WP-Safety

Order Splitter for WooCommerce Security & Risk Analysis

wordpress.org/plugins/woo-order-splitter

A great plugin to split WooCommerce orders. You can duplicate orders as well.

300 active installs v5.3.8 PHP 7.0+ WP 4.4+ Updated Mar 8, 2026
clonecombinesplitsplit-fundssplit-orders
98
A · Safe
CVEs total2
Unpatched0
Last CVEFeb 17, 2026
Plugin page Download
Safety Verdict

Is Order Splitter for WooCommerce Safe to Use in 2026?

Generally Safe

Score 98/100

Order Splitter for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Feb 17, 2026Updated 26d ago
Risk Assessment

The "woo-order-splitter" plugin version 5.3.8 exhibits a mixed security posture. While it demonstrates good practices like a high percentage of SQL queries using prepared statements and a significant number of nonce and capability checks, several concerns warrant attention. The presence of 24 AJAX handlers, with three lacking authorization checks, creates a notable attack surface. Additionally, the taint analysis revealed 14 high-severity flows with unsanitized paths, indicating a potential for vulnerabilities related to how data is processed. The plugin also utilizes dangerous functions such as 'unserialize', which can be a vector for code injection if not handled with extreme caution, especially when dealing with untrusted input.

The vulnerability history shows two past medium-severity CVEs, specifically related to Missing Authorization and SQL Injection. Although there are no currently unpatched vulnerabilities, the past occurrence of these types of issues, coupled with the current taint analysis findings, suggests a pattern of susceptibility to authorization bypasses and potential SQL injection risks. The plugin's strengths lie in its proactive security measures like prepared statements and checks, but the identified gaps in AJAX handler authorization and the high-severity taint flows present clear risks that need to be addressed to improve its overall security. The last vulnerability being in 2026 is a typo and should not be considered in the current assessment.

Key Concerns

  • AJAX handlers without authentication checks
  • High severity unsanitized taint flows
  • Dangerous function: unserialize
  • Past medium severity CVEs (SQL Injection, Auth)
Vulnerabilities
2

Order Splitter for WooCommerce Security Vulnerabilities

CVEs by Year

1 CVE in 2025
2025
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2025-12075medium · 4.3Missing Authorization

Order Splitter for WooCommerce <= 5.3.5 - Missing Authorization to Authenticated (Subscriber+) Order Information Exposure

Feb 17, 2026 Patched in 5.3.6 (1d)
CVE-2025-31089medium · 6.5Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Order Splitter for WooCommerce <= 5.3.0 - Authenticated (Subscriber+) SQL Injection

Apr 1, 2025 Patched in 5.3.1 (10d)
Code Analysis
Analyzed Mar 16, 2026

Order Splitter for WooCommerce Code Analysis

Dangerous Functions
2
Raw SQL Queries
21
52 prepared
Unescaped Output
223
668 escaped
Nonce Checks
34
Capability Checks
13
File Operations
3
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

unserialize$basedir_html_content_arr = unserialize($basedir_html_content);inc\wos-emails.php:254
unserialize$wc_os_cart_item_meta_keys = unserialize('a:12:{i:0;s:3:"key";i:1;s:10:"product_id";i:2;s:12:"variatindex.php:143

SQL Query Safety

71% prepared73 total queries

Output Escaping

75% escaped891 total outputs
Data Flows
17 unsanitized

Data Flow Analysis

25 flows17 with unsanitized paths
wos_change_order_received_text (inc\functions.php:7252)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
3 unprotected

