Commerce7 for WordPress Security & Risk Analysis

wordpress.org/plugins/wp-commerce7

Add Commerce7 to your WordPress site easily!

900 active installs · v1.6.3 · PHP 7.4+ · WP 6.0+ · Updated Jan 27, 2026
commerce7
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Commerce7 for WordPress Safe to Use in 2026?

Generally Safe

Score 100/100

Commerce7 for WordPress has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The "wp-commerce7" v1.6.3 plugin exhibits a generally strong security posture based on the static analysis. The absence of critical or high severity taint flows, dangerous functions, file operations, and external HTTP requests is a positive indicator. The plugin also implements a reasonable number of capability checks and nonce checks, suggesting an awareness of security best practices for user authorization and request verification.

However, the analysis reveals a significant concern regarding SQL query handling. All three identified SQL queries are executed without prepared statements, presenting a substantial risk of SQL injection vulnerabilities. While no known CVEs exist for this plugin, this practice is a fundamental security flaw that could be easily exploited. The output escaping is good, but the lack of prepared statements is a critical oversight that outweighs the other positive aspects.

In conclusion, while "wp-commerce7" v1.6.3 has a low apparent vulnerability history and good output escaping, the unmitigated SQL queries pose a significant and direct security risk. This needs immediate attention to prevent potential data breaches or system compromise. The plugin has strengths in its limited attack surface and some authorization checks, but the SQL vulnerability is a major weakness.

Key Concerns

  • SQL queries without prepared statements
Vulnerabilities
None known

Commerce7 for WordPress Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

Commerce7 for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (0 prepared)
Unescaped Output: 35 (176 escaped)
Nonce Checks: 1
Capability Checks: 4
File Operations: 0
External Requests: 2
Bundled Libraries: 0

SQL Query Safety

0% prepared · 3 total queries

Output Escaping

83% escaped · 211 total outputs
Attack Surface

Commerce7 for WordPress Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes 1

[c7wp] includes\class-c7wp.php:113
WordPress Hooks 36
action  upgrader_process_complete  commerce7-for-wordpress.php:139
action  admin_notices  commerce7-for-wordpress.php:269
action  admin_notices  commerce7-for-wordpress.php:355
action  c7wp_fetch_remote_notices  commerce7-for-wordpress.php:391
action  admin_init  commerce7-for-wordpress.php:394
action  admin_init  commerce7-for-wordpress.php:412
filter  aioseo_canonical_url  includes\aioseo\load.php:20
action  admin_menu  includes\class-c7wp.php:63
action  admin_init  includes\class-c7wp.php:66
action  init  includes\class-c7wp.php:69
filter  query_vars  includes\class-c7wp.php:72
action  init  includes\class-c7wp.php:75
action  after_setup_theme  includes\class-c7wp.php:76
action  elementor/widgets/register  includes\class-c7wp.php:77
action  elementor/elements/categories_registered  includes\class-c7wp.php:78
filter  block_categories_all  includes\class-c7wp.php:79
action  admin_enqueue_scripts  includes\class-c7wp.php:82
action  elementor/editor/before_enqueue_scripts  includes\class-c7wp.php:83
action  elementor/frontend/after_enqueue_scripts  includes\class-c7wp.php:84
action  after_setup_theme  includes\class-c7wp.php:85
filter  body_class  includes\class-c7wp.php:86
action  wp_enqueue_scripts  includes\class-c7wp.php:89
action  wp_enqueue_scripts_clean  includes\class-c7wp.php:90
filter  script_loader_tag  includes\class-c7wp.php:91
action  wp_footer  includes\class-c7wp.php:92
filter  display_post_states  includes\class-c7wp.php:95
filter  site_status_tests  includes\health-check.php:19
filter  debug_information  includes\health-check.php:270
action  rank_math/frontend/canonical  includes\rankmath\load.php:20
filter  seopress_titles_canonical  includes\seopress\load.php:20
action  cornerstone_register_elements  includes\themeco\legacy\load.php:24
filter  cornerstone_icon_map  includes\themeco\legacy\load.php:36
action  cornerstone_register_elements  includes\themeco\load.php:23
filter  cornerstone_icon_map  includes\themeco\load.php:35
filter  get_canonical_url  includes\wordpress\load.php:20
filter  wpseo_canonical  includes\yoast\load.php:20

Scheduled Events 1

c7wp_fetch_remote_notices
Maintenance & Trust

Commerce7 for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 27, 2026
PHP min version: 7.4
Downloads: 15K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 900

Developer Profile

Commerce7 for WordPress Developer Profile

Michael Bourne

2 plugins · 11K total installs

Trust score: 91
Avg Security Score: 95/100
Avg Patch Time: 10 days
Detection Fingerprints

How We Detect Commerce7 for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-commerce7/assets/css/c7wp-frontend.css
/wp-content/plugins/wp-commerce7/assets/js/c7wp-frontend.js
Script Paths
/wp-content/plugins/wp-commerce7/assets/js/c7wp-frontend.js
Version Parameters
wp-commerce7/assets/css/c7wp-frontend.css?ver=
wp-commerce7/assets/js/c7wp-frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
wp-block-c7wp-default
HTML Comments
<!-- wp:c7wp/default -->
<!-- /wp:c7wp/default -->