WP-Safety

Expandable Paywall Security & Risk Analysis

wordpress.org/plugins/expandable-paywall

A paywall solution that can be easily expanded with integration with several third party providers.

10 active installs v2.1.10 PHP 8.3+ WP 3.8+ Updated Jul 3, 2025
cambeyexternal-authenticationmetered-paywallpaywallremote-authentication
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Plugin page Download
Safety Verdict

Is Expandable Paywall Safe to Use in 2026?

Generally Safe

Score 100/100

Expandable Paywall has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9mo ago
Risk Assessment

The "expandable-paywall" plugin v2.1.10 exhibits a mixed security posture. While it shows good practices like utilizing prepared statements for a majority of its SQL queries and a commendable percentage of properly escaped outputs, significant concerns arise from its attack surface. Notably, 4 out of 8 identified entry points are AJAX handlers without any authentication checks, presenting a direct avenue for unauthorized actions. The presence of a high-severity taint flow with unsanitized paths is a critical finding, indicating a potential for code injection or other manipulation if user input is not properly validated and sanitized before being used in sensitive operations. The complete absence of recorded vulnerabilities in its history is a positive sign, suggesting the developers may have a good track record or that past issues were promptly addressed. However, this does not negate the risks identified in the static analysis. The plugin's strengths lie in its avoidance of dangerous functions and file operations, and its limited external dependencies. The primary weaknesses are the unprotected AJAX endpoints and the identified high-severity taint flow, which require immediate attention to mitigate potential security breaches.

Key Concerns

  • Unprotected AJAX handlers
  • High severity taint flow with unsanitized paths
  • Unescaped output detected
  • Bundled Freemius v1.0 library
Vulnerabilities
None known

Expandable Paywall Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

Expandable Paywall Code Analysis

Dangerous Functions
0
Raw SQL Queries
2
3 prepared
Unescaped Output
15
30 escaped
Nonce Checks
4
Capability Checks
3
File Operations
0
External Requests
0
Bundled Libraries
3

Bundled Libraries

DataTablesFreemius1.0Select2

SQL Query Safety

60% prepared5 total queries

Output Escaping

67% escaped45 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

2 flows1 with unsanitized paths
<class-expandable-paywall-admin> (admin\class-expandable-paywall-admin.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
4 unprotected

Expandable Paywall Attack Surface

Entry Points8
Unprotected4

AJAX Handlers 4

authwp_ajax_exp_get_logsincludes\class-expandable-paywall.php:70
noprivwp_ajax_exp_get_logsincludes\class-expandable-paywall.php:71
authwp_ajax_exp_clear_logsincludes\class-expandable-paywall.php:73
noprivwp_ajax_exp_clear_logsincludes\class-expandable-paywall.php:74

Shortcodes 4

[expandable-paywall-login] public\class-expandable-paywall-public.php:82
[expandable-paywall-logout] public\class-expandable-paywall-public.php:83
[expandable-paywall-register] public\class-expandable-paywall-public.php:84
[expandable-paywall-protect] public\class-expandable-paywall-public.php:85
WordPress Hooks 21
actionadd_meta_boxesadmin\class-expandable-paywall-admin.php:253
actionsave_postadmin\class-expandable-paywall-admin.php:254
filterplugin_iconexpandable-paywall.php:101
actioninitincludes\class-expandable-paywall.php:52
actionadmin_enqueue_scriptsincludes\class-expandable-paywall.php:60
actionadmin_enqueue_scriptsincludes\class-expandable-paywall.php:61
actionadmin_menuincludes\class-expandable-paywall.php:62
actionadmin_initincludes\class-expandable-paywall.php:63
actionadmin_headincludes\class-expandable-paywall.php:64
actionload-post.phpincludes\class-expandable-paywall.php:68
actionload-post-new.phpincludes\class-expandable-paywall.php:69
actionwp_enqueue_scriptsincludes\class-expandable-paywall.php:84
actionwp_enqueue_scriptsincludes\class-expandable-paywall.php:85
actioninitincludes\class-expandable-paywall.php:86
actionlogin_form_middleincludes\class-expandable-paywall.php:99
actionwp_footerincludes\class-expandable-paywall.php:102
filterquery_varsincludes\class-expandable-paywall.php:105
actiontemplate_redirectpublic\class-expandable-paywall-public.php:70
filterthe_titlepublic\class-expandable-paywall-public.php:74
actionwp_logoutpublic\class-expandable-paywall-public.php:102
filterthe_contentpublic\class-expandable-paywall-public.php:320
Maintenance & Trust

Expandable Paywall Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedJul 3, 2025
PHP min version8.3
Downloads4K

Community Trust

Rating100/100
Number of ratings2
Active installs10
Alternatives

Expandable Paywall Alternatives

Leaky Paywall

Leaky Paywall

leaky-paywall

A
95

The subscription engine for news & niche publishers.

800 5 CVEs
AccessType

AccessType

accesstype

A
85

Accesstype manages subscriptions, adds metered and hard paywall, with onetime and recurring subscription plans for continuous content monetization.

0 No CVEs
Contentlockr

Contentlockr

newsroomie

A
100

Unlock more subscribers and traffic.

0 No CVEs
codoc

codoc

codoc

A
99

A WordPress plugin for monetizing your website with paid articles, Reader Plans, and tipping.

2K 1 CVE
Memberful – Membership Plugin

Memberful – Membership Plugin

memberful-wp

A
97

Sell memberships and restrict access to content with WordPress and Memberful.

1K 3 CVEs
Developer Profile

Expandable Paywall Developer Profile

Matt Pramschufer

7 plugins · 1K total installs

87
trust score
Avg Security Score
90/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Expandable Paywall

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/expandable-paywall/admin/css/expandable-paywall-admin.css/wp-content/plugins/expandable-paywall/vendor/select2/select2/dist/css/select2.min.css/wp-content/plugins/expandable-paywall/admin/js/expandable-paywall-admin.js/wp-content/plugins/expandable-paywall/vendor/select2/select2/dist/js/select2.min.js/wp-content/plugins/expandable-paywall/admin/js/expandable-paywall-datatables.js
Script Paths
/wp-content/plugins/expandable-paywall/vendor/freemius/wordpress-sdk/start.php/wp-content/plugins/expandable-paywall/includes/class-expandable-paywall-activator.php/wp-content/plugins/expandable-paywall/includes/class-expandable-paywall-deactivator.php/wp-content/plugins/expandable-paywall/includes/class-expandable-paywall.php
Version Parameters
expandable-paywall/admin/css/expandable-paywall-admin.css?ver=expandable-paywall/vendor/select2/select2/dist/css/select2.min.css?ver=expandable-paywall/admin/js/expandable-paywall-admin.js?ver=expandable-paywall/vendor/select2/select2/dist/js/select2.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
expandable-paywall-logged-in-contentexpandable-paywall-contentexpandable-paywall-free-contentexpandable-paywall-paywall-wrapper
HTML Comments
<!-- Begin Expandable Paywall --><!-- End Expandable Paywall -->
Data Attributes
data-paywall-titledata-paywall-amountdata-paywall-amount-typedata-paywall-currencydata-paywall-post-iddata-paywall-user-id+2 more
JS Globals
Expandable_Paywall_Adminexpandable_paywall_core_freemiusdatatablesajax
FAQ

Frequently Asked Questions about Expandable Paywall