Order Splitter for WooCommerce Attack Surface

Entry Points24
Unprotected3

AJAX Handlers 24

authwp_ajax_wos_delete_order_statusinc\classes\WC_OS_Order_Status.php:42
authwp_ajax_wos_update_status_colorsinc\classes\WC_OS_Order_Status.php:43
authwp_ajax_wos_save_order_statusinc\classes\WC_OS_Order_Status.php:45
authwp_ajax_wc_os_save_shipping_settingsinc\classes\WC_OS_Shipping.php:23
authwp_ajax_wc_os_update_parcel_shipping_costinc\classes\WC_OS_Shipping.php:24
noprivwp_ajax_wc_os_update_parcel_shipping_costinc\classes\WC_OS_Shipping.php:25
authwp_ajax_wc_os_group_cat_meta_postinc\functions-inner.php:192
authwp_ajax_wos_load_paginatedinc\functions-inner.php:2059
authwp_ajax_wos_items_paginatedinc\functions-inner.php:2106
authwp_ajax_wc_os_search_products_ajaxinc\functions-inner.php:3081
authwp_ajax_wos_troubleshootinginc\functions-troubleshooting.php:142
authwp_ajax_wos_auto_settingsinc\functions.php:9220
authwp_ajax_wos_forced_ieinc\functions.php:9238
authwp_ajax_wos_quick_splitinc\functions.php:9365
authwp_ajax_wc_os_customer_permitted_methodinc\functions.php:9482
noprivwp_ajax_wc_os_customer_permitted_methodinc\functions.php:9483
authwp_ajax_wc_os_clear_order_loginc\functions.php:9584
authwp_ajax_wc_os_email_loginc\functions.php:9621
authwp_ajax_wc_os_clear_email_loginc\functions.php:9657
authwp_ajax_wc_os_debug_loginc\functions.php:9684
authwp_ajax_wc_os_order_loginc\functions.php:9732
authwp_ajax_wc_os_save_ie_method_selectioninc\functions.php:10128
authwp_ajax_wc_os_update_speed_optimizationinc\functions.php:10839
authwp_ajax_wc_os_update_vendor_role_selectioninc\wos-taxonomies.php:601
WordPress Hooks 128
filterwc_order_statusesinc\classes\WC_OS_Order_Status.php:26
filterwoocommerce_valid_order_statuses_for_paymentinc\classes\WC_OS_Order_Status.php:28
filterwoocommerce_valid_order_statuses_for_cancelinc\classes\WC_OS_Order_Status.php:29
filterwoocommerce_valid_order_statuses_for_payment_completeinc\classes\WC_OS_Order_Status.php:31
filterwc_order_is_editableinc\classes\WC_OS_Order_Status.php:34
actionwoocommerce_order_status_changedinc\classes\WC_OS_Order_Status.php:37
filterwoocommerce_order_is_paid_statusesinc\classes\WC_OS_Order_Status.php:39
filterwoocommerce_order_is_pending_statusesinc\classes\WC_OS_Order_Status.php:40
filterwc_os_translation_arrayinc\classes\WC_OS_Order_Status.php:41
actioninitinc\classes\WC_OS_Order_Status.php:46
filterwc_os_translation_arrayinc\classes\WC_OS_Shipping.php:22
actionwc_os_after_order_splitinc\classes\WC_OS_Shipping.php:27
actionwc_os_before_order_splitinc\classes\WC_OS_Shipping.php:28
filterwoocommerce_package_ratesinc\classes\WC_OS_Shipping.php:31
actionwoocommerce_cart_calculate_feesinc\classes\WC_OS_Shipping.php:32
actionwc_os_after_group_category_headingsinc\functions-inner.php:10
filterwoocommerce_order_query_argsinc\functions-inner.php:194
actionparse_queryinc\functions-inner.php:224
actionwoocommerce_checkout_after_customer_detailsinc\functions-inner.php:373
actionwc_os_after_order_splitinc\functions-inner.php:511
actionwoocommerce_analytics_update_order_statsinc\functions-inner.php:929
actionwoocommerce_analytics_update_productinc\functions-inner.php:930
actionwoocommerce_analytics_update_couponinc\functions-inner.php:931
actionwoocommerce_analytics_update_taxinc\functions-inner.php:932
actionwc_os_after_order_splitinc\functions-inner.php:1088
actionwoocommerce_reports_get_order_report_queryinc\functions-inner.php:1157
actionwp_trash_postinc\functions-inner.php:1167
actionwc_os_parcels_meta_datainc\functions-inner.php:3176
filterwoocommerce_order_is_vat_exemptinc\functions-inner.php:3342
actionadmin_initinc\functions-inner.php:3383
actionplugins_loadedinc\functions.php:48
actionplugins_loadedinc\functions.php:49
filterwoocommerce_shop_order_list_table_columnsinc\functions.php:64
actionwoocommerce_shop_order_list_table_custom_columninc\functions.php:65
filtermanage_edit-shop_order_columnsinc\functions.php:67
filtermanage_woocommerce_page_wc-orders_columnsinc\functions.php:68
filterwoocommerce_shop_order_list_table_columnsinc\functions.php:78
actionwoocommerce_shop_order_list_table_custom_columninc\functions.php:79
filtermanage_edit-shop_order_columnsinc\functions.php:81
filtermanage_shop_order_posts_custom_columninc\functions.php:82
filterwoocommerce_shop_order_list_table_columnsinc\functions.php:91
