Direct Payments WP Security & Risk Analysis

wordpress.org/plugins/direct-payments-wp

Direct Payments WP lets you easily accept payments via bank transfers, mobile money, and P2P platforms on your WordPress website.

40 active installs · v1.3.2 · PHP 7.0+ · WP 6.2+ · Updated Mar 6, 2026
Tags: bank-transfer, forms, mobile-money, p2p, payments
Score: 56 (C · Use Caution)
CVEs total: 2
Unpatched: 2
Last CVE: Dec 31, 2025
Safety Verdict

Is Direct Payments WP Safe to Use in 2026?

Use With Caution

Score 56/100

Direct Payments WP has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

2 known CVEs · 2 unpatched · Last CVE: Dec 31, 2025 · Updated 28d ago
Risk Assessment

The 'direct-payments-wp' plugin v1.3.2 presents a mixed security posture. While it demonstrates good practices in areas like prepared SQL statements (98%) and output escaping (96%), significant concerns arise from its attack surface and vulnerability history.

The static analysis reveals 64 AJAX handlers, with a worrying 4 lacking authentication checks. This directly translates to potential unauthorized access to plugin functionalities. Furthermore, taint analysis identified 2 high-severity flows with unsanitized paths, indicating potential vulnerabilities that could be exploited if not properly addressed. The presence of 'unserialize' is also a known risk factor, especially when handling user-supplied data, though its specific usage and impact are not detailed in the provided data.

The plugin's vulnerability history, with 2 known medium-severity CVEs that remain unpatched, is a critical concern. The recurring themes of 'Exposure of Sensitive Information to an Unauthorized Actor' and 'Missing Authorization' align with the static analysis findings, suggesting a pattern of authorization and data leakage issues. The recent unpatched CVEs, even at medium severity, necessitate immediate attention to prevent exploitation. While the plugin has strengths in general coding hygiene, the specific areas of unauthenticated entry points and unpatched vulnerabilities significantly elevate its risk profile.

Key Concerns

  • Unpatched CVEs (2 medium)
  • High severity taint flows (2)
  • Unprotected AJAX handlers (4)
  • Dangerous function: unserialize
  • Vulnerability history: Missing Authorization
  • Vulnerability history: Exposure of Sensitive Information
Vulnerabilities (2)

Direct Payments WP Security Vulnerabilities

CVEs by Year

2025: 2 CVEs · unpatched

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-49340 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Direct Payments WP <= 1.3.0 - Authenticated (Subscriber+) Sensitive Information Exposure

Dec 31, 2025 · Unpatched

CVE-2025-49339 · medium · 4.3 · Missing Authorization

Direct Payments WP <= 1.3.0 - Missing Authorization

Dec 31, 2025 · Unpatched
Code Analysis (analyzed Mar 16, 2026)

Direct Payments WP Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 1 (55 prepared)
Unescaped Output: 71 (1702 escaped)
Nonce Checks: 73
Capability Checks: 2
File Operations: 0
External Requests: 8
Bundled Libraries: 2

Dangerous Functions Found

unserialize: $data = is_serialized($input) ? unserialize($input) : $input; (functions\register-settings.php:16)

Bundled Libraries

jQuery, Select2

SQL Query Safety

98% prepared (56 total queries)

Output Escaping

96% escaped (1773 total outputs)

Data Flows (4 unsanitized)

Data Flow Analysis

25 flows · 4 with unsanitized paths
digages_dp_crypto_get_price_ajax (functions\cryptpopamount.php:57)
Attack Surface (4 unprotected)

