Common\Init.php:41
filter wc_affiliate_setup_wizard_updated_values app\Controllers\Common\Init.php:42
action wc_affiliate_complete_wizard app\Controllers\Common\Init.php:43
action wc_affiliate_payout_paid app\Controllers\Common\Init.php:53
action wc_affiliate_notice_dismissed app\Controllers\Common\Init.php:54
action wc_affiliate_daily app\Controllers\Common\Process.php:37
action wc_affiliate_weekly app\Controllers\Common\Process.php:38
action wc_affiliate_cleanup app\Controllers\Common\Process.php:39
action wp app\Controllers\Common\Process.php:51
action wp_footer app\Controllers\Front\Init.php:41
action init app\Controllers\Front\Init.php:43
action wp app\Controllers\Front\Init.php:44
action woocommerce_thankyou app\Controllers\Front\Init.php:49
action easycommerce_after_order app\Controllers\Front\Init.php:50
action wcs_renewal_order_created app\Controllers\Front\Init.php:52
action init app\Controllers\Front\Shortcode.php:27
filter wc_affiliate_email_greeting_content app\Helpers\Email\Mailer.php:29
filter wc_affiliate_email_highlight_content app\Helpers\Email\Mailer.php:30
filter wc_affiliate_email_button_content app\Helpers\Email\Mailer.php:31
filter wc_affiliate_email_signature_content app\Helpers\Email\Mailer.php:32
filter wc_affiliate_email_stats_content app\Helpers\Email\Mailer.php:33
filter wp_mail_content_type app\Helpers\Email\Mailer.php:36
filter is_year_end_campaign_active legacy\src\Admin.php:439
action admin_notices legacy\src\Notice.php:92
action admin_footer wc-affiliate-migrate.php:380
action init wc-affiliate.php:39
action admin_enqueue_scripts wc-affiliate.php:40
action admin_notices wc-affiliate.php:41
action rest_api_init wc-affiliate.php:42
action plugins_loaded wc-affiliate.php:161
action init wc-affiliate.php:162

Scheduled Events 7

wc_affiliate_process_export
wc_affiliate_process_import
wc_affiliate_daily
wc_affiliate_daily
wc_affiliate_weekly
wc_affiliate_cleanup
wc_affiliate_daily
Maintenance & Trust

WC Affiliate – WooCommerce Affiliate Plugin Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 15, 2026
PHP min version: 7.4
Downloads: 15K

Community Trust

Rating: 92/100
Number of ratings: 14
Active installs: 200
Developer Profile

WC Affiliate – WooCommerce Affiliate Plugin Developer Profile

Codexpert, Inc

10 plugins · 41K total installs

Trust score: 75
Avg Security Score: 81/100
Avg Patch Time: 39 days
Detection Fingerprints

How We Detect WC Affiliate – WooCommerce Affiliate Plugin

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wc-affiliate/assets/css/admin.css
/wp-content/plugins/wc-affiliate/assets/css/frontend.css
/wp-content/plugins/wc-affiliate/assets/js/admin.js
/wp-content/plugins/wc-affiliate/assets/js/frontend.js
Script Paths
assets/js/admin.js
assets/js/frontend.js
Version Parameters
wc-affiliate/assets/css/admin.css?ver=
wc-affiliate/assets/css/frontend.css?ver=
wc-affiliate/assets/js/admin.js?ver=
wc-affiliate/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
wc-affiliate-admin-page
wc-affiliate-frontend-page
HTML Comments
<!-- Generated by WC Affiliate -->
Data Attributes
data-wc-affiliate-id
data-wc-affiliate-action
JS Globals
window.wc_affiliate_vars
var wc_affiliate_admin_params
REST Endpoints
/wp-json/wc-affiliate/v1/settings
/wp-json/wc-affiliate/v1/reports
Shortcode Output
[wc_affiliate_dashboard]
[wc_affiliate_referral_link]
FAQ

Frequently Asked Questions about WC Affiliate – WooCommerce Affiliate Plugin