Checkout for PayPal Security & Risk Analysis

wordpress.org/plugins/checkout-for-paypal

Easily accept PayPal payments on your WordPress site using the official PayPal Checkout API. Perfect for eCommerce, donations, and more.

600 active installs · v1.0.47 · PHP + WP 5.5+ · Updated Feb 17, 2026
Tag: paypal

Security score: 97 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Apr 16, 2025
Safety Verdict

Is Checkout for PayPal Safe to Use in 2026?

Generally Safe

Score 97/100

Checkout for PayPal has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Apr 16, 2025 · Updated 1mo ago
Risk Assessment

The "checkout-for-paypal" plugin, version 1.0.47, exhibits a mixed security posture. While it demonstrates good practices such as 100% use of prepared statements for SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface. With 5 total entry points, 4 of which lack authentication checks, there's a considerable risk of unauthorized access and potential manipulation of plugin functionalities. The presence of 4 AJAX handlers without authentication checks is particularly alarming, as these are common vectors for attackers to exploit. The vulnerability history reveals a pattern of 3 known medium-severity Cross-Site Scripting (XSS) vulnerabilities, although currently none are unpatched. This historical trend suggests potential weaknesses in input sanitization and output escaping, despite the static analysis indicating a high rate of proper escaping in the current version. The absence of critical or high severity taint flows in the static analysis is a positive sign, but the unprotected entry points and historical XSS issues warrant careful consideration.

Key Concerns

  • 4 unprotected AJAX handlers
  • 3 medium severity historical XSS vulnerabilities
  • 1 unprotected shortcode

Vulnerabilities (3)

Checkout for PayPal Security Vulnerabilities

CVEs by Year

2022: 1 CVE
2025: 2 CVEs

Severity Breakdown

Medium: 3

3 total CVEs

CVE-2025-39572 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Checkout for PayPal <= 1.0.38 - Authenticated (Contributor+) Stored Cross-Site Scripting

Disclosed Apr 16, 2025 · Patched in 1.0.39 (6d)

CVE-2024-13398 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Checkout for PayPal <= 1.0.32 - Authenticated (Contributor+) Stored Cross-Site Scripting

Disclosed Jan 16, 2025 · Patched in 1.0.33 (1d)

CVE-2022-3983 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Checkout for PayPal <= 1.0.13 - Authenticated (Contributor+) Stored Cross-Site Scripting

Disclosed Nov 22, 2022 · Patched in 1.0.14 (427d)
Code Analysis
Analyzed Mar 16, 2026

Checkout for PayPal Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 15 (143 escaped)
Nonce Checks: 5
Capability Checks: 3
File Operations: 7
External Requests: 4
Bundled Libraries: 0

Output Escaping

91% escaped · 158 total outputs

Data Flows: All sanitized

Data Flow Analysis

2 flows
general_settings (checkout-for-paypal.php:327)
Attack Surface
4 unprotected entry points

Checkout for PayPal Attack Surface

Entry Points: 5
Unprotected: 4

AJAX Handlers (4)

auth    wp_ajax_coforpaypal_pp_api_create_order     cfp-api.php:2
nopriv  wp_ajax_coforpaypal_pp_api_create_order     cfp-api.php:3
auth    wp_ajax_coforpaypal_pp_api_capture_order    cfp-api.php:4
nopriv  wp_ajax_coforpaypal_pp_api_capture_order    cfp-api.php:5

Shortcodes (1)

[checkout_for_paypal]    checkout-for-paypal.php:63

WordPress Hooks (16)

action  checkout_for_paypal_process_v2_order           cfp-api.php:6
filter  wp_mail_from                                   cfp-api.php:562
filter  wp_mail_from_name                              cfp-api.php:563
filter  wp_mail_content_type                           cfp-api.php:570
filter  wp_mail_content_type                           cfp-api.php:591
action  save_post_coforpaypal_order                    checkout-for-paypal-order.php:215
action  plugins_loaded                                 checkout-for-paypal.php:54
action  admin_notices                                  checkout-for-paypal.php:55
action  admin_enqueue_scripts                          checkout-for-paypal.php:56
action  wp_enqueue_scripts                             checkout-for-paypal.php:57
action  admin_menu                                     checkout-for-paypal.php:58
action  init                                           checkout-for-paypal.php:59
action  add_meta_boxes_coforpaypal_order               checkout-for-paypal.php:60
filter  manage_coforpaypal_order_posts_columns         checkout-for-paypal.php:61
action  manage_coforpaypal_order_posts_custom_column   checkout-for-paypal.php:62
filter  plugin_action_links                            checkout-for-paypal.php:68
Maintenance & Trust

Checkout for PayPal Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 17, 2026
PHP min version: (not stated)
Downloads: 58K

Community Trust

Rating: 86/100
Number of ratings: 6
Active installs: 600
Developer Profile

Checkout for PayPal Developer Profile

Noor Alam

25 plugins · 157K total installs

Trust score: 75
Avg Security Score: 94/100
Avg Patch Time: 450 days
Detection Fingerprints

How We Detect Checkout for PayPal

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/checkout-for-paypal/addons/checkout-for-paypal-addons-menu.css

Version Parameters
checkout-for-paypal/addons/checkout-for-paypal-addons-menu.css?ver=
checkout-for-paypal.js?ver=
checkout-for-paypal.css?ver=

HTML / DOM Fingerprints

CSS Classes
checkout-for-paypal-wrapper
HTML Comments
<!-- Checkout for PayPal -->
<!-- Developed by naa986 -->

Data Attributes
data-checkout-for-paypal-id
data-checkout-for-paypal-currency
data-checkout-for-paypal-env
data-checkout-for-paypal-client-id

JS Globals
checkout_for_paypal_payment_config
checkout_for_paypal_wc_paypal_settings
REST Endpoints
/wp-json/checkout-for-paypal/v1/capture-payment
Shortcode Output
[checkout_for_paypal]
FAQ

Frequently Asked Questions about Checkout for PayPal