Direct Payments WP Attack Surface

Entry Points: 65
Unprotected: 4

AJAX Handlers 64

auth · wp_ajax_digages_dp_woodp_activate_plugin · admin\activate_plugin.php:8
auth · wp_ajax_digages_dp_save_tumaz_form · admin\forms\formbackend.php:85
auth · wp_ajax_digages_dp_tumaz_edit_form · admin\forms\formbackend.php:109
auth · wp_ajax_delete_tumaz_form · admin\forms\formbackend.php:128
auth · wp_ajax_digages_dp_woodp_install_plugin · admin\install_plugin.php:17
auth · wp_ajax_fetch_record_details · admin\payments\orderdetails.php:4
auth · wp_ajax_digages_fetch_record_admin_status · admin\payments\orderdetails.php:168
auth · wp_ajax_update_record_status · admin\payments\orderdetails.php:224
auth · wp_ajax_digages_dp_upload_qr_code · admin\settings\tabs\banktransfer\bank_transfer_backend.php:7
auth · wp_ajax_digages_dp_save_bank_account · admin\settings\tabs\banktransfer\bank_transfer_backend.php:73
auth · wp_ajax_digages_dp_edit_bank_account · admin\settings\tabs\banktransfer\bank_transfer_backend.php:121
auth · wp_ajax_digages_dp_delete_bank_account · admin\settings\tabs\banktransfer\bank_transfer_backend.php:185
auth · wp_ajax_digages_dp_update_bank_account_status · admin\settings\tabs\banktransfer\bank_transfer_backend.php:214
auth · wp_ajax_digages_dp_crypto_upload_qr_code · admin\settings\tabs\crypto\crypto_transfer_backend.php:7
auth · wp_ajax_digages_dp_save_crypto_account · admin\settings\tabs\crypto\crypto_transfer_backend.php:70
auth · wp_ajax_digages_dp_edit_crypto_account · admin\settings\tabs\crypto\crypto_transfer_backend.php:123
auth · wp_ajax_digages_dp_delete_crypto_account · admin\settings\tabs\crypto\crypto_transfer_backend.php:190
auth · wp_ajax_digages_dp_update_crypto_account_status · admin\settings\tabs\crypto\crypto_transfer_backend.php:216
auth · wp_ajax_digages_dp_fetch_exchange_rate · admin\settings\tabs\currencies\functions.php:4
auth · wp_ajax_digages_dp_save_currency_rate · admin\settings\tabs\currencies\functions.php:5
auth · wp_ajax_digages_dp_fetch_all_rates · admin\settings\tabs\currencies\functions.php:6
auth · wp_ajax_digages_dp_update_currency_order · admin\settings\tabs\currencies\functions.php:7
auth · wp_ajax_digages_dp_mobile_upload_qr_code · admin\settings\tabs\mobilemoney\mobile_transfer_backend.php:7
auth · wp_ajax_digages_dp_save_mobile_account · admin\settings\tabs\mobilemoney\mobile_transfer_backend.php:72
auth · wp_ajax_digages_dp_edit_mobile_account · admin\settings\tabs\mobilemoney\mobile_transfer_backend.php:117
auth · wp_ajax_digages_dp_delete_mobile_account · admin\settings\tabs\mobilemoney\mobile_transfer_backend.php:175
auth · wp_ajax_digages_dp_update_mob_account_status · admin\settings\tabs\mobilemoney\mobile_transfer_backend.php:204
auth · wp_ajax_digages_dp_p2p_upload_qr_code · admin\settings\tabs\p2p\p2p_transfer_backend.php:7
auth · wp_ajax_digages_dp_save_p2p_account · admin\settings\tabs\p2p\p2p_transfer_backend.php:72
auth · wp_ajax_digages_dp_edit_p2p_account · admin\settings\tabs\p2p\p2p_transfer_backend.php:117
auth · wp_ajax_digages_dp_delete_p2p_account · admin\settings\tabs\p2p\p2p_transfer_backend.php:175
auth · wp_ajax_digages_dp_update_p2p_account_status · admin\settings\tabs\p2p\p2p_transfer_backend.php:203
auth · wp_ajax_digages_direct_payment_save_data · frontend\form\form-backend.php:118
nopriv · wp_ajax_digages_direct_payment_save_data · frontend\form\form-backend.php:119
auth · wp_ajax_digages_dp_fetch_payment_methods · frontend\popup\paymethods.php:4
nopriv · wp_ajax_digages_dp_fetch_payment_methods · frontend\popup\paymethods.php:5
auth · wp_ajax_digages_dp_send_p2p_confirmation · frontend\popup\paymethods.php:698
nopriv · wp_ajax_digages_dp_send_p2p_confirmation · frontend\popup\paymethods.php:699
auth · wp_ajax_digages_dp_send_p2p_confirmation_skip · frontend\popup\paymethods.php:914
nopriv · wp_ajax_digages_dp_send_p2p_confirmation_skip · frontend\popup\paymethods.php:915
auth · wp_ajax_digages_dp_check_currency_availability · frontend\popup\realtime-currency.php:86
nopriv · wp_ajax_digages_dp_check_currency_availability · frontend\popup\realtime-currency.php:87
auth · wp_ajax_digages_dp_crypto_get_price_ajax · functions\cryptpopamount.php:86
nopriv · wp_ajax_digages_dp_crypto_get_price_ajax · functions\cryptpopamount.php:87
auth · wp_ajax_digages_get_payment_data · functions\payment-handler.php:20
nopriv · wp_ajax_digages_get_payment_data · functions\payment-handler.php:22
auth · wp_ajax_digages_save_payment_session · functions\payment-handler.php:93
nopriv · wp_ajax_digages_save_payment_session · functions\payment-handler.php:94
auth · wp_ajax_digages_dp_dismiss_notice_addaccountsmain · notice\addaccountsmain.php:96
auth · wp_ajax_digages_dp_dismiss_notice_available · notice\available.php:95
auth · wp_ajax_digages_dp_dismiss_notice_firstpay · notice\firstpay.php:146
auth · wp_ajax_digages_dp_dismiss_notice_home · notice\home.php:95
auth · wp_ajax_digages_dp_dismiss_notice_interests · notice\interests.php:96
auth · wp_ajax_digages_dp_dismiss_notice_tenpay · notice\tenpay.php:142
auth · wp_ajax_digages_load_page · onboarding\allpages.php:6
auth · wp_ajax_digages_save_page · onboarding\current-page.php:33
auth · wp_ajax_digages_get_current_page · onboarding\current-page.php:54
auth · wp_ajax_digages_update_data_usage_woodp · onboarding\data-usage.php:5
auth · wp_ajax_digages_update_interest_woodp · onboarding\save-interests.php:5
auth · wp_ajax_digages_admin_script_onboaard_methods_update · onboarding\save-methods.php:6
auth · wp_ajax_digages_dp_upload_screenshot_and_update_order · others.php:4
nopriv · wp_ajax_digages_dp_upload_screenshot_and_update_order · others.php:5
auth · wp_ajax_digages_direct_payment_report · payment-records.php:5
nopriv · wp_ajax_digages_direct_payment_report · payment-records.php:6

