XL NMI Gateway for WooCommerce Security & Risk Analysis

wordpress.org/plugins/woofunnels-woocommerce-nmi-gateway

Receive credit card payments using NMI (Network Merchants) Gateway with subscription support. Built with love by XLPlugins.

1K active installs · v2.4.0 · PHP 7.0+ · WP 5.0+ · Updated Jan 10, 2025
Tags: nmi, nmi-gateway, nmi-payment, payment-gateway, woocommerce
Score: 92 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is XL NMI Gateway for WooCommerce Safe to Use in 2026?

Generally Safe

Score 92/100

XL NMI Gateway for WooCommerce has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1yr ago
Risk Assessment

The woofunnels-woocommerce-nmi-gateway plugin, in version 2.4.0, exhibits a mixed security posture. On the positive side, it demonstrates good practices with a high percentage of SQL queries using prepared statements and a substantial number of nonce and capability checks. The lack of known CVEs and a clean vulnerability history are also strong indicators of a generally well-maintained codebase.

However, the static analysis reveals significant areas of concern. Of the 18 entry points, 6 are not protected by authentication or permission checks: 1 AJAX handler and all 5 REST API routes, which lack proper permission callbacks. The plugin also contains one call to the dangerous function `assert`, which warrants attention even as a single instance. The taint analysis identified 2 flows with unsanitized paths; these are currently categorized as low severity but could lead to security vulnerabilities if exploited.

In conclusion, while the plugin has a solid foundation with good security practices in place and no prior critical vulnerabilities, the unprotected entry points and the identified unsanitized paths present clear risks that need immediate attention. Addressing these unprotected endpoints and reviewing the tainted flows should be prioritized to strengthen the plugin's overall security.

Key Concerns

  • Unprotected REST API routes
  • Unprotected AJAX handler
  • Flows with unsanitized paths
  • Presence of dangerous function 'assert'
Vulnerabilities
None known

XL NMI Gateway for WooCommerce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

XL NMI Gateway for WooCommerce Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 5 (99 prepared)
Unescaped Output: 128 (218 escaped)
Nonce Checks: 24
Capability Checks: 11
File Operations: 5
External Requests: 15
Bundled Libraries: 0

Dangerous Functions Found

assert · `assert( $this->supports_tokenization() );` · includes\class-nmi-gateway-woocommerce-credit-card.php:328

SQL Query Safety

95% prepared · 104 total queries

Output Escaping

63% escaped · 346 total outputs
Data Flows
2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
update_general_settings (woofunnels\includes\class-bwf-admin-general-settings.php:367)
Attack Surface
6 unprotected

XL NMI Gateway for WooCommerce Attack Surface

Entry Points: 18
Unprotected: 6

AJAX Handlers 13

auth · wp_ajax_nextmove_upsells_dismiss · admin\upsell\class-xlnmi-upsell.php:47
auth · wp_ajax_bwf_save_connector · woofunnels\connector\class-wfco-ajax-controller.php:19
auth · wp_ajax_bwf_sync_connector · woofunnels\connector\class-wfco-ajax-controller.php:20
auth · wp_ajax_bwf_delete_connector · woofunnels\connector\class-wfco-ajax-controller.php:21
auth · wp_ajax_bwf_update_connector · woofunnels\connector\class-wfco-ajax-controller.php:22
auth · wp_ajax_bwf_connector_install · woofunnels\connector\class-wfco-ajax-controller.php:23
auth · wp_ajax_bwf_create_connector_license · woofunnels\connector\class-wfco-ajax-controller.php:24
auth · wp_ajax_bwf_general_settings_update · woofunnels\includes\class-bwf-admin-general-settings.php:26
auth · wp_ajax_woofunnels_submit_uninstall_reason · woofunnels\includes\class-woofunnels-deactivate.php:22
auth · wp_ajax_wf_dismiss_link · woofunnels\includes\class-woofunnels-notifications.php:19
auth · wp_ajax_woofunnelso_optin_call · woofunnels\includes\class-woofunnels-optin-manager.php:32
auth · wp_ajax_bwf_thankyou_ajax · woofunnels\includes\class-woofunnels-process.php:28
nopriv · wp_ajax_bwf_thankyou_ajax · woofunnels\includes\class-woofunnels-process.php:29