actionwoocommerce_shop_order_list_table_custom_columninc\functions.php:92
filtermanage_edit-shop_order_columnsinc\functions.php:95
filtermanage_shop_order_posts_custom_columninc\functions.php:96
actioninitinc\functions.php:238
actioninitinc\functions.php:302
actioninitinc\functions.php:304
actionadmin_noticesinc\functions.php:374
actionadmin_noticesinc\functions.php:934
actionadmin_noticesinc\functions.php:1005
actionadmin_noticesinc\functions.php:1090
actionadmin_noticesinc\functions.php:1164
actionadmin_noticesinc\functions.php:1240
actionadmin_noticesinc\functions.php:1292
actionadmin_noticesinc\functions.php:1354
actionadmin_noticesinc\functions.php:1555
actionadmin_noticesinc\functions.php:1701
actionadmin_noticesinc\functions.php:1807
actionadmin_noticesinc\functions.php:2085
actionadmin_noticesinc\functions.php:2113
actionadmin_noticesinc\functions.php:2354
actionadmin_noticesinc\functions.php:3171
actionadmin_noticesinc\functions.php:3227
actionadmin_noticesinc\functions.php:3529
actionadmin_noticesinc\functions.php:3610
filterwoocommerce_can_reduce_order_stockinc\functions.php:3751
actionadmin_noticesinc\functions.php:3874
actionadmin_noticesinc\functions.php:4399
filterwoocommerce_order_numberinc\functions.php:7235
filterwoocommerce_thankyou_order_received_textinc\functions.php:7250
actionwoocommerce_thankyouinc\functions.php:7312
actionsave_postinc\functions.php:7828
filterwoocommerce_checkout_fieldsinc\functions.php:8457
filterbulk_actions-edit-shop_orderinc\functions.php:8498
filterbulk_actions-woocommerce_page_wc-ordersinc\functions.php:8499
actionpre_get_postsinc\functions.php:8723
actionwoocommerce_my_account_my_orders_queryinc\functions.php:8770
filterpost_row_actionsinc\functions.php:8881
actionwoocommerce_order_actionsinc\functions.php:8915
filterwoocommerce_admin_order_actionsinc\functions.php:8938
filterwp_titleinc\functions.php:9261
filterthe_contentinc\functions.php:9303
filterwoocommerce_before_main_contentinc\functions.php:9305
filterwoocommerce_before_single_productinc\functions.php:9307
filterwoocommerce_order_item_get_formatted_meta_datainc\functions.php:9533
actionwc_os_ie_options_subscription_splitinc\functions.php:10871
actiontransition_post_statusinc\functions.php:11198
filterwoocommerce_order_needs_shipping_addressinc\functions.php:11244
actionwoocommerce_account_contentinc\functions.php:11346
filterwoocommerce_can_reduce_order_stockinc\functions.php:11357
filterwoocommerce_prevent_adjust_line_item_product_stockinc\functions.php:11757
actionwp_headinc\functions.php:11862
actionadmin_headinc\functions.php:11863
actionadmin_initinc\functions.php:11864
actioninitinc\functions.php:11865
filterwp_mailinc\wos-emails.php:1216
actionwoocommerce_emailinc\wos-emails.php:1461
actioninitinc\wos-essentials.php:504
actionwoocommerce_reduce_order_stockinc\wos-stocks.php:198
actionwoocommerce_product_set_stockinc\wos-stocks.php:200
actionwoocommerce_variation_set_stockinc\wos-stocks.php:201
actioninitinc\wos-taxonomies.php:47
actionadmin_menuinc\wos-taxonomies.php:76
filtermanage_edit-vendors_columnsinc\wos-taxonomies.php:89
filtermanage_vendors_custom_columninc\wos-taxonomies.php:103
actionshow_user_profileinc\wos-taxonomies.php:194
actionedit_user_profileinc\wos-taxonomies.php:195
actionuser_new_forminc\wos-taxonomies.php:196
actionpersonal_options_updateinc\wos-taxonomies.php:266
actionedit_user_profile_updateinc\wos-taxonomies.php:267
actionuser_registerinc\wos-taxonomies.php:268
filtersanitize_userinc\wos-taxonomies.php:280
filterparent_fileinc\wos-taxonomies.php:298
actionadd_meta_boxesinc\wos-taxonomies.php:309
actionwc-os-vendor_add_form_fieldsinc\wos-taxonomies.php:311
actionwc-os-vendor_edit_form_fieldsinc\wos-taxonomies.php:329
actioncreated_wc-os-vendorinc\wos-taxonomies.php:352
actionedited_wc-os-vendorinc\wos-taxonomies.php:353
actionsave_postinc\wos-taxonomies.php:448
filterwoocommerce_account_menu_itemsinc\wos-taxonomies.php:675
actioninitinc\wos-taxonomies.php:688
filterquery_varsinc\wos-taxonomies.php:698
actionwoocommerce_account_wc_os_shipstation_endpointinc\wos-taxonomies.php:708
actionphpmailer_initinc\wos_mailer.php:35
actionadmin_menuindex.php:461
filteracf/settings/remove_wp_meta_boxindex.php:466
actionadmin_enqueue_scriptsindex.php:474
actionwp_enqueue_scriptsindex.php:478
Maintenance & Trust

