Contact Form 7 – PayPal & Stripe Add-on Security & Risk Analysis

wordpress.org/plugins/contact-form-7-paypal-add-on

Easily add PayPal and Stripe to Contact Form 7. Accept credit card payments with Stripe & PayPal on your site today. Official PayPal & Stripe Partner.

8K active installs · v2.4.6 · PHP 5.5+ · WP 3.0+ · Updated Jan 19, 2026
Tags: credit-card, ecommerce, payments, paypal, stripe

Score: 96 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: May 7, 2025
Safety Verdict

Is Contact Form 7 – PayPal & Stripe Add-on Safe to Use in 2026?

Generally Safe

Score 96/100

Contact Form 7 – PayPal & Stripe Add-on has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: May 7, 2025 · Updated 2mo ago
Risk Assessment

The 'contact-form-7-paypal-add-on' v2.4.6 plugin presents a mixed security posture. It shows some good practices: a reasonable number of nonce and capability checks relative to its entry points, and no critical or high-severity vulnerabilities in its history. The static analysis, however, raises significant concerns. Of its 6 AJAX handlers and 2 REST API routes, 4 and 2 respectively lack authentication checks, leaving a substantial attack surface inadequately protected. In addition, 3 of the 8 analyzed taint flows have unsanitized paths; although none produced a critical or high-severity finding in this scan, they could become exploitable in combination with the unprotected entry points.

The plugin's vulnerability history contains 5 medium-severity CVEs, primarily Cross-Site Scripting and Cross-Site Request Forgery. All previously known vulnerabilities have been patched, which is positive. However, the recurrence of XSS and CSRF, together with the unprotected entry points and unsanitized taint flows identified above, points to a historical weakness in input validation and output escaping that could be re-introduced or exploited. The most recent vulnerability dates from 2025, so it is a recent issue that has already been addressed.

In conclusion, while the plugin has addressed past vulnerabilities and incorporates some security features, the number of unprotected AJAX and REST API endpoints, combined with the identified unsanitized taint flows, makes it a notable risk. The primary concern is that attackers could use these unprotected entry points to trigger vulnerabilities, even if those are currently only medium in severity. Organizations using this plugin should prioritize securing the exposed endpoints or consider alternatives if further mitigation is not feasible.

Key Concerns

  • Unprotected AJAX handlers (4)
  • Unprotected REST API routes (2)
  • Taint flows with unsanitized paths (3)
  • SQL queries without prepared statements (50%)
  • Output escaping (34% not properly escaped)
  • Medium severity CVEs (5)

Vulnerabilities (5)

Contact Form 7 – PayPal & Stripe Add-on Security Vulnerabilities

CVEs by Year

2023: 1 CVE
2024: 3 CVEs
2025: 1 CVE

Severity Breakdown

Medium: 5 (5 total CVEs)

CVE-2025-47518 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form 7 – PayPal & Stripe Add-on <= 2.3.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
May 7, 2025 · Patched in 2.4.1 (7d)

CVE-2024-10683 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form 7 - PayPal & Stripe Add-on <= 2.3.1 - Reflected Cross-Site Scripting
Nov 8, 2024 · Patched in 2.3.2 (1d)

CVE-2024-48021 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form 7 – PayPal & Stripe Add-on <= 2.3 - Reflected Cross-Site Scripting
Oct 8, 2024 · Patched in 2.3.1 (9d)

CVE-2024-29130 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Contact Form 7 – PayPal & Stripe Add-on <= 2.0 - Reflected Cross-Site Scripting
Mar 16, 2024 · Patched in 2.1 (5d)

CVE-2023-24405 · medium · 4.3 · Cross-Site Request Forgery (CSRF)
Contact Form 7 – PayPal & Stripe Add-on <= 1.9.3 - Cross-Site Request Forgery
Mar 17, 2023 · Patched in 1.9.4 (312d)

Code Analysis
Analyzed Mar 16, 2026

Contact Form 7 – PayPal & Stripe Add-on Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 2 (2 prepared)
Unescaped Output: 49 (94 escaped)
Nonce Checks: 6
Capability Checks: 4
File Operations: 2
External Requests: 10
Bundled Libraries: 0

SQL Query Safety: 50% prepared, 4 total queries

Output Escaping: 66% escaped, 143 total outputs

Data Flows (3 unsanitized)

Data Flow Analysis

8 flows · 3 with unsanitized paths

Listed flow: cf7pp_admin_after_additional_settings (includes\admin\tabs_page.php:24)

Attack Surface (6 unprotected)

