Additional Fees For WooCommerce Checkout Security & Risk Analysis

wordpress.org/plugins/woo-additional-fees-on-checkout-wordpress

Create required/non-required multiple fees for WooCommerce checkout, apply as fixed/percentage cost upon cart quantity/amount/product/category/type.

200 active installs · v1.5.3 · PHP + · WP 6.3+ · Updated Dec 21, 2025
woocommerce-additional-cost · woocommerce-checkout-cost · woocommerce-extra-cost · woocommerce-surcharge
98
A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Sep 22, 2025
Safety Verdict

Is Additional Fees For WooCommerce Checkout Safe to Use in 2026?

Generally Safe

Score 98/100

Additional Fees For WooCommerce Checkout has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Sep 22, 2025 · Updated 4mo ago
Risk Assessment

The "woo-additional-fees-on-checkout-wordpress" plugin version 1.5.3 presents a mixed security posture. On the positive side, the code demonstrates good practices regarding SQL queries, exclusively using prepared statements, and a high percentage of output escaping. It also avoids dangerous functions, file operations, and external HTTP requests, which are common sources of vulnerabilities. However, a significant concern is the presence of an unprotected AJAX handler, which constitutes the entire attack surface exposed via this mechanism. This lack of authentication or authorization on an entry point significantly increases the risk of unauthorized actions or information disclosure.

The vulnerability history indicates past medium-severity Cross-Site Scripting (XSS) issues, suggesting a recurring pattern of input sanitization weaknesses. While there are currently no unpatched CVEs, the history implies that the plugin has had vulnerabilities requiring developer attention. The taint analysis shows flows with unsanitized paths. Although they are not categorized as critical or high severity in this analysis, they warrant attention because of the potential for exploitation given the unprotected AJAX endpoint.

In conclusion, while the plugin has strengths in its handling of database queries and output, the unprotected AJAX handler is a critical weakness that could be exploited. The past XSS vulnerabilities also highlight a need for continued vigilance in input validation. The plugin is functional and has addressed past security issues, but the current attack surface via the unprotected AJAX handler is a notable risk that needs mitigation.

Key Concerns

  • Unprotected AJAX handler
  • Flows with unsanitized paths
  • Bundled Select2 library
Vulnerabilities
2 published

Additional Fees For WooCommerce Checkout Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-57903 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WooCommerce Additional Fees On Checkout (Free) <= 1.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 22, 2025 Patched in 1.5.3 (107d)
CVE-2024-12395 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WooCommerce Additional Fees On Checkout (Free) <= 1.4.7 - Reflected Cross-Site Scripting via 'number'

Dec 16, 2024 Patched in 1.4.8 (1d)
Version History

Additional Fees For WooCommerce Checkout Release Timeline

v1.5.3 · Current
v1.5.2 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Additional Fees For WooCommerce Checkout Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 32 (180 escaped)
Nonce Checks: 0
Capability Checks: 1
File Operations: 0
External Requests: 0
Bundled Libraries: 1

Bundled Libraries

Select2

Output Escaping

85% escaped · 212 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows · 2 with unsanitized paths
wps_generate_new_fees (classes\wps-ext-cst-admin.php:26)
Attack Surface
1 unprotected

Additional Fees For WooCommerce Checkout Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_wps_generate_new_fees · classes\wps-ext-cst-admin.php:6
WordPress Hooks 15
action · admin_menu · classes\wps-ext-cst-admin.php:9
action · admin_init · classes\wps-ext-cst-admin.php:10
action · admin_enqueue_scripts · classes\wps-ext-cst-admin.php:11
action · woocommerce_after_order_notes · classes\wps-ext-cst-extra-fees-frontend.php:11
action · wp_footer · classes\wps-ext-cst-extra-fees-frontend.php:12
action · woocommerce_cart_calculate_fees · classes\wps-ext-cst-extra-fees-frontend.php:13
action · woocommerce_after_order_notes · classes\wps-ext-cst-frontend.php:8
action · wp_footer · classes\wps-ext-cst-frontend.php:9
action · woocommerce_cart_calculate_fees · classes\wps-ext-cst-frontend.php:10
action · woocommerce_init · classes\wps-ext-cst-main.php:6
action · admin_enqueue_scripts · classes\wps-ext-cst-main.php:7
action · admin_init · woo-additional-fees-checkout.php:21
action · admin_notices · woo-additional-fees-checkout.php:25
action · wp_footer · woo-additional-fees-checkout.php:68
filter · wc_get_template · woo-additional-fees-checkout.php:82
Maintenance & Trust

Additional Fees For WooCommerce Checkout Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 21, 2025
PHP min version
Downloads: 32K

Community Trust

Rating: 62/100
Number of ratings: 35
Active installs: 200
Developer Profile

Additional Fees For WooCommerce Checkout Developer Profile

WPSuperiors Developer

6 plugins · 260 total installs

Trust score: 86
Avg Security Score: 97/100
Avg Patch Time: 54 days
Detection Fingerprints

How We Detect Additional Fees For WooCommerce Checkout

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/woo-additional-fees-on-checkout-wordpress/assets/CSS/wafc-select2.min.css
/wp-content/plugins/woo-additional-fees-on-checkout-wordpress/assets/CSS/admin-style.css
Version Parameters
woo-additional-fees-on-checkout-wordpress/assets/CSS/wafc-select2.min.css?ver=
woo-additional-fees-on-checkout-wordpress/assets/CSS/admin-style.css?ver=

HTML / DOM Fingerprints

CSS Classes
wps-ext-cst-fees
fees-title
HTML Comments
<!-- Add extra fee details -->
<!-- Fees configuration -->
<!-- Calculate fees including TAX -->
<!-- Calculate fees including Shipping Costs -->
+246 more
Data Attributes
id="fees
class="wps-ext-cst-fees"
class="fees-title"
class="dashicons dashicons-trash"
onclick="remove_fees(
name="ext_cst_extra[
+418 more
JS Globals
WAFOCW_active_check
WAFOCW_active_failed_notice
WPS_EXT_CST
WPS_EXT_CST_BASE
WPS_EXT_CST_DIR
WPS_EXT_CST_URL
+21 more
FAQ

Frequently Asked Questions about Additional Fees For WooCommerce Checkout