Purchase Orders for WooCommerce Security & Risk Analysis

wordpress.org/plugins/wc-purchase-orders

Enable purchase orders! WooCommerce plugin lets you accept Purchase Orders at checkout, streamlining B2B orders.

30 active installs v1.0.4 PHP + WP 4.7+ Updated Sep 16, 2025
Tags: documents, orders, payment-gateway, purchase-orders, woocommerce
Score: 98 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Aug 11, 2025
Safety Verdict

Is Purchase Orders for WooCommerce Safe to Use in 2026?

Generally Safe

Score 98/100

Purchase Orders for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Aug 11, 2025 · Updated 6mo ago
Risk Assessment

The 'wc-purchase-orders' plugin v1.0.4 presents a mixed security posture. On the positive side, the plugin demonstrates good practices by exclusively using prepared statements for SQL queries and having a very high percentage of properly escaped output. The absence of dangerous functions and external HTTP requests is also commendable. Furthermore, there are no reported critical or high severity vulnerabilities currently unpatched, which is a strong indicator of ongoing maintenance and responsiveness.

However, significant concerns arise from the plugin's attack surface. All four identified AJAX handlers lack authentication checks, creating a substantial risk for unauthorized actions if these handlers perform sensitive operations. While taint analysis revealed no immediate critical or high severity issues, the presence of unprotected entry points means that even low-severity vulnerabilities could be easily exploited. The vulnerability history, while currently showing no unpatched issues, does indicate a past high severity vulnerability related to path traversal. This suggests a potential for such vulnerabilities to reappear if not carefully addressed in development practices.

In conclusion, while the plugin excels in secure coding practices for SQL and output handling, the lack of authentication on its AJAX endpoints is a critical oversight that significantly elevates its risk profile. The past path traversal vulnerability also warrants vigilance. A thorough security review of the unprotected AJAX handlers is strongly recommended to mitigate potential risks.

Key Concerns

  • 4 unprotected AJAX handlers
  • 1 past high severity vulnerability (Path Traversal)
Vulnerabilities
1

Purchase Orders for WooCommerce Security Vulnerabilities

CVEs by Year

1 CVE in 2025

Severity Breakdown

High: 1

1 total CVE

CVE-2025-5391 · high · 8.1 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

WooCommerce Purchase Orders <= 1.0.2 - Authenticated (Subscriber+) Arbitrary File Deletion

Aug 11, 2025 Patched in 1.0.3 (25d)
Code Analysis
Analyzed Mar 16, 2026

Purchase Orders for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 1 (28 escaped)
Nonce Checks: 6
Capability Checks: 3
File Operations: 2
External Requests: 0
Bundled Libraries: 0

Output Escaping

97% escaped · 29 total outputs
Attack Surface
4 unprotected

Purchase Orders for WooCommerce Attack Surface

Entry Points: 4
Unprotected: 4

AJAX Handlers 4

auth · wp_ajax_wcpo_dismiss_admin_notice · includes\class-bbpo-purchase-orders.php:149
auth · wp_ajax_wcpo_upload_purchase_order · includes\class-bbpo-purchase-orders.php:150
auth · wp_ajax_wcpo_delete_purchase_order_file · includes\class-bbpo-purchase-orders.php:151
auth · wp_ajax_wcpo_dismiss_new_settings_notice · includes\class-bbpo-purchase-orders.php:209
WordPress Hooks 18
filter · wp_check_filetype_and_ext · includes\class-bbpo-purchase-orders.php:147
action · admin_notices · includes\class-bbpo-purchase-orders.php:148
filter · woocommerce_payment_gateways · includes\class-bbpo-purchase-orders.php:159
filter · woocommerce_available_payment_gateways · includes\class-bbpo-purchase-orders.php:160
action · plugins_loaded · includes\class-bbpo-purchase-orders.php:161
action · show_user_profile · includes\class-bbpo-purchase-orders.php:169
action · edit_user_profile · includes\class-bbpo-purchase-orders.php:170
action · personal_options_update · includes\class-bbpo-purchase-orders.php:171
action · edit_user_profile_update · includes\class-bbpo-purchase-orders.php:172
action · plugins_loaded · includes\class-bbpo-purchase-orders.php:189
action · admin_enqueue_scripts · includes\class-bbpo-purchase-orders.php:203
action · admin_enqueue_scripts · includes\class-bbpo-purchase-orders.php:204
action · woocommerce_admin_order_data_after_order_details · includes\class-bbpo-purchase-orders.php:205
action · woocommerce_email_order_meta · includes\class-bbpo-purchase-orders.php:206
action · woocommerce_order_details_after_order_table_items · includes\class-bbpo-purchase-orders.php:207
action · admin_notices · includes\class-bbpo-purchase-orders.php:208
action · wp_enqueue_scripts · includes\class-bbpo-purchase-orders.php:223
action · wp_enqueue_scripts · includes\class-bbpo-purchase-orders.php:224
Maintenance & Trust

Purchase Orders for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Sep 16, 2025
PHP min version
Downloads: 1K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 30
Developer Profile

Purchase Orders for WooCommerce Developer Profile

Ahmad Wael

1 plugin · 30 total installs

Trust score: 93
Avg Security Score: 98/100
Avg Patch Time: 25 days
Detection Fingerprints

How We Detect Purchase Orders for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wc-purchase-orders/css/wc-purchase-orders-admin.css
/wp-content/plugins/wc-purchase-orders/js/wc-purchase-orders-admin.js
Script Paths
js/wc-purchase-orders-admin.js
Version Parameters
wc-purchase-orders/css/wc-purchase-orders-admin.css?ver=
wc-purchase-orders/js/wc-purchase-orders-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
purchase-order-document-file
purchase-order-number
Data Attributes
download
JS Globals
wcpo_object