WP-Safety

iPOSpays Gateways WC Security & Risk Analysis

wordpress.org/plugins/ipospays-gateways-wc

Accept all major credit cards, Bank, and alternative payment methods like Google Pay, PayPal, and Venmo.

100 active installs v1.3.7 PHP 7.4+ WP 6.4+ Updated Dec 12, 2025
credit-cardgoogle-paypayment-gatewaypaypalwoocommerce
56
C · Use Caution
CVEs total2
Unpatched2
Last CVEMay 11, 2026
Plugin page Download
Safety Verdict

Is iPOSpays Gateways WC Safe to Use in 2026?

Use With Caution

Score 56/100

iPOSpays Gateways WC has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

2 known CVEs 2 unpatched Last CVE: May 11, 2026Updated 5mo ago
Risk Assessment

The 'ipospays-gateways-wc' plugin exhibits a concerning security posture primarily due to a significant number of unprotected entry points. While the static analysis shows no dangerous functions, a lack of raw SQL queries, and a high percentage of properly escaped output, the absence of authentication checks on all AJAX handlers and REST API routes presents a substantial risk. This means that any unauthenticated user could potentially interact with these functions, leading to unauthorized actions or information disclosure.

The plugin's vulnerability history is clean, with no recorded CVEs. This is a positive indicator, suggesting a lack of publicly known exploitable flaws. However, the presence of multiple unsecured AJAX and REST API endpoints creates a large attack surface that could be exploited by a motivated attacker, even without specific known vulnerabilities. The plugin does implement nonce checks on its AJAX handlers and a capability check on one entry point, which are good practices, but these are insufficient when the majority of endpoints lack any form of authorization.

In conclusion, while the plugin does not demonstrate common code-level vulnerabilities like dangerous functions or unescaped output, its lack of authorization on a large number of its entry points is a critical weakness. The absence of past vulnerabilities is positive, but it does not mitigate the immediate risks posed by the current code's insecure design for handling user input through its API and AJAX endpoints.

Key Concerns

  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • Large attack surface without auth (16 total)
Vulnerabilities
2 published

iPOSpays Gateways WC Security Vulnerabilities

CVEs by Year

2 CVEs in 2026 · unpatched
2026
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2026-4663medium · 5.3Missing Authorization

iPOSpays Gateways WC <= 1.3.7 - Unauthenticated Missing Authorization to Settings Update via REST API Endpoint

May 11, 2026Unpatched
CVE-2026-39608medium · 5.3Missing Authorization

iPOSpays Gateways WC <= 1.3.7 - Missing Authorization

Feb 7, 2026Unpatched
Version History

iPOSpays Gateways WC Release Timeline

v1.3.7Current2 CVEs
CVE-2026-39608 CVE-2026-4663
v1.3.62 CVEs
CVE-2026-39608 CVE-2026-4663
v1.3.02 CVEs
CVE-2026-39608 CVE-2026-4663
v1.2.32 CVEs
CVE-2026-39608 CVE-2026-4663
v1.2.22 CVEs
CVE-2026-39608 CVE-2026-4663
v1.2.12 CVEs
CVE-2026-39608 CVE-2026-4663
v1.2.02 CVEs
CVE-2026-39608 CVE-2026-4663
v1.1.32 CVEs
CVE-2026-39608 CVE-2026-4663
v1.1.22 CVEs
CVE-2026-39608 CVE-2026-4663
v1.1.12 CVEs
CVE-2026-39608 CVE-2026-4663
v1.1.02 CVEs
CVE-2026-39608 CVE-2026-4663
v1.0.02 CVEs
CVE-2026-39608 CVE-2026-4663
Code Analysis
Analyzed Mar 16, 2026

iPOSpays Gateways WC Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
14
437 escaped
Nonce Checks
6
Capability Checks
1
File Operations
0
External Requests
9
Bundled Libraries
0

Output Escaping

97% escaped451 total outputs
Data Flows · Security
All sanitized

Data Flow Analysis

3 flows
<applepay-settings> (includes\admin\applepay-settings.php:0)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
16 unprotected

iPOSpays Gateways WC Attack Surface

Entry Points16
Unprotected16

AJAX Handlers 6

authwp_ajax_ipospays_gpay_processincludes\express-checkout\class-ipospays-gpay-btn.php:29
noprivwp_ajax_ipospays_gpay_processincludes\express-checkout\class-ipospays-gpay-btn.php:30
authwp_ajax_ipospays_applepay_processincludes\express-checkout\class-ipospays-gpay-btn.php:31
noprivwp_ajax_ipospays_applepay_processincludes\express-checkout\class-ipospays-gpay-btn.php:32
authwp_ajax_ipospays_clear_noticesipospays-gateways-wc.php:986
noprivwp_ajax_ipospays_clear_noticesipospays-gateways-wc.php:987

