WooCommerce Tax (formerly WooCommerce Shipping & Tax) Security & Risk Analysis

wordpress.org/plugins/woocommerce-services

We’re here to help with tax rates: collect accurate sales tax, automatically.

600K active installs · v3.6.0 · PHP 7.4+ · WP 6.7+ · Updated Apr 13, 2026
gst, payment, tax, vat, woocommerce
Score: 100 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: May 23, 2023
Safety Verdict

Is WooCommerce Tax (formerly WooCommerce Shipping & Tax) Safe to Use in 2026?

Generally Safe

Score 100/100

WooCommerce Tax (formerly WooCommerce Shipping & Tax) has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: May 23, 2023 · Updated 1mo ago
Risk Assessment

The WooCommerce Services plugin v3.5.1 exhibits a generally good security posture based on the static analysis. A notable strength is the absence of unprotected entry points across AJAX handlers and REST API routes, with a high percentage of SQL queries utilizing prepared statements and output being properly escaped. The presence of nonce and capability checks on all identified AJAX handlers further bolsters its defenses against common web vulnerabilities.

However, the plugin's vulnerability history is a point of concern. A past medium-severity Cross-Site Scripting (XSS) vulnerability, though currently patched, indicates a potential for input sanitization issues. The presence of external HTTP requests, while not inherently a vulnerability, could be an attack vector if not handled securely. The taint analysis showing no unsanitized paths is positive, but the fact that only two flows were analyzed might suggest a limited scope of the analysis, or that the plugin's complexity is such that fewer potential taint paths exist.

Overall, WooCommerce Services v3.5.1 appears to be a well-defended plugin with strong adherence to secure coding practices. The past XSS vulnerability, however, warrants continued vigilance for any future updates. The limited number of analyzed taint flows could be an area for deeper investigation if more comprehensive security assurance is required.

Key Concerns

  • Medium severity CVE found in history
  • Presence of external HTTP requests
Vulnerabilities
1 published

WooCommerce Tax (formerly WooCommerce Shipping & Tax) Security Vulnerabilities

CVEs by Year

1 CVE in 2023

Severity Breakdown

Medium: 1

1 total CVE

WF-57156ebc-2858-4295-ba08-57bcab6db229-woocommerce-services · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WooCommerce Shipping & Tax <= 2.2.4 - Stored Cross-Site Scripting

May 23, 2023 Patched in 2.2.5 (245d)
Version History

WooCommerce Tax (formerly WooCommerce Shipping & Tax) Release Timeline

v3.6.0: Current
v3.5.2: 14 files changed
v3.5.1: 190 files changed
v3.5.0: 35 files changed
v3.4.1: 57 files changed
v3.4.0: 59 files changed
v3.3.1: 38 files changed
v3.3.0: 40 files changed
v3.2.3: 37 files changed
v3.2.2: 40 files changed
v3.2.1: 38 files changed
v3.2.0: 59 files changed
v3.1.1: 50 files changed
v3.1.0: 40 files changed
v3.0.11: 57 files changed
v3.0.10: 40 files changed
v3.0.9: 60 files changed
v3.0.8: 37 files changed
v3.0.7: 36 files changed
v3.0.6: 66 files changed
Code Analysis
Analyzed Mar 16, 2026

WooCommerce Tax (formerly WooCommerce Shipping & Tax) Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 5 (18 prepared)
Unescaped Output: 11 (171 escaped)
Nonce Checks: 7
Capability Checks: 7
File Operations: 2
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

78% prepared · 23 total queries

Output Escaping

94% escaped · 182 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

2 flows
get_export_button (classes\class-wc-connect-label-reports.php:20)
Attack Surface