Contact Form 7 – PayPal & Stripe Add-on Attack Surface

Entry Points: 8
Unprotected: 6

AJAX Handlers 6

(auth = registered for logged-in users; nopriv = also registered for unauthenticated users)

auth · wp_ajax_cf7pp-ppcp-onboarding-start · includes\ppcp.php:51
auth · wp_ajax_cf7pp-ppcp-disconnect · includes\ppcp.php:116
auth · wp_ajax_cf7pp_get_form_stripe_success · includes\redirect_methods.php:106
nopriv · wp_ajax_cf7pp_get_form_stripe_success · includes\redirect_methods.php:107
auth · wp_ajax_cf7pp_get_form_post · includes\redirect_methods.php:238
nopriv · wp_ajax_cf7pp_get_form_post · includes\redirect_methods.php:239

REST API Routes 2

GET /wp-json/cf7pp/v1/cf7pp_get_form_post · includes\enqueue.php:41
GET /wp-json/cf7pp/v1/cf7pp_get_form_stripe_success · includes\enqueue.php:48

WordPress Hooks 50

action · cf7pp_daily_scheduled_events · includes\admin\extensions.php:90
action · admin_menu · includes\admin\menu_links.php:10
filter · plugin_action_links · includes\admin\menu_links.php:27
action · admin_notices · includes\admin\notices.php:41
action · init · includes\admin\notices.php:104
action · admin_init · includes\admin\notices.php:176
action · admin_notices · includes\admin\notices.php:216
action · admin_init · includes\admin\notices.php:263
filter · wpcf7_editor_panels · includes\admin\tabs_page.php:21
action · wpcf7_after_save · includes\admin\tabs_page.php:84
action · admin_enqueue_scripts · includes\enqueue.php:21
action · rest_api_init · includes\enqueue.php:39
action · wp_enqueue_scripts · includes\enqueue.php:80
action · admin_notices · includes\functions.php:21
filter · admin_footer_text · includes\functions.php:45
action · init · includes\payments\cpt.php:8
action · edit_form_after_title · includes\payments\cpt.php:41
action · admin_menu · includes\payments\cpt.php:56
filter · post_row_actions · includes\payments\cpt.php:167
action · init · includes\payments\cpt.php:216
action · admin_footer-edit.php · includes\payments\cpt.php:249
filter · manage_cf7pp_payments_posts_columns · includes\payments\cpt.php:272
action · manage_cf7pp_payments_posts_custom_column · includes\payments\cpt.php:291
filter · post_date_column_status · includes\payments\cpt.php:323
filter · post_date_column_time · includes\payments\cpt.php:334
action · restrict_manage_posts · includes\payments\cpt.php:345
action · parse_query · includes\payments\cpt.php:388
filter · wp_untrash_post_status · includes\payments\cpt.php:421
filter · views_edit-cf7pp_payments · includes\payments\cpt.php:434
action · wp · includes\payments\cronjob.php:8
action · cf7pp_payment_check_status · includes\payments\cronjob.php:19
action · admin_head · includes\payments\functions.php:167
action · admin_notices · includes\payments\functions.php:188
action · template_redirect · includes\payments\paypal_handler.php:10
action · rest_api_init · includes\payments\paypal_handler.php:49
action · wpcf7_before_send_mail · includes\payments\stripe_handler.php:9
action · rest_api_init · includes\payments\stripe_handler.php:135
action · plugins_loaded · includes\payments\stripe_handler.php:223
action · wp · includes\ppcp_frontend.php:64
filter · wpcf7_form_elements · includes\ppcp_frontend.php:108
action · template_redirect · includes\redirect_methods.php:47
action · wpcf7_before_send_mail · includes\redirect_methods.php:138
action · plugins_loaded · includes\stripe-connect.php:130
action · plugins_loaded · includes\stripe-connect.php:183
filter · wpcf7_load_js · paypal.php:117
action · init · paypal.php:120
action · init · paypal.php:127
action · init · paypal.php:183
action · admin_notices · paypal.php:200
action · admin_enqueue_scripts · paypal.php:233

Scheduled Events 1

cf7pp_payment_check_status

Maintenance & Trust

Contact Form 7 – PayPal & Stripe Add-on Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 19, 2026
PHP min version: 5.5
Downloads: 453K

Community Trust

Rating: 84/100
Number of ratings: 124
Active installs: 8K

Developer Profile

Contact Form 7 – PayPal & Stripe Add-on Developer Profile

Scott Paterson

12 plugins · 44K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 267 days

Detection Fingerprints

How We Detect Contact Form 7 – PayPal & Stripe Add-on

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/contact-form-7-paypal-add-on/assets/js/deactivation-survey.js
Script Paths
/wp-content/plugins/contact-form-7-paypal-add-on/assets/js/deactivation-survey.js
Version Parameters
contact-form-7-paypal-add-on/assets/js/deactivation-survey.js?ver=

HTML / DOM Fingerprints

JS Globals
cf7ppDeactivationSurvey

FAQ

Frequently Asked Questions about Contact Form 7 – PayPal & Stripe Add-on