Shortcodes 1

[digagesdp_form] admin\forms\frontend-shortcode.php:150
WordPress Hooks 48
action · admin_menu · admin\menu.php:5
filter · wp_mail_from · admin\payments\emailsend.php:7
filter · wp_mail_from_name · admin\payments\emailsend.php:12
action · admin_enqueue_scripts · admin\settings\settings.php:182
action · admin_init · direct-payments.php:22
action · admin_enqueue_scripts · direct-payments.php:86
action · admin_enqueue_scripts · direct-payments.php:99
action · admin_footer · direct-payments.php:106
action · admin_enqueue_scripts · direct-payments.php:131
filter · plugin_row_meta · direct-payments.php:144
action · init · direct-payments.php:187
action · admin_notices · direct-payments.php:197
action · admin_init · direct-payments.php:198
action · admin_notices · direct-payments.php:202
action · admin_init · direct-payments.php:203
action · admin_init · direct-payments.php:272
action · wp_footer · frontend\popup\paymentpopup.php:170
action · wp_footer · frontend\popup\step1.php:599
action · admin_enqueue_scripts · functions\add-new-enqueue.php:2
action · admin_enqueue_scripts · functions\bankenqueue.php:75
action · admin_enqueue_scripts · functions\cryptoqueue.php:75
action · wp_enqueue_scripts · functions\cryptpopamount.php:52
action · admin_enqueue_scripts · functions\enqueue.php:19
action · admin_enqueue_scripts · functions\frontadminenqueue.php:144
action · wp_enqueue_scripts · functions\frontadminenqueue.php:215
action · admin_enqueue_scripts · functions\frontadminenqueue.php:239
action · admin_enqueue_scripts · functions\mobilequeue.php:75
action · admin_enqueue_scripts · functions\p2penqueue.php:76
action · wp_enqueue_scripts · functions\payment-handler.php:8
action · init · functions\payment-handler.php:85
action · wp_enqueue_scripts · functions\popupenqueue.php:56
action · admin_init · functions\register-settings.php:72
action · admin_init · functions\register-settings.php:134
action · init · functions\sendmail.php:8
action · template_redirect · functions\sendmail.php:9
filter · query_vars · functions\sendmail.php:10
filter · admin_title · functions\titles.php:39
action · admin_notices · notice\addaccountsmain.php:88
action · admin_notices · notice\available.php:87
action · admin_enqueue_scripts · notice\enqueue.php:15
action · admin_notices · notice\firstpay.php:138
action · admin_notices · notice\home.php:87
action · admin_notices · notice\interests.php:87
action · admin_notices · notice\tenpay.php:133
action · admin_footer · onboarding\current-page.php:67
action · admin_enqueue_scripts · onboarding\enqueue.php:391
action · admin_menu · onboarding\main.php:53
action · init · payment-records.php:8
Maintenance & Trust

Direct Payments WP Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 6, 2026
PHP min version: 7.0
Downloads: 2K

Community Trust

Rating: 100/100
Number of ratings: 1
Active installs: 40
Developer Profile

Direct Payments WP Developer Profile

Digages

5 plugins · 850 total installs

Trust score: 88
Avg Security Score: 91/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Direct Payments WP

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/direct-payments-wp/assets/js/hide-view-form.js
/wp-content/plugins/direct-payments-wp/select.css
/wp-content/plugins/direct-payments-wp/select2.min.js
/wp-content/plugins/direct-payments-wp/admin/forms/form-manager.js
Script Paths
admin/forms/form-manager.js
assets/js/hide-view-form.js
select2.min.js
select.css
Version Parameters
direct-payments-wp/admin/forms/form-manager.js?ver=1.3.2
direct-payments-wp/assets/js/hide-view-form.js?ver=1.3.2
direct-payments-wp/select2.min.js?ver=1.3.2
direct-payments-wp/select.css?ver=1.3.2

HTML / DOM Fingerprints

CSS Classes
custom-plugin-select2
JS Globals
tumaz_form_management
FAQ

Frequently Asked Questions about Direct Payments WP