REST API Routes 5

GET · /wp-json/woofunnels/v1/worker · woofunnels\as-data-store\class-woofunnels-as-ds.php:178
GET · /wp-json/woofunnel_customer/v1/offer_accepted · woofunnels\contact\class-woofunnels-db-updater.php:432
GET · /wp-json/woofunnel_customer/v1/order_status_changed · woofunnels\contact\class-woofunnels-db-updater.php:439
GET · /wp-json/woofunnel_customer/v1/wp_user_login · woofunnels\contact\class-woofunnels-db-updater.php:446
GET · /wp-json/woofunnel_customer/v1/wp_profile_update · woofunnels\contact\class-woofunnels-db-updater.php:453
WordPress Hooks 138

action · admin_init · admin\upsell\class-xlnmi-upsell.php:45
action · admin_enqueue_scripts · admin\upsell\class-xlnmi-upsell.php:46
action · admin_notices · admin\upsell\class-xlnmi-upsell.php:54
action · admin_notices · admin\upsell\class-xlnmi-upsell.php:56
action · admin_menu · class-nmi-gateway-woocommerce-woofunnels-support.php:19
action · admin_init · class-nmi-gateway-woocommerce-woofunnels-support.php:21
filter · woofunnels_default_reason_default · class-nmi-gateway-woocommerce-woofunnels-support.php:25
filter · woofunnels_optin_url · class-nmi-gateway-woocommerce-woofunnels-support.php:31
action · init · class-nmi-gateway-woocommerce.php:124
filter · wfocu_wc_get_supported_gateways · class-nmi-gateway-woocommerce.php:138
filter · script_loader_tag · includes\class-nmi-gateway-woocommerce-base.php:88
action · admin_notices · includes\class-nmi-gateway-woocommerce-credit-card.php:252
filter · woocommerce_payment_gateway_get_saved_payment_method_option_html · includes\class-nmi-gateway-woocommerce-credit-card.php:259
filter · sv_wc_payment_gateway_payment_form_js_localized_script_params · includes\class-nmi-gateway-woocommerce-credit-card.php:265
filter · woocommerce_payment_complete_reduce_order_stock · includes\class-nmi-gateway-woocommerce-credit-card.php:619
filter · wfocu_subscriptions_get_supported_gateways · includes\class-nmi-gateway-woocommerce-upstroke-compatibility.php:50
filter · wfocu_order_copy_meta_keys · includes\class-nmi-gateway-woocommerce-upstroke-compatibility.php:53
action · wfocu_subscription_created_for_upsell · includes\class-nmi-gateway-woocommerce-upstroke-compatibility.php:55
filter · bwf_logs_allowed · woofunnels\as-data-store\asct\class-bwf-as-action-store.php:634
action · plugins_loaded · woofunnels\as-data-store\asct\class-bwf-as.php:28
filter · action_scheduler_store_class · woofunnels\as-data-store\asct\class-bwf-as.php:32
filter · action_scheduler_logger_class · woofunnels\as-data-store\asct\class-bwf-as.php:36
filter · action_scheduler_memory_exceeded · woofunnels\as-data-store\asct\class-bwf-as.php:40
action · action_scheduler_pre_init · woofunnels\as-data-store\class-woofunnels-as-ds.php:21
action · rest_api_init · woofunnels\as-data-store\class-woofunnels-as-ds.php:24
action · bwf_as_run_queue · woofunnels\as-data-store\class-woofunnels-as-ds.php:27
action · action_scheduler_pre_init · woofunnels\as-data-store\class-woofunnels-as-ds.php:28
action · action_scheduler_pre_init · woofunnels\as-data-store\class-woofunnels-as-ds.php:31
action · bwf_after_action_scheduler_load · woofunnels\as-data-store\class-woofunnels-as-ds.php:34
filter · bwf_add_db_table_schema · woofunnels\as-data-store\class-woofunnels-as-ds.php:92
action · admin_init · woofunnels\as-data-store\class-woofunnels-as-ds.php:95
filter · cron_schedules · woofunnels\as-data-store\class-woofunnels-as-ds.php:98
filter · bwf_logs_allowed · woofunnels\as-data-store\class-woofunnels-as-ds.php:275
filter · action_scheduler_queue_runner_time_limit · woofunnels\as-data-store\class-woofunnels-as-ds.php:309
filter · action_scheduler_queue_runner_batch_size · woofunnels\as-data-store\class-woofunnels-as-ds.php:312
filter · action_scheduler_queue_runner_concurrent_batches · woofunnels\as-data-store\class-woofunnels-as-ds.php:315
filter · action_scheduler_timeout_period · woofunnels\as-data-store\class-woofunnels-as-ds.php:318
filter · action_scheduler_cleanup_batch_size · woofunnels\as-data-store\class-woofunnels-as-ds.php:321
filter · action_scheduler_maximum_execution_time_likely_to_be_exceeded · woofunnels\as-data-store\class-woofunnels-as-ds.php:324
