Does CTCL Phone Pay have any unpatched vulnerabilities?

No. All known vulnerabilities in CTCL Phone Pay have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is CTCL Phone Pay compatible with WordPress 6.8.5?

According to WordPress.org data, CTCL Phone Pay 1.1.0 has been tested up to WordPress 6.8.5. Check the plugin's changelog for the latest compatibility information.

Is CTCL Phone Pay compatible with PHP 7.4.9+?

CTCL Phone Pay requires PHP 7.4.9 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is CTCL Phone Pay updated?

CTCL Phone Pay was last updated on Apr 18, 2025. Frequent updates are generally a positive security signal.

What is CTCL Phone Pay's security score?

CTCL Phone Pay has a WP-Safety security score of 100/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

CTCL Phone Pay Security & Risk Analysis

wordpress.org/plugins/ctcl-phone-pay

CTC Lite add-on to charge customer with phone call

0 active installs v1.1.0 PHP 7.4.9+ WP 5.5.2+ Updated Apr 18, 2025

ctc-liteecommercepay-by-phonephone-pay

A · Safe

CVEs total0

Unpatched0

Last CVENever

Download

Safety Verdict

Is CTCL Phone Pay Safe to Use in 2026?

Generally Safe

Score 100/100

CTCL Phone Pay has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 11mo ago

Risk Assessment

The "ctcl-phone-pay" v1.1.0 plugin exhibits a concerning security posture due to significant weaknesses in its access control mechanisms. The static analysis reveals an attack surface primarily composed of two AJAX handlers, both of which lack any authentication checks. This means that any unauthenticated user can trigger these actions, presenting a direct pathway for exploitation.

While the plugin doesn't have a history of publicly disclosed vulnerabilities (CVEs), this is likely a false sense of security given the readily apparent flaws in its code. The absence of capability checks, nonce checks, and the use of SQL queries without prepared statements further exacerbate the risks. Although no critical taint flows were identified, the unescaped output on 17% of outputs indicates a potential for Cross-Site Scripting (XSS) vulnerabilities. The lack of prepared statements for the single SQL query also points towards a SQL injection risk.

In conclusion, despite the clean vulnerability history, the "ctcl-phone-pay" plugin has critical security deficiencies, particularly in its unprotected AJAX endpoints and the absence of robust input validation and sanitization. These issues create a high risk of unauthorized actions, data manipulation, and potential XSS attacks, outweighing the positive aspects of a clean vulnerability history.

Key Concerns

AJAX handlers without auth checks
SQL queries without prepared statements
Unescaped output
No nonce checks
No capability checks

Vulnerabilities

None known

CTCL Phone Pay Security Vulnerabilities

No known vulnerabilities — this is a good sign.

Code Analysis

Analyzed Mar 17, 2026

CTCL Phone Pay Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

3 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

0% prepared1 total queries

Output Escaping

17% escaped18 total outputs

Attack Surface

2 unprotected

CTCL Phone Pay Attack Surface

Entry Points2

Unprotected2

AJAX Handlers 2

authwp_ajax_getPhoneOrderDetailctcl-phone-pay.php:76

authwp_ajax_phonePaymarkPaidctcl-phone-pay.php:77

WordPress Hooks 9

filterctcl_additional_tabctcl-phone-pay.php:65

filterctcl_custom_email_bodyctcl-phone-pay.php:66

filterctcl_payment_optionsctcl-phone-pay.php:260

actionadmin_enqueue_scriptsctcl-phone-pay.php:275

actionadmin_enqueue_scriptsctcl-phone-pay.php:276

actionwp_enqueue_scriptsctcl-phone-pay.php:277

actionwp_enqueue_scriptsctcl-phone-pay.php:278

filterctcl_admin_billings_htmlctcl-phone-pay.php:328

actionadmin_noticesctcl-phone-pay.php:379

Maintenance & Trust

CTCL Phone Pay Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5

Last updatedApr 18, 2025

PHP min version7.4.9

Downloads1K

Community Trust

Rating0/100

Number of ratings0

Active installs0

Alternatives

CTCL Phone Pay Alternatives

CTCL Floating Cart

ctcl-floating-cart

100

🚀 Floating Cart for CT Commerce Lite 🛒

70 No CVEs

CTCL Analytics

ctcl-analytics

100

CT Commerce Lite addon to display store analytics

0 No CVEs

WooCommerce

woocommerce

Everything you need to launch an online store in days and keep it growing for years. From your first sale to millions in revenue, Woo is with you.

7.0M 42 CVEs

Popup Builder & Popup Maker for WordPress – OptinMonster Email Marketing and Lead Generation

optinmonster

🤩 Make popups & optin forms to get more email newsletter subscribers, leads, and sales - #1 most popular popup builder plugin! 🚀

1.0M 6 CVEs

WooCommerce PayPal Payments

woocommerce-paypal-payments

100

PayPal's latest payment processing solution. Accept PayPal, Pay Later, credit/debit cards, alternative digital wallets and bank accounts.

800K 1 CVE

Developer Profile

CTCL Phone Pay Developer Profile

UjW0L

17 plugins · 2K total installs

trust score

Avg Security Score

99/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect CTCL Phone Pay

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/ctcl-phone-pay/ctcl-phone-pay.php

HTML / DOM Fingerprints

CSS Classes

ctcl-phone-pay-detailctcl-pay-phone-order-idctcl-phone-pay-rowctcl-phone-pay-button-rowctcl-pay-phone-open-detailctcl-pay-phone-mark-paid

Data Attributes

id='ctcl-pay-phone-order-id'

REST Endpoints

/wp-json/ctcl/v1/phonePay

FAQ