Razorpay for WooCommerce Security & Risk Analysis

wordpress.org/plugins/woo-razorpay

Start accepting payments in minutes with 100% digital onboarding & feature filled Razorpay payment gateway with the WooCommerce plugin.

100K active installs · v4.8.2 · PHP 7.0+ · WP 3.9.2+ · Updated Mar 24, 2026
curlec, india, payments, razorpay, woocommerce
72
B · Generally Safe
CVEs total: 4
Unpatched: 1
Last CVE: Feb 18, 2026
Safety Verdict

Is Razorpay for WooCommerce Safe to Use in 2026?

Mostly Safe

Score 72/100

Razorpay for WooCommerce is generally safe to use. 4 past CVEs were resolved.

4 known CVEs · 1 unpatched · Last CVE: Feb 18, 2026 · Updated 1mo ago
Risk Assessment

The "woo-razorpay" v4.8.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for most SQL queries (95%) and properly escaping a significant portion of its output (74%). The absence of dangerous functions and bundled libraries is also encouraging. However, there are notable areas of concern. The presence of one unprotected AJAX handler significantly increases the attack surface, because this entry point lacks authentication checks. Taint analysis reveals three high-severity flows with unsanitized paths, indicating potential risks of code injection or data leakage if these flows are triggered by malicious input.

The plugin's vulnerability history, with three known medium-severity CVEs, points to a recurring pattern of security weaknesses, specifically related to missing authentication, CSRF, and authorization issues. While there are currently no unpatched vulnerabilities, the past incidents suggest a need for more robust security implementations. The last reported vulnerability in 2026 is also unusual and might indicate a data anomaly or a forward-looking entry, but it highlights a past trend of issues. Overall, while the plugin has some strong security foundations, the unprotected entry point and high-severity taint flows, coupled with a history of authentication and authorization flaws, warrant careful attention and remediation.

Key Concerns

  • Unprotected AJAX handler identified
  • High severity taint flows found (3)
  • Past medium severity vulnerabilities (3)
  • History of missing auth/authz/CSRF
  • Only 2 nonce checks for 1 entry point
  • Only 2 capability checks for 1 entry point
  • Output escaping below 80% (74%)
Vulnerabilities
4 published

Razorpay for WooCommerce Security Vulnerabilities

CVEs by Year

  • 2023: 2 CVEs
  • 2026: 2 CVEs · unpatched

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2025-14294 · medium · 5.3 · Missing Authentication for Critical Function

Razorpay for WooCommerce <= 4.7.8 - Missing Authentication to Unauthenticated Order Modification

Feb 18, 2026 · Patched in 4.7.9 (1d)

CVE-2026-39656 · medium · 5.3 · Missing Authorization

Razorpay for WooCommerce <= 4.8.2 - Missing Authorization

Feb 16, 2026 · Unpatched

WF-e6a2b2f6-c648-4755-be24-92c7f287813e-woo-razorpay · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Razorpay for WooCommerce <= 4.5.6 - Cross-Site Request Forgery

Nov 28, 2023 · Patched in 4.5.7 (56d)

Razorpay for WooCommerce <= 4.5.6 - Missing Authorization

Nov 28, 2023 · Patched in 4.5.7 (56d)
Code Analysis
Analyzed Mar 16, 2026

Razorpay for WooCommerce Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 3 (62 prepared)
  • Unescaped Output: 33 (95 escaped)
  • Nonce Checks: 2
  • Capability Checks: 2
  • File Operations: 4
  • External Requests: 1
  • Bundled Libraries: 0

SQL Query Safety

95% prepared · 65 total queries

Output Escaping

74% escaped · 128 total outputs
Data Flows · Security
12 unsanitized

Data Flow Analysis

12 flows · 12 with unsanitized paths
reverseTransfer (includes\razorpay-route-actions.php:77)
Attack Surface
1 unprotected

Razorpay for WooCommerce Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers 1

