PagoForms: Mercado Pago Payments Security & Risk Analysis

wordpress.org/plugins/pagoforms

Accept Mercado Pago payments through WPForms. Credit cards, debit cards, cash payments, and digital wallets across Latin America.

0 active installs · v1.0.2 · PHP 7.4+ · WP 5.8+ · Updated Feb 23, 2026
Tags: argentina, brazil, mercadopago, payments, wpforms
Score: 100 · A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is PagoForms: Mercado Pago Payments Safe to Use in 2026?

Generally Safe

Score 100/100

PagoForms: Mercado Pago Payments has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 1mo ago
Risk Assessment

The pagoforms plugin v1.0.2 demonstrates a generally good security posture, with strong adherence to best practices in several key areas. The use of prepared statements for all SQL queries and a high percentage of properly escaped output are significant strengths, minimizing the risk of common database injection and cross-site scripting (XSS) vulnerabilities. The absence of any recorded historical vulnerabilities further suggests a mature and secure development process. The plugin also correctly avoids using dangerous functions and does not bundle external libraries, reducing potential attack vectors.

However, there is a notable concern regarding the plugin's attack surface. The analysis found one REST API route registered without a permission callback, which makes it potentially accessible to unauthenticated users. While there are no recorded critical or high-severity taint flows and no known CVEs, this unprotected entry point presents a significant risk. It is the primary weakness identified in the static analysis and warrants immediate attention to ensure proper authorization is implemented for all API endpoints.

In conclusion, pagoforms v1.0.2 is built on a solid foundation of secure coding practices. The plugin's strengths lie in its robust handling of SQL and output escaping, and its clean vulnerability history. The single unprotected REST API route is a critical vulnerability that needs to be addressed. If this issue is remediated, the plugin would represent a very secure option.

Key Concerns

  • REST API route without permission callback
Vulnerabilities
None known

PagoForms: Mercado Pago Payments Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 17, 2026

PagoForms: Mercado Pago Payments Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (4 prepared)
  • Unescaped Output: 2 (115 escaped)
  • Nonce Checks: 2
  • Capability Checks: 4
  • File Operations: 0
  • External Requests: 3
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

98% escaped · 117 total outputs
Attack Surface
1 unprotected

PagoForms: Mercado Pago Payments Attack Surface

Entry Points: 3
Unprotected: 1

AJAX Handlers (2)

  • auth · wp_ajax_pagoforms_test_connection · includes\class-pagoforms-admin.php:43
  • auth · wp_ajax_pagoforms_dismiss_upsell · includes\class-pagoforms-upsell.php:50

REST API Routes (1)

  • POST · /wp-json/pagoforms/v1/webhook · includes\class-pagoforms-webhook.php:59
WordPress Hooks (30)

  • action · admin_menu · includes\class-pagoforms-admin.php:39
  • action · admin_init · includes\class-pagoforms-admin.php:40
  • action · admin_enqueue_scripts · includes\class-pagoforms-admin.php:41
  • action · admin_notices · includes\class-pagoforms-admin.php:42
  • filter · wpforms_field_properties_pagoforms-mercadopago · includes\class-pagoforms-field.php:38
  • filter · wpforms_currencies · includes\class-pagoforms-loader.php:83
  • filter · wpforms_db_payments_value_validator_get_allowed_gateways · includes\class-pagoforms-loader.php:84
  • filter · wpforms_admin_payments_views_overview_page_gateway_is_configured · includes\class-pagoforms-loader.php:85
  • filter · wpforms_get_currency · includes\class-pagoforms-loader.php:86
  • action · init · includes\class-pagoforms-loader.php:97
  • filter · wpforms_forms_submission_prepare_payment_data · includes\class-pagoforms-payment-data.php:30
  • filter · wpforms_forms_submission_prepare_payment_meta · includes\class-pagoforms-payment-data.php:31
  • action · wpforms_process · includes\class-pagoforms-payment-process.php:57
  • filter · wpforms_process_entry_confirmation_redirect_confirmations · includes\class-pagoforms-payment-process.php:58
  • action · template_redirect · includes\class-pagoforms-return-handler.php:58
  • action · wp_head · includes\class-pagoforms-return-handler.php:101
  • action · wp_footer · includes\class-pagoforms-return-handler.php:104
  • filter · wpforms_payments_available · includes\class-pagoforms-settings.php:49
  • filter · wpforms_has_payment_gateway · includes\class-pagoforms-settings.php:52
  • action · wpforms_payments_panel_sidebar · includes\class-pagoforms-settings.php:55
  • action · wpforms_payments_panel_content · includes\class-pagoforms-settings.php:56
  • action · pagoforms_builder_after_one_time_section · includes\class-pagoforms-upsell.php:46
  • filter · wpforms_builder_fields_buttons · includes\class-pagoforms-upsell.php:47
  • action · pagoforms_dashboard_after_grid · includes\class-pagoforms-upsell.php:48
  • action · admin_footer · includes\class-pagoforms-upsell.php:49
  • action · rest_api_init · includes\class-pagoforms-webhook.php:49
  • action · admin_notices · pagoforms.php:73
  • action · wpforms_loaded · pagoforms.php:81
  • action · admin_notices · pagoforms.php:129
  • action · plugins_loaded · pagoforms.php:132
Maintenance & Trust

PagoForms: Mercado Pago Payments Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Feb 23, 2026
  • PHP min version: 7.4
  • Downloads: 121

Community Trust

  • Rating: 0/100
  • Number of ratings: 0
  • Active installs: 0
Developer Profile

PagoForms: Mercado Pago Payments Developer Profile

PagoForms

1 plugin · 0 total installs

  • Trust score: 94
  • Avg Security Score: 100/100
  • Avg Patch Time: 30 days
Detection Fingerprints

How We Detect PagoForms: Mercado Pago Payments

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

  • Asset Paths: /wp-content/plugins/pagoforms/assets/css/pagoforms-admin.css
  • Script Paths: /wp-content/plugins/pagoforms/assets/js/pagoforms-admin.js
  • Version Parameters: pagoforms-admin

HTML / DOM Fingerprints

  • CSS Classes: pagoforms-admin-notice
  • Data Attributes: data-nonce="pagoforms_admin_nonce"
  • JS Globals: pagoforms_admin
  • REST Endpoints: /wp-json/pagoforms/v1/test-connection