Honey doesn’t just help shoppers find coupons — on many WooCommerce stores, it also overwrites the affiliate cookie at checkout and charges your program commission on sales your own creators, newsletters, and ad campaigns actually drove. PayPal paid $4 billion to acquire Honey in 2020 (Keller Rohrback legal filings), and the extension now sits in roughly 17 million browsers (Richmond JOLT, 2025) — including the browsers of your converting customers. In one recorded test, Honey claimed a $35 affiliate commission while rewarding the shopper $0.89 in cashback (MegaLag investigation, 2024). The structural fix isn’t a takedown. It’s server-side session attribution.
How a Coupon Extension Takes Credit for Your Own Traffic
Here’s the mechanic. A customer clicks your creator’s affiliate link, lands on your store, and the affiliate cookie drops. Twenty minutes later, they load the checkout page. Honey detects the checkout, offers to “find coupons”, and when the shopper accepts, the extension silently injects its own affiliate link into the page. That injection overwrites the existing affiliate cookie. On a last-click attribution model — which most WooCommerce affiliate plugins use by default — whoever owns the most recent cookie wins the commission.
The creator who actually drove the sale loses the commission. The extension that added nothing to the purchase decision claims it.
PayPal’s own defense of the practice is, read carefully, the clearest admission of what’s happening. When pressed, a PayPal executive pointed to standard industry attribution conventions — specifically last-click — as the justification (via myip.foo coverage). Translation: the overwrite is considered legitimate precisely because the prevailing attribution model awards the sale to whoever touched the cookie last.
The scope matters. Investigations by MegaLag, reported by myip.foo, found that Honey had added 181,000 merchant domains to its database while only 35,000 of those merchants had actual affiliate partnerships — meaning roughly 146,000 online stores were included without their consent. If your WooCommerce store is one of them, Honey is brokering affiliate links on your traffic whether you signed up or not.
Why AffiliateWP and Affiliate for WooCommerce Can’t Stop This
Cookie stuffing is the practice of dropping an affiliate cookie without a real click, in order to claim commission on sales the stuffer did not drive. Last-click attribution is the model that makes it profitable — the final affiliate touchpoint before purchase receives 100% of the credit, regardless of who actually earned the sale.
Here’s the architectural problem: plugin-based affiliate trackers (AffiliateWP, Affiliate for WooCommerce, and similar) read the same browser cookie Honey overwrites. The plugin is not doing anything wrong — it’s doing exactly what the last-click model tells it to do. It has no way to know the cookie it’s reading was injected at checkout rather than earned at the top of the funnel.
Zuzana Riglerova of the Dognet affiliate network has put the merchant view plainly: retailers end up funding payouts on purchases that would have closed without any extension in the mix, and at rates well above what the same retailer pays its vetted publishers. That’s the quiet cost nobody sees on the plugin dashboard.
What to Look For in Your Commission Report This Week
You don’t need a forensic audit to check whether your program is being hit. Three signals in your affiliate reporting will tell you most of what you need to know:
- Concentration on a single “referrer”: Look for volume attributed to “Honey”, “PayPal Honey”, or raw paypal.com referrers. A healthy affiliate program has commission spread across dozens of creators. A hijacked one shows a fat slug of volume on one referrer the merchant never onboarded.
- Short session duration before the winning click: If the final affiliate click landed seconds before the order, the “affiliate” didn’t drive the traffic. They intercepted it.
- Creators complaining about missing commissions: When your best partners tell you their tracked sales don’t match their content performance, believe them. The gap is usually an extension.
If one referrer is winning double-digit percentages of your commissions, your program is already paying for sales it did not drive.
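The first two signals can be checked mechanically against a commission export. The following is an added example, not code from any affiliate plugin: the row fields (orderId, referrer, commission, lastClickAt, orderAt), the 10% share threshold and the 60-second window are assumptions, and the sample rows are constructed.

```javascript
// Constructed sample export. Field names are assumptions, not a real plugin schema.
const sampleRows = [
  ...Array.from({ length: 12 }, (_, i) => ({
    orderId: 1000 + i, referrer: `creator-${i + 1}`, commission: 5,
    lastClickAt: "2025-03-01T10:00:00Z", orderAt: "2025-03-01T10:25:00Z",
  })),
  ...Array.from({ length: 4 }, (_, i) => ({
    orderId: 2000 + i, referrer: "PayPal Honey", commission: 10,
    lastClickAt: "2025-03-01T11:00:00Z", orderAt: "2025-03-01T11:00:20Z",
  })),
];

// Referrer names the article says to look for.
const WATCHLIST = /honey|paypal\.com/i;

function auditCommissions(rows, { shareThreshold = 0.10, lateClickSeconds = 60 } = {}) {
  const total = rows.reduce((sum, r) => sum + r.commission, 0);
  if (total <= 0) return { concentrated: [], lateClickOrders: [] };

  // Signal 1: share of total commission per referrer.
  const byReferrer = new Map();
  for (const r of rows) {
    byReferrer.set(r.referrer, (byReferrer.get(r.referrer) || 0) + r.commission);
  }
  const concentrated = [...byReferrer]
    .map(([referrer, amount]) => ({
      referrer, share: amount / total, watchlisted: WATCHLIST.test(referrer),
    }))
    .filter((x) => x.share >= shareThreshold)
    .sort((a, b) => b.share - a.share);

  // Signal 2: the winning click landed only seconds before the order.
  const lateClickOrders = rows
    .filter((r) => {
      const gap = (Date.parse(r.orderAt) - Date.parse(r.lastClickAt)) / 1000;
      return gap >= 0 && gap < lateClickSeconds;
    })
    .map((r) => r.orderId);

  return { concentrated, lateClickOrders };
}

console.log(auditCommissions(sampleRows));
```

On the constructed data, the one referrer above the threshold is also the one behind every late-click order, which is the overlap to look for in a real report.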
The Lawsuit Landscape (Briefly)
The legal exposure is a useful proof of scale, not the core argument. After MegaLag’s December 2024 investigation, Honey reportedly lost approximately 8 million users (Law News UK, 2026). Plaintiffs in the active class action In re PayPal Honey Browser Extension Litigation filed a Monte Carlo simulation estimating a 97.2% probability that Honey stole at least one commission from each named plaintiff creator (Case 5:24-cv-09470-BLF, 2025). Microsoft discontinued its Shopping coupon feature in May 2025 as similar lawsuits mounted (Affiverse, 2025).
These cases are about the creator side of the triangle — the content creators whose commissions were taken. The merchant side has not been the subject of coordinated litigation yet, and that’s the more interesting part. The merchant is funding the hijack. The merchant is also the only party with the technical ability to stop it, because the merchant owns the server the sale happens on.
The Real Fix: Record Attribution Before Checkout Loads
A browser extension operates in the browser. It can read cookies, modify DOM elements, inject links, and overwrite local storage. What it cannot do is reach into the merchant’s server and change records that are already there. That asymmetry is the fix.
The attribution source of truth should not be a browser cookie. It should be a session record written to your server the moment the visitor arrives.
A server-side attribution pipeline captures the real affiliate signal early — UTM parameters, referring URL, landing page, click timestamp — and writes them to a session record keyed to the visitor. That record lives on your infrastructure, not on the shopper’s machine. When the order is placed, your commission logic references the server record, not the last cookie standing. Honey can still overwrite the cookie. It simply no longer matters.
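A sketch of that pipeline in Node.js, as an added example rather than any vendor's implementation: the class, the `ref` query parameter, the session id and the URLs are all hypothetical. The detail that matters is that the record is write-once, so a later request carrying an injected affiliate parameter cannot replace the arrival data.

```javascript
// In-memory stand-in for a server-side session table (hypothetical; use your
// database in practice). sessionId is assumed to be issued by your server.
class AttributionStore {
  constructor() {
    this.records = new Map();
  }

  // Call on every request. Write-once: only the arrival creates the record, so
  // a later request carrying a different affiliate parameter changes nothing.
  recordArrival(sessionId, url, referrer, nowMs = Date.now()) {
    const existing = this.records.get(sessionId);
    if (existing) return existing;
    const u = new URL(url);
    const record = Object.freeze({
      affiliateId: u.searchParams.get("ref"), // "ref" is an assumed parameter name
      utmSource: u.searchParams.get("utm_source"),
      referrer: referrer || null,
      landingPage: u.pathname,
      clickedAt: new Date(nowMs).toISOString(),
    });
    this.records.set(sessionId, record);
    return record;
  }

  // Call when the order is placed. The cookie value is compared, never trusted.
  resolveOrder(sessionId, cookieAffiliateId) {
    const record = this.records.get(sessionId);
    // Assumption: with no server record, pay nobody automatically and review by hand.
    if (!record) return { payTo: null, source: "no-record", cookieMismatch: false };
    return {
      payTo: record.affiliateId,
      source: "server-record",
      cookieMismatch: cookieAffiliateId !== record.affiliateId,
    };
  }
}

// Constructed scenario: creator link at 10:00, injected link at checkout 20 minutes later.
function demo() {
  const store = new AttributionStore();
  const t0 = Date.UTC(2025, 2, 1, 10, 0, 0);
  store.recordArrival("sess-1", "https://store.example/product/mug?ref=creator-anna&utm_source=newsletter", "https://news.example/", t0);
  store.recordArrival("sess-1", "https://store.example/checkout?ref=coupon-ext", "", t0 + 20 * 60 * 1000);
  return store.resolveOrder("sess-1", "coupon-ext");
}

console.log(demo());
```

Logging every order where `cookieMismatch` is true also gives a direct count of how often the browser cookie was replaced between arrival and checkout.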
This is the same category of defense required for ad-blocker filter lists stripping your UTM parameters. When the browser is the weak point, moving the source of truth off the browser is the only durable answer.
Transmute Engine™ is a first-party Node.js server that runs on your own subdomain (e.g. data.yourstore.com), fed by the inPIPE WordPress plugin that captures the full session on arrival — referrer, UTM, landing page, and timestamp — before any checkout script, third-party pixel, or browser extension can intervene. Because the attribution record is stored on your server, not in the visitor’s browser, cookie-stuffing extensions have nothing to overwrite.
Key Takeaways
- Honey overwrites affiliate cookies at checkout, and last-click attribution then credits Honey for sales your own creators, ads, or email drove.
- Plugin-based affiliate trackers cannot detect the hijack because they read the same cookie the extension overwrites.
- PayPal paid $4 billion for Honey in 2020; the extension reaches roughly 17 million browsers and included 146,000 merchants in its database without consent.
- Check your commission report for concentrated volume on “Honey”, “PayPal Honey”, or paypal.com referrers as the fastest diagnostic.
- Server-side session attribution on your own subdomain is the structural fix — extensions cannot overwrite records stored on your server.
Frequently Asked Questions
Plugin-based affiliate trackers cannot stop it because they read the same last-click cookie the extension overwrites at checkout. The durable fix is server-side session attribution — record the original referrer, UTM, landing page, and click timestamp on your own first-party subdomain when the visitor arrives, before any checkout script loads. A browser extension can overwrite a cookie in a browser it controls, but it cannot overwrite a session record already stored on your server.
Yes. Server-side session attribution captures the attribution signal on the merchant’s server the moment a visitor lands, not at checkout. Because the record is stored outside the browser, a browser extension running on the shopper’s machine has no way to overwrite it. Your commission logic can then reference the server record instead of the browser cookie.
Most affiliate plugins, including AffiliateWP and Affiliate for WooCommerce, use last-click attribution. When Honey injects its own affiliate link at checkout, that link overwrites any earlier affiliate cookie. The plugin reads the latest cookie and credits Honey, even if the original visit came from one of your creators, a paid ad, or an email campaign.
Look at three signals in your affiliate reporting: first, an unexpected concentration of commissions attributed to “Honey”, “PayPal Honey”, or “paypal.com” as the referrer; second, a rising share of conversions with very short time-on-site before the last click; third, creators reporting lost commissions on sales they personally drove. Any one of these suggests last-click hijack.
The class action In re PayPal Honey Browser Extension Litigation survived a motion to dismiss and remains in active litigation. Microsoft discontinued its Shopping coupon feature in May 2025 as similar lawsuits mounted (Affiverse, 2025). Honey itself remains available and still injects affiliate links on WooCommerce checkouts unless the merchant has changed how attribution is recorded.
Move the attribution source of truth off the browser — start with first-party server-side tracking at seresa.io.