Order Splitter for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4
Last updatedMar 8, 2026
PHP min version7.0
Downloads110K

Community Trust

Rating94/100
Number of ratings70
Active installs300
Alternatives

Order Splitter for WooCommerce Alternatives

Order Splitter for WooCommerce – Split / Duplicate / Merge Orders

Order Splitter for WooCommerce – Split / Duplicate / Merge Orders

wc-order-splitter

A
100

A plugin helps you to simply split and duplicate orders.

300 No CVEs
All-in-One WP Migration and Backup

All-in-One WP Migration and Backup

all-in-one-wp-migration

A
90

Trusted by 60M+ sites: The gold standard for WordPress migration and backup. Migrate, backup, and restore your WordPress site with one click.

5.0M 13 CVEs
Yoast Duplicate Post

Yoast Duplicate Post

duplicate-post

A
92

The go-to tool for cloning posts and pages, including the powerful Rewrite & Republish feature.

4.0M 3 CVEs
WPvivid — Backup, Migration & Staging

WPvivid — Backup, Migration & Staging

wpvivid-backuprestore

B
75

Migrate, staging, backup WordPress, all in one.

900K 26 CVEs
Migrate Guru – Site Migration & Cloning

Migrate Guru – Site Migration & Cloning

migrate-guru

A
100

Effortlessly migrate, clone, or transfer your WordPress site to over 5,000 web hosts with Migrate Guru, trusted by Cloudways, Pantheon, and Dreamhost.

200K No CVEs
Developer Profile

Order Splitter for WooCommerce Developer Profile

Fahad Mahmood

40 plugins · 33K total installs

76
trust score
Avg Security Score
96/100
Avg Patch Time
237 days
View full developer profile
Detection Fingerprints

How We Detect Order Splitter for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/woo-order-splitter/woo-order-splitter.php
Version Parameters
woo-order-splitter/woo-order-splitter.php?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Order Splitter for WooCommerce