GF Windcave Free Security & Risk Analysis

wordpress.org/plugins/gravity-forms-dps-pxpay

Easily create online payment forms with Gravity Forms and Windcave (DPS Payment Express) PxPay

100 active installs · v2.6.1 · PHP 7.4+ · WP 4.9+ · Updated Dec 14, 2025
Tags: ecommerce, gravity-forms, payment-express, pxpay, windcave
100 · A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: May 1, 2015
Safety Verdict

Is GF Windcave Free Safe to Use in 2026?

Generally Safe

Score 100/100

GF Windcave Free has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: May 1, 2015 · Updated 5mo ago
Risk Assessment

The "gravity-forms-dps-pxpay" plugin v2.6.1 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by exclusively using prepared statements for its SQL queries and properly escaping a high percentage of its output. The absence of critical or high-severity taint flows and the fact that all known CVEs are patched are also strong indicators of a relatively well-maintained codebase concerning past vulnerabilities.

However, a significant concern arises from the static analysis, which reveals a single entry point, the AJAX handler wp_ajax_gfdpspxpay_upgradev1 (includes\class.GFDpsPxPayPlugin.php:43), that lacks authentication checks. This unprotected endpoint represents a direct attack vector that could be exploited if it handles user-supplied data without proper validation or authorization. While the plugin has a history of a single medium-severity cross-site scripting vulnerability from 2015, the presence of an unprotected AJAX handler in the current version poses a more immediate and potentially exploitable risk.

In conclusion, while the plugin has a good track record regarding patched vulnerabilities and secure coding practices for SQL and output, the unprotected AJAX handler is a critical flaw that significantly diminishes its overall security. The absence of a taint flow analysis for the identified entry point makes it difficult to assess the exact impact, but the presence of an unauthenticated endpoint is inherently risky.

Key Concerns

  • Unprotected AJAX handler present
  • One file operation
  • One external HTTP request
Vulnerabilities
1 published

GF Windcave Free Security Vulnerabilities

CVEs by Year

1 CVE in 2015

Severity Breakdown

Medium: 1

1 total CVE

CVE-2015-10117 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

GF Windcave Free <= 1.4.3 - Reflected Cross-Site Scripting

May 1, 2015 Patched in 1.4.3 (3189d)
Version History

GF Windcave Free Release Timeline

v2.6.1 (Current)
v2.6.0
v2.5.0
v2.4.0
v2.3.5
v2.3.4
v2.3.3
v2.3.2.1
v2.3.1
v2.3.0
v2.2.1
v2.2.0
v2.1.0
v2.0.2
v2.0.1
v2.0.0
v1.8.0
v1.7.0
v1.6.1.1
v1.6.0
Code Analysis
Analyzed Mar 16, 2026

GF Windcave Free Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (12 prepared)
Unescaped Output: 11 (51 escaped)
Nonce Checks: 1
Capability Checks: 4
File Operations: 1
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

100% prepared · 12 total queries

Output Escaping

82% escaped · 62 total outputs
Attack Surface
1 unprotected

GF Windcave Free Attack Surface

Entry Points: 1
Unprotected: 1

AJAX Handlers: 1

auth · wp_ajax_gfdpspxpay_upgradev1 · includes\class.GFDpsPxPayPlugin.php:43
WordPress Hooks: 21
action · admin_notices · gravityforms-dps-pxpay.php:44
action · plugins_loaded · includes\bootstrap.php:11
action · init · includes\class.GFDpsPxPayAddOn.php:62
filter · gform_validation_message · includes\class.GFDpsPxPayAddOn.php:63
filter · gform_custom_merge_tags · includes\class.GFDpsPxPayAddOn.php:64
filter · gform_replace_merge_tags · includes\class.GFDpsPxPayAddOn.php:65
action · wp · includes\class.GFDpsPxPayAddOn.php:66
action · gform_payment_details · includes\class.GFDpsPxPayAddOn.php:67
filter · gform_is_delayed_pre_process_feed · includes\class.GFDpsPxPayAddOn.php:71
filter · gform_disable_post_creation · includes\class.GFDpsPxPayAddOn.php:72
action · gform_after_submission · includes\class.GFDpsPxPayAddOn.php:73
action · gform_payment_status · includes\class.GFDpsPxPayAddOn.php:90
action · gform_after_update_entry · includes\class.GFDpsPxPayAddOn.php:91
filter · gform_entry_post_save · includes\class.GFDpsPxPayAddOn.php:651
filter · gform_confirmation · includes\class.GFDpsPxPayAddOn.php:738
filter · gform_confirmation · includes\class.GFDpsPxPayAddOn.php:747
action · gform_loaded · includes\class.GFDpsPxPayPlugin.php:39
action · admin_notices · includes\class.GFDpsPxPayPlugin.php:40
filter · plugin_row_meta · includes\class.GFDpsPxPayPlugin.php:41
action · admin_notices · includes\class.GFDpsPxPayUpdateV1.php:100
action · admin_notices · includes\class.GFDpsPxPayUpdateV1.php:119
Maintenance & Trust

GF Windcave Free Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Dec 14, 2025
PHP min version: 7.4
Downloads: 11K

Community Trust

Rating: 100/100
Number of ratings: 5
Active installs: 100
Developer Profile

GF Windcave Free Developer Profile

webaware

13 plugins · 153K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 1595 days
Detection Fingerprints

How We Detect GF Windcave Free

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/gravity-forms-dps-pxpay/static/css/admin-update-v1.css
/wp-content/plugins/gravity-forms-dps-pxpay/static/js/admin-update-v1.js
Script Paths
/wp-content/plugins/gravity-forms-dps-pxpay/static/js/admin-update-v1.js
Version Parameters
gravity-forms-dps-pxpay/static/js/admin-update-v1.js?ver=
gravity-forms-dps-pxpay/static/css/admin-update-v1.css?ver=

HTML / DOM Fingerprints

JS Globals
gfdpspxpay_updatev1
FAQ

Frequently Asked Questions about GF Windcave Free