Autopay dla WooCommerce Security & Risk Analysis

wordpress.org/plugins/pay-wp

Autopay - a reliable online payment plugin built specifically for Polish online stores running WordPress and WooCommerce.

900 active installs · v2.2.26 · PHP 7.4+ · WP 6.4+ · Updated Mar 7, 2026
Tags: autopay, blik, blue-media, platnosci, wp-pay
Score: 100 (A · Safe)
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Autopay dla WooCommerce Safe to Use in 2026?

Generally Safe

Score 100/100

Autopay dla WooCommerce has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 2mo ago
Risk Assessment

The "pay-wp" plugin v2.2.26 presents a mixed security posture. On the positive side, it has no known historical vulnerabilities (CVEs) and a relatively small attack surface, and every identified entry point performs an authentication check. Most SQL queries use prepared statements (82%), and capability checks are present.

Several code signals still raise concerns. The scan flags a significant number of calls to dangerous functions such as `unserialize`, `assert`, `proc_open`, and `shell_exec`, which can lead to serious code execution vulnerabilities if not handled with extreme care. Most of the flagged calls are in bundled third-party code under `vendor_prefixed`; the four in the plugin's own `src` directory are `unserialize` calls on values read with `get_option`. Taint analysis found no critical or high-severity issues, but it did identify flows with unsanitized paths; if those paths are exposed to user input without proper sanitization, they could lead to local file inclusion or other path traversal issues.

Key Concerns

  • Presence of dangerous functions (unserialize, assert, proc_open, shell_exec)
  • Flows with unsanitized paths identified in taint analysis
  • SQL queries not using prepared statements (18% of total)
  • Output escaping not consistently applied (30% not properly escaped)
  • Bundled library detected (Guzzle)
Vulnerabilities
None known

Autopay dla WooCommerce Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Autopay dla WooCommerce Release Timeline

v2.2.26 (Current)
v2.2.24
v2.2.23
v2.2.22
v2.2.21
v2.2.20
v2.2.19
v2.2.18
v2.2.17
v2.2.16
v2.2.15
v2.2.14
v2.2.13
v2.2.12
v2.2.11
v2.2.9
v2.2.8
v2.2.7
v2.2.6
v2.2.5
Code Analysis
Analyzed Mar 16, 2026

Autopay dla WooCommerce Code Analysis

Dangerous Functions: 33
Raw SQL Queries: 2 (9 prepared)
Unescaped Output: 32 (75 escaped)
Nonce Checks: 5