WooCommerce Tax (formerly WooCommerce Shipping & Tax) Attack Surface

Entry Points: 4
Unprotected: 0

AJAX Handlers 4

auth wp_ajax_wcs_migration_survey_submit classes\class-wc-connect-migration-survey.php:34
auth wp_ajax_wcs_migration_survey_dismiss classes\class-wc-connect-migration-survey.php:35
auth wp_ajax_wcs_migration_survey_track_display classes\class-wc-connect-migration-survey.php:36
auth wp_ajax_wc_connect_dismiss_notice classes\class-wc-connect-nux.php:417
WordPress Hooks 118
action woocommerce_store_api_cart_errors classes\class-wc-connect-cart-validation.php:18
filter woocommerce_cart_no_shipping_available_html classes\class-wc-connect-cart-validation.php:25
filter woocommerce_shipping_package_name classes\class-wc-connect-cart-validation.php:26
action wcservices_rest_api_init classes\class-wc-connect-compatibility-wcshipping-packages.php:88
filter option_wc_connect_options classes\class-wc-connect-compatibility-wcshipping-packages.php:101
filter option_wc_connect_options classes\class-wc-connect-compatibility-wcshipping-packages.php:102
action pre_update_option_wc_connect_options classes\class-wc-connect-compatibility-wcshipping-packages.php:105
action pre_update_option_wc_connect_options classes\class-wc-connect-compatibility-wcshipping-packages.php:106
action woocommerce_cart_calculate_fees classes\class-wc-connect-custom-surcharge.php:21
filter woocommerce_debug_tools classes\class-wc-connect-debug-tools.php:20
filter woocommerce_admin_status_tabs classes\class-wc-connect-help-view.php:44
action woocommerce_admin_status_content_connect classes\class-wc-connect-help-view.php:45
filter jetpack_use_iframe_authorization_flow classes\class-wc-connect-jetpack.php:140
action enqueue_wc_connect_script classes\class-wc-connect-migration-survey.php:31
action go-to-shipping-zones classes\class-wc-connect-note-dhl-live-rates-available.php:44
filter wc_services_pointer_post.php classes\class-wc-connect-nux.php:71
filter wc_services_pointer_post.php classes\class-wc-connect-nux.php:72
action admin_post_register_woocommerce_services_jetpack classes\class-wc-connect-nux.php:396
action admin_notices classes\class-wc-connect-nux.php:401
action admin_notices classes\class-wc-connect-nux.php:405
action admin_notices classes\class-wc-connect-nux.php:409
action admin_notices classes\class-wc-connect-nux.php:413
filter woocommerce_paypal_express_checkout_settings classes\class-wc-connect-paypal-ec.php:48
filter woocommerce_paypal_express_checkout_request_body classes\class-wc-connect-paypal-ec.php:74
filter option_woocommerce_ppec_paypal_settings classes\class-wc-connect-paypal-ec.php:76
filter woocommerce_payment_gateway_supports classes\class-wc-connect-paypal-ec.php:77
action woocommerce_order_status_on-hold classes\class-wc-connect-paypal-ec.php:81
action woocommerce_payment_complete classes\class-wc-connect-paypal-ec.php:82
action admin_enqueue_scripts classes\class-wc-connect-paypal-ec.php:85
filter wc_services_pointer_post.php classes\class-wc-connect-paypal-ec.php:87
filter pre_option_wc_gateway_ppce_prompt_to_connect classes\class-wc-connect-paypal-ec.php:89
filter pre_http_request classes\class-wc-connect-paypal-ec.php:98
action admin_notices classes\class-wc-connect-paypal-ec.php:204
action admin_init classes\class-wc-connect-privacy.php:22
action admin_notices classes\class-wc-connect-privacy.php:23
filter woocommerce_privacy_export_order_personal_data classes\class-wc-connect-privacy.php:24
action woocommerce_privacy_before_remove_order_personal_data classes\class-wc-connect-privacy.php:25
filter woocommerce_get_sections_shipping classes\class-wc-connect-settings-pages.php:38
action woocommerce_settings_shipping classes\class-wc-connect-settings-pages.php:39
filter woocommerce_get_settings_shipping classes\class-wc-connect-settings-pages.php:71
filter woocommerce_tax_settings classes\class-wc-connect-taxjar-integration.php:179
action admin_enqueue_scripts classes\class-wc-connect-taxjar-integration.php:183
filter woocommerce_admin_settings_sanitize_option classes\class-wc-connect-taxjar-integration.php:187
action admin_enqueue_scripts classes\class-wc-connect-taxjar-integration.php:195
action woocommerce_after_calculate_totals classes\class-wc-connect-taxjar-integration.php:201
action woocommerce_calculate_totals classes\class-wc-connect-taxjar-integration.php:203
action woocommerce_before_save_order_items classes\class-wc-connect-taxjar-integration.php:207
filter woocommerce_customer_taxable_address classes\class-wc-connect-taxjar-integration.php:210
filter woocommerce_calc_tax classes\class-wc-connect-taxjar-integration.php:212
filter woocommerce_matched_rates classes\class-wc-connect-taxjar-integration.php:213
filter woocommerce_cart_totals_get_item_tax_rates classes\class-wc-connect-taxjar-integration.php:214
action woocommerce_order_item_after_calculate_taxes classes\class-wc-connect-taxjar-integration.php:215
filter woocommerce_rate_label classes\class-wc-connect-taxjar-integration.php:217
filter woocommerce_cart_tax_totals classes\class-wc-connect-taxjar-integration.php:218