REST API Routes 10

POST/wp-json/ipospays/v1/store_ach_dataincludes\payment-methods\class-ach-gateway.php:92
GET/wp-json/ipospays/v1/loadingincludes\payment-methods\class-ftd-redirect-gateway.php:207
GET/wp-json/ipospays/v1/refund/webhookincludes\payment-methods\class-ftd-redirect-gateway.php:213
GET/wp-json/ipospays/v1/payment_token_idincludes\payment-methods\class-ftd-redirect-gateway.php:220
GET/wp-json/ipospays/v1get_session_idincludes\payment-methods\class-ftd-redirect-gateway.php:227
GET/wp-json/ipospays/v1/google_payment_tokenincludes\payment-methods\class-ftd-redirect-gateway.php:234
GET/wp-json/ipospays/v1/apple_payment_tokenincludes\payment-methods\class-ftd-redirect-gateway.php:241
GET/wp-json/ipospays/v1/loggerincludes\payment-methods\class-ftd-redirect-gateway.php:247
GET/wp-json/ipospays/v1/save_settingsincludes\payment-methods\class-ftd-redirect-gateway.php:253
GET/wp-json/ipospays/v1/delete_keysincludes\payment-methods\class-ftd-redirect-gateway.php:259
WordPress Hooks 27
actionwp_enqueue_scriptsincludes\express-checkout\class-ipospays-gpay-btn.php:27
actionwp_footerincludes\express-checkout\class-ipospays-gpay-btn.php:28
actionrest_api_initincludes\payment-methods\class-ach-gateway.php:51
actionrest_api_initincludes\payment-methods\class-ftd-redirect-gateway.php:64
actionwoocommerce_pay_order_before_paymentincludes\payment-methods\class-ftd-redirect-gateway.php:66
actionwoocommerce_after_add_to_cart_formincludes\payment-methods\class-ftd-redirect-gateway.php:67
actionwp_footerincludes\payment-methods\class-ftd-redirect-gateway.php:118
actionwp_footerincludes\payment-methods\class-ftd-redirect-gateway.php:143
filterplugin_row_metaipospays-gateways-wc.php:37
actionwp_enqueue_scriptsipospays-gateways-wc.php:53
actionadmin_enqueue_scriptsipospays-gateways-wc.php:138
actionadmin_enqueue_scriptsipospays-gateways-wc.php:141
filteradmin_urlipospays-gateways-wc.php:176
actionadmin_initipospays-gateways-wc.php:201
actionadmin_noticesipospays-gateways-wc.php:203
actionplugins_loadedipospays-gateways-wc.php:300
filterwoocommerce_payment_gatewaysipospays-gateways-wc.php:468
actionbefore_woocommerce_initipospays-gateways-wc.php:488
actionwoocommerce_blocks_loadedipospays-gateways-wc.php:492
actionwoocommerce_blocks_payment_method_type_registrationipospays-gateways-wc.php:506
actionwoocommerce_admin_order_totals_after_discountipospays-gateways-wc.php:516
filterwoocommerce_get_order_item_totalsipospays-gateways-wc.php:570
actionadmin_noticesipospays-gateways-wc.php:657
actionadmin_headipospays-gateways-wc.php:714
filterwoocommerce_get_settings_checkoutipospays-gateways-wc.php:753
actionplugins_loadedipospays-gateways-wc.php:902
actionwp_footerpayment-forms\credit-card.php:685
Maintenance & Trust

iPOSpays Gateways WC Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedDec 12, 2025
PHP min version7.4
Downloads3K

Community Trust

Rating0/100
Number of ratings0
Active installs100
Alternatives

iPOSpays Gateways WC Alternatives

Sola Payment Gateway for WooCommerce

Sola Payment Gateway for WooCommerce

woo-cardknox-gateway

A
100

Accept payments with the Sola gateway.

700 No CVEs
AllPays.co – Payment Gateway for WooCommerce

AllPays.co – Payment Gateway for WooCommerce

allpaysco-payment-gateway-for-woocommerce

A
100

Accept card payments, Apple Pay, Google Pay, Venmo, bank transfers, and local payment methods with AllPays.co for WooCommerce.

0 No CVEs
WooPayments: Integrated WooCommerce Payments

WooPayments: Integrated WooCommerce Payments

woocommerce-payments

A
89

Securely accept credit and debit cards on your WooCommerce store. Manage payments without leaving your WordPress dashboard. Only with WooPayments.

900K 7 CVEs
WooCommerce PayPal Payments

WooCommerce PayPal Payments

woocommerce-paypal-payments

A
100

PayPal's latest payment processing solution. Accept PayPal, Pay Later, credit/debit cards, alternative digital wallets and bank accounts.

800K 1 CVE
Asaas Gateway for WooCommerce

Asaas Gateway for WooCommerce

woo-asaas

A
100

Take transparent credit card and bank ticket payment checkouts on your store using Asaas.

9K No CVEs
Developer Profile

iPOSpays Gateways WC Developer Profile

iPOSPays

1 plugin · 100 total installs

63
trust score
Avg Security Score
56/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect iPOSpays Gateways WC

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/ipospays-gateways-wc/assets/js/custom-checkout.js/wp-content/plugins/ipospays-gateways-wc/assets/js/nonce-verify.js/wp-content/plugins/ipospays-gateways-wc/assets/css/setting.css/wp-content/plugins/ipospays-gateways-wc/assets/js/setting.js/wp-content/plugins/ipospays-gateways-wc/assets/js/gpay.js/wp-content/plugins/ipospays-gateways-wc/assets/js/applepay.js
Script Paths
/wp-content/plugins/ipospays-gateways-wc/assets/js/custom-checkout.js/wp-content/plugins/ipospays-gateways-wc/assets/js/nonce-verify.js/wp-content/plugins/ipospays-gateways-wc/assets/js/setting.js/wp-content/plugins/ipospays-gateways-wc/assets/js/gpay.js/wp-content/plugins/ipospays-gateways-wc/assets/js/applepay.js
Version Parameters
ipospays-gateways-wc/assets/js/custom-checkout.js?ver=1.3.7ipospays-gateways-wc/assets/js/nonce-verify.js?ver=1.3.7ipospays-gateways-wc/assets/css/setting.css?ver=1.3.7ipospays-gateways-wc/assets/js/setting.js?ver=1.3.7ipospays-gateways-wc/assets/js/gpay.js?ver=1.3.7ipospays-gateways-wc/assets/js/applepay.js?ver=1.3.7

HTML / DOM Fingerprints

JS Globals
wpVarsipospayData
FAQ

Frequently Asked Questions about iPOSpays Gateways WC