action · heartbeat_tick · woofunnels\as-data-store\class-woofunnels-as-ds.php:339
filter · pre_option_disable_rest_api_options · woofunnels\compatibilities\class-bwf-compatibility-with-disable-rest-api.php:17
filter · woocommerce_get_checkout_order_received_url · woofunnels\compatibilities\class-bwf-compatibility-with-woomulticurrency.php:7
action · admin_enqueue_scripts · woofunnels\connector\class-wfco-admin.php:22
action · admin_init · woofunnels\connector\class-wfco-admin.php:45
filter · admin_footer_text · woofunnels\connector\class-wfco-admin.php:50
filter · update_footer · woofunnels\connector\class-wfco-admin.php:51
action · in_admin_header · woofunnels\connector\class-wfco-admin.php:52
action · wp_loaded · woofunnels\connector\class-wfco-common.php:11
filter · bwf_add_db_table_schema · woofunnels\connector\class-wfco-common.php:12
action · plugins_loaded · woofunnels\connector\class-wfco-db.php:19
action · plugins_loaded · woofunnels\connector\class-wfco-load-connectors.php:17
action · wfco_connector_screen · woofunnels\connector\class-wfco-load-connectors.php:60
filter · bwf_add_db_table_schema · woofunnels\contact\class-woofunnels-db-tables.php:22
action · admin_notices · woofunnels\contact\class-woofunnels-db-updater.php:51
action · admin_init · woofunnels\contact\class-woofunnels-db-updater.php:53
action · init · woofunnels\contact\class-woofunnels-db-updater.php:56
action · init · woofunnels\contact\class-woofunnels-db-updater.php:57
action · admin_init · woofunnels\contact\class-woofunnels-db-updater.php:58
action · woocommerce_checkout_order_processed · woofunnels\contact\class-woofunnels-db-updater.php:61
action · woocommerce_order_status_changed · woofunnels\contact\class-woofunnels-db-updater.php:64
action · wfocu_offer_accepted_and_processed · woofunnels\contact\class-woofunnels-db-updater.php:67
action · profile_update · woofunnels\contact\class-woofunnels-db-updater.php:70
action · woocommerce_save_account_details · woofunnels\contact\class-woofunnels-db-updater.php:71
action · updated_user_meta · woofunnels\contact\class-woofunnels-db-updater.php:73
action · bwf_order_index_completed · woofunnels\contact\class-woofunnels-db-updater.php:75
action · woocommerce_refund_created · woofunnels\contact\class-woofunnels-db-updater.php:77
action · woocommerce_before_delete_order · woofunnels\contact\class-woofunnels-db-updater.php:79
action · rest_api_init · woofunnels\contact\class-woofunnels-db-updater.php:81
action · woofunnels_tools_add_tables_row_start · woofunnels\contact\class-woofunnels-db-updater.php:83
action · shutdown · woofunnels\contact\class-woofunnels-db-updater.php:85
action · admin_footer · woofunnels\contact\class-woofunnels-db-updater.php:87
action · bwf_reindex_contact_orders · woofunnels\contact\class-woofunnels-db-updater.php:90
action · bwf_reindex_contact_orders_end · woofunnels\contact\class-woofunnels-db-updater.php:91
action · init · woofunnels\contact\class-woofunnels-db-updater.php:93
action · woocommerce_order_status_changed · woofunnels\contact\class-woofunnels-db-updater.php:95
action · shutdown · woofunnels\contact\woofunnels-db-updater-functions.php:18
filter · bwf_logs_allowed · woofunnels\includes\bwf-functions.php:173
filter · woofunnels_global_settings · woofunnels\includes\class-bwf-admin-general-settings.php:16
action · init · woofunnels\includes\class-bwf-admin-general-settings.php:27
action · admin_head · woofunnels\includes\class-bwf-admin-general-settings.php:29
filter · admin_title · woofunnels\includes\class-bwf-admin-general-settings.php:30
filter · woofunnels_global_settings_fields · woofunnels\includes\class-bwf-admin-general-settings.php:31
action · bwf_global_save_settings_woofunnels_general_settings · woofunnels\includes\class-bwf-admin-general-settings.php:32
action · wp_head · woofunnels\includes\class-bwf-ecomm-tracking-common.php:16
action · wffn_optin_form_submit · woofunnels\includes\class-bwf-ecomm-tracking-common.php:21
action · woocommerce_checkout_order_processed · woofunnels\includes\class-bwf-ecomm-tracking-common.php:22
filter · bwf_add_db_table_schema · woofunnels\includes\class-bwf-ecomm-tracking-common.php:23
action · add_meta_boxes · woofunnels\includes\class-bwf-ecomm-tracking-common.php:24