filter woocommerce_order_get_tax_totals classes\class-wc-connect-taxjar-integration.php:219
action woocommerce_after_calculate_totals classes\class-wc-connect-taxjar-integration.php:586
action woocommerce_calculate_totals classes\class-wc-connect-taxjar-integration.php:590
action woocommerce_before_save_order_items classes\class-wc-connect-taxjar-integration.php:642
action wc_connect_shipping_zone_method_added classes\class-wc-connect-tracks.php:31
action wc_connect_shipping_zone_method_deleted classes\class-wc-connect-tracks.php:32
action wc_connect_shipping_zone_method_status_toggled classes\class-wc-connect-tracks.php:33
action wc_connect_saved_service_settings classes\class-wc-connect-tracks.php:34
filter rest_post_dispatch classes\class-wc-rest-connect-base-controller.php:105
action woocommerce_after_calculate_totals src\StoreNotices\StoreNoticesController.php:37
filter woocommerce_store_api_cart_errors src\StoreNotices\StoreNoticesController.php:38
action before_woocommerce_init woocommerce-services.php:390
action plugins_loaded woocommerce-services.php:399
action after_setup_theme woocommerce-services.php:400
filter wc_services_will_handle_coexistence_with_woo_shipping_and_woo_tax woocommerce-services.php:415
filter wc_services_will_disable_shipping_logic woocommerce-services.php:419
action admin_notices woocommerce-services.php:687
action admin_notices woocommerce-services.php:694
action woocommerce_blocks_loaded woocommerce-services.php:704
action before_woocommerce_init woocommerce-services.php:705
action woocommerce_blocks_checkout_block_registration woocommerce-services.php:712
action woocommerce_blocks_cart_block_registration woocommerce-services.php:718
action admin_init woocommerce-services.php:748
action admin_init woocommerce-services.php:749
filter all_plugins woocommerce-services.php:750
action rest_api_init woocommerce-services.php:756
action woocommerce_init woocommerce-services.php:763
action admin_notices woocommerce-services.php:913
action admin_notices woocommerce-services.php:914
action rest_api_init woocommerce-services.php:938
action admin_enqueue_scripts woocommerce-services.php:940
action enqueue_wc_connect_script woocommerce-services.php:943
action wc_connect_fetch_sift_config woocommerce-services.php:945
action rest_api_init woocommerce-services.php:955
filter woocommerce_admin_reports woocommerce-services.php:998
action update_option_woocommerce_store_postcode woocommerce-services.php:1007
action update_option_woocommerce_currency woocommerce-services.php:1008
action update_option_woocommerce_weight_unit woocommerce-services.php:1009
action update_option_woocommerce_dimension_unit woocommerce-services.php:1010
action add_meta_boxes woocommerce-services.php:1011
action woocommerce_admin_shipping_fields woocommerce-services.php:1012
filter woocommerce_shipping_fields woocommerce-services.php:1013
filter woocommerce_get_order_address woocommerce-services.php:1014
action woocommerce_email_after_order_table woocommerce-services.php:1015
action admin_print_footer_scripts woocommerce-services.php:1016
filter woocommerce_hidden_order_itemmeta woocommerce-services.php:1017
filter is_protected_meta woocommerce-services.php:1018
action current_screen woocommerce-services.php:1019
filter woocommerce_shipping_methods woocommerce-services.php:1032
action woocommerce_load_shipping_methods woocommerce-services.php:1033
filter woocommerce_payment_gateways woocommerce-services.php:1034
action wc_connect_service_init woocommerce-services.php:1035
action wc_connect_service_admin_options woocommerce-services.php:1036
action woocommerce_shipping_zone_method_added woocommerce-services.php:1037
action wc_connect_shipping_zone_method_added woocommerce-services.php:1038
action woocommerce_shipping_zone_method_deleted woocommerce-services.php:1039
action woocommerce_shipping_zone_method_status_toggled woocommerce-services.php:1040
action wc_connect_fetch_service_schemas woocommerce-services.php:1043
filter wc_connect_shipping_service_settings woocommerce-services.php:1044
action woocommerce_checkout_order_processed woocommerce-services.php:1045
action shutdown woocommerce-services.php:1058
filter rest_request_before_callbacks woocommerce-services.php:1218
action admin_notices woocommerce-services.php:1673
action admin_notices woocommerce-services.php:1674

Scheduled Events 2

wc_connect_fetch_service_schemas
wc_connect_fetch_sift_config
Maintenance & Trust

WooCommerce Tax (formerly WooCommerce Shipping & Tax) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 13, 2026
PHP min version: 7.4
Downloads: 48.9M

Community Trust

Rating: 40/100
Number of ratings: 105
Active installs: 600K
Developer Profile

WooCommerce Tax (formerly WooCommerce Shipping & Tax) Developer Profile

WooCommerce

37 plugins · 4.8M total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 221 days
Detection Fingerprints

How We Detect WooCommerce Tax (formerly WooCommerce Shipping & Tax)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