auth · wp_ajax_rzpInstrumentation · includes\plugin-instrumentation.php:329
WordPress Hooks 55
action · rest_api_init · includes\api\api.php:143
action · setup_extra_setting_fields · includes\api\api.php:182
filter · nonce_user_logged_out · includes\api\api.php:277
filter · rest_authentication_errors · includes\api\api.php:284
action · one_cc_plugin_sync_cron · includes\cron\plugin-fetch.php:8
action · upgrader_process_complete · includes\plugin-instrumentation.php:24
action · setup_extra_setting_fields · includes\razorpay-route.php:11
action · check_route_enable_status · includes\razorpay-route.php:12
action · admin_post_rzp_direct_transfer · includes\razorpay-route.php:15
action · admin_post_rzp_reverse_transfer · includes\razorpay-route.php:21
action · admin_post_rzp_settlement_change · includes\razorpay-route.php:27
action · admin_post_rzp_payment_transfer · includes\razorpay-route.php:33
action · admin_menu · includes\razorpay-route.php:62
action · admin_enqueue_scripts · includes\razorpay-route.php:63
filter · woocommerce_product_data_tabs · includes\razorpay-route.php:65
action · woocommerce_product_data_panels · includes\razorpay-route.php:66
action · woocommerce_process_product_meta · includes\razorpay-route.php:67
action · add_meta_boxes · includes\razorpay-route.php:68
action · plugins_loaded · woo-razorpay.php:44
action · admin_post_nopriv_rzp_wc_webhook · woo-razorpay.php:45
action · before_woocommerce_init · woo-razorpay.php:46
action · before_woocommerce_init · woo-razorpay.php:53
action · woocommerce_blocks_loaded · woo-razorpay.php:60
action · woocommerce_blocks_payment_method_type_registration · woo-razorpay.php:68
action · plugins_loaded · woo-razorpay.php:89
action · woocommerce_update_options_advanced · woo-razorpay.php:161
action · woocommerce_update_options_payment_gateways · woo-razorpay.php:441
action · woocommerce_update_options_payment_gateways · woo-razorpay.php:442
action · woocommerce_update_options_payment_gateways · woo-razorpay.php:443
action · woocommerce_update_options_payment_gateways · woo-razorpay.php:444
action · woocommerce_update_options_payment_gateways · woo-razorpay.php:445
action · wp_enqueue_scripts · woo-razorpay.php:449
filter · script_loader_tag · woo-razorpay.php:451
filter · woocommerce_thankyou_order_received_text · woo-razorpay.php:453
action · woocommerce_sections_checkout · woo-razorpay.php:602
action · woocommerce_settings_tabs_checkout · woo-razorpay.php:603
action · woocommerce_update_options_checkout · woo-razorpay.php:604
filter · woocommerce_payment_gateways · woo-razorpay.php:3222
action · woocommerce_before_single_product · woo-razorpay.php:3242
action · woocommerce_after_add_to_cart_button · woo-razorpay.php:3244
action · woocommerce_before_add_to_cart_form · woo-razorpay.php:3287
filter · cron_schedules · woo-razorpay.php:3352
action · rzp_webhook_exec_cron · woo-razorpay.php:3452
action · woocommerce_proceed_to_checkout · woo-razorpay.php:3559
action · wp_head · woo-razorpay.php:3562
action · wp_head · woo-razorpay.php:3563
action · wp_enqueue_scripts · woo-razorpay.php:3564
action · wp_footer · woo-razorpay.php:3566
action · woocommerce_widget_shopping_cart_buttons · woo-razorpay.php:3631
action · woocommerce_widget_shopping_cart_buttons · woo-razorpay.php:3636
action · woocommerce_after_add_to_cart_button · woo-razorpay.php:3659
action · admin_enqueue_scripts · woo-razorpay.php:3707
filter · woocommerce_coupons_enabled · woo-razorpay.php:3728
filter · woocommerce_order_needs_shipping_address · woo-razorpay.php:3729
filter · cartbounty_automation_button_html · woo-razorpay.php:3738

Scheduled Events 1

rzp_webhook_exec_cron
Maintenance & Trust

Razorpay for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 24, 2026
PHP min version: 7.0
Downloads: 2.3M

Community Trust

Rating: 50/100
Number of ratings: 23
Active installs: 100K
Developer Profile

Razorpay for WooCommerce Developer Profile

Razorpay

10 plugins · 107K total installs

Trust score: 88
Avg Security Score: 91/100
Avg Patch Time: 22 days
Detection Fingerprints

How We Detect Razorpay for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/woo-razorpay/assets/images/razorpay-logo.svg
  • /wp-content/plugins/woo-razorpay/assets/js/razorpay-checkout.js
  • /wp-content/plugins/woo-razorpay/assets/js/razorpay-custom.js
  • /wp-content/plugins/woo-razorpay/assets/css/razorpay-custom.css
  • /wp-content/plugins/woo-razorpay/assets/js/razorpay-order-status.js

Script Paths

  • /wp-content/plugins/woo-razorpay/assets/js/razorpay-checkout.js
  • /wp-content/plugins/woo-razorpay/assets/js/razorpay-custom.js
  • /wp-content/plugins/woo-razorpay/assets/js/razorpay-order-status.js

Version Parameters

  • woo-razorpay/assets/css/razorpay-custom.css?ver=
  • woo-razorpay/assets/js/razorpay-checkout.js?ver=
  • woo-razorpay/assets/js/razorpay-custom.js?ver=
  • woo-razorpay/assets/js/razorpay-order-status.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • razorpay-checkout
  • razorpay-method-title
  • razorpay-payment-button
  • razorpay-order-status

HTML Comments

  • <!-- Start of Razorpay checkout button -->
  • <!-- End of Razorpay checkout button -->
  • <!-- Start of Razorpay Order Status Section -->
  • <!-- End of Razorpay Order Status Section -->

Data Attributes

  • data-razorpay-key-id
  • data-razorpay-amount
  • data-razorpay-order-id
  • data-razorpay-payment-capture
  • data-razorpay-name
  • data-razorpay-description
  • +19 more

JS Globals

  • razorpay_checkout_params
  • WooCommerceRazorpay
  • rzp_params

REST Endpoints

  • /wp-json/woo-razorpay/v1/payment
  • /wp-json/woo-razorpay/v1/webhook