filter · extra_plugin_headers · woofunnels\includes\class-woofunnels-addons.php:16
action · woofunnels_tabs_modal_licenses · woofunnels\includes\class-woofunnels-dashboard-loader.php:55
action · woofunnels_tabs_modal_support · woofunnels\includes\class-woofunnels-dashboard-loader.php:56
action · woofunnels_tabs_modal_tools · woofunnels\includes\class-woofunnels-dashboard-loader.php:57
action · woofunnels_tabs_modal_logs · woofunnels\includes\class-woofunnels-dashboard-loader.php:58
action · woofunnels_tools_right_area · woofunnels\includes\class-woofunnels-dashboard-loader.php:60
filter · woofunnels_additional_tabs · woofunnels\includes\class-woofunnels-dashboard-loader.php:62
action · init · woofunnels\includes\class-woofunnels-dashboard-loader.php:530
action · admin_head · woofunnels\includes\class-woofunnels-dashboard-loader.php:533
action · shutdown · woofunnels\includes\class-woofunnels-dashboard-loader.php:807
action · admin_init · woofunnels\includes\class-woofunnels-dashboard-loader.php:808
action · admin_init · woofunnels\includes\class-woofunnels-dashboard-loader.php:907
action · admin_init · woofunnels\includes\class-woofunnels-deactivate.php:19
action · admin_footer · woofunnels\includes\class-woofunnels-deactivate.php:20
action · manage_shop_order_posts_custom_column · woofunnels\includes\class-woofunnels-funnel-builder-commons.php:16
action · manage_woocommerce_page_wc-orders_custom_column · woofunnels\includes\class-woofunnels-funnel-builder-commons.php:20
action · admin_init · woofunnels\includes\class-woofunnels-funnel-builder-commons.php:21
filter · pre_set_site_transient_update_plugins · woofunnels\includes\class-woofunnels-license-check.php:163
filter · plugins_api · woofunnels\includes\class-woofunnels-license-check.php:165
action · admin_notices · woofunnels\includes\class-woofunnels-licenses.php:19
action · admin_head · woofunnels\includes\class-woofunnels-notifications.php:13
action · admin_footer · woofunnels\includes\class-woofunnels-notifications.php:16
action · admin_init · woofunnels\includes\class-woofunnels-optin-manager.php:21
action · admin_init · woofunnels\includes\class-woofunnels-optin-manager.php:22
action · bwf_maybe_track_usage_scheduled · woofunnels\includes\class-woofunnels-optin-manager.php:24
action · wp · woofunnels\includes\class-woofunnels-optin-manager.php:27
action · woofunnels_optin_success_track_scheduled · woofunnels\includes\class-woofunnels-optin-manager.php:35
filter · cron_schedules · woofunnels\includes\class-woofunnels-optin-manager.php:37
action · admin_init · woofunnels\includes\class-woofunnels-process.php:18
filter · admin_notices · woofunnels\includes\class-woofunnels-process.php:19
action · admin_head · woofunnels\includes\class-woofunnels-process.php:21
action · admin_init · woofunnels\includes\class-woofunnels-process.php:23
action · woofunnels_license_check · woofunnels\includes\class-woofunnels-process.php:24
action · funnelkit_license_update · woofunnels\includes\class-woofunnels-process.php:25
action · funnelkit_delete_transients · woofunnels\includes\class-woofunnels-process.php:26
action · woocommerce_thankyou · woofunnels\includes\class-woofunnels-process.php:27
action · admin_init · woofunnels\includes\class-woofunnels-process.php:30
action · admin_head · woofunnels\includes\class-woofunnels-process.php:32
action · admin_head · woofunnels\includes\class-woofunnels-process.php:33
action · admin_head · woofunnels\includes\class-woofunnels-process.php:35
action · admin_head · woofunnels\includes\class-woofunnels-process.php:36
action · admin_init · woofunnels\includes\class-woofunnels-process.php:38
action · admin_footer · woofunnels\includes\class-woofunnels-process.php:39
action · admin_init · woofunnels-woocommerce-nmi-gateway.php:89
action · admin_init · woofunnels-woocommerce-nmi-gateway.php:90
action · admin_notices · woofunnels-woocommerce-nmi-gateway.php:92
action · plugins_loaded · woofunnels-woocommerce-nmi-gateway.php:96
action · activated_plugin · woofunnels-woocommerce-nmi-gateway.php:103
action · plugins_loaded · woofunnels-woocommerce-nmi-gateway.php:108
action · before_woocommerce_init · woofunnels-woocommerce-nmi-gateway.php:220

Scheduled Events 3

bwf_maybe_track_usage_scheduled
woofunnels_optin_success_track_scheduled
woofunnels_license_check
Maintenance & Trust

XL NMI Gateway for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jan 10, 2025
PHP min version: 7.0
Downloads: 27K

Community Trust

Rating: 76/100
Number of ratings: 8
Active installs: 1K
Developer Profile

XL NMI Gateway for WooCommerce Developer Profile

XLPlugins

2 plugins · 11K total installs

Trust score: 77
Avg Security Score: 67/100
Avg Patch Time: 4 days
Detection Fingerprints

How We Detect XL NMI Gateway for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/woofunnels-woocommerce-nmi-gateway/assets/css/backend-style.css
/wp-content/plugins/woofunnels-woocommerce-nmi-gateway/assets/css/frontend-style.css
/wp-content/plugins/woofunnels-woocommerce-nmi-gateway/assets/js/frontend-script.js
/wp-content/plugins/woofunnels-woocommerce-nmi-gateway/assets/js/backend-script.js
Script Paths
lib/skyverge/woocommerce/class-sv-wc-plugin.php
lib/skyverge/woocommerce/payment-gateway/class-sv-wc-payment-gateway-plugin.php
class-nmi-gateway-woocommerce.php
woo-includes/woo-functions.php
Version Parameters
woofunnels-woocommerce-nmi-gateway/assets/css/backend-style.css?ver=
woofunnels-woocommerce-nmi-gateway/assets/css/frontend-style.css?ver=
woofunnels-woocommerce-nmi-gateway/assets/js/frontend-script.js?ver=
woofunnels-woocommerce-nmi-gateway/assets/js/backend-script.js?ver=

HTML / DOM Fingerprints

CSS Classes
woofunnels-nmi-gateway-wrap
HTML Comments
TODO: main plugin class file
TODO: remove this if not a payment gateway
Data Attributes
data-nmi-gateway-url
data-client-token
JS Globals
NMI_Gateway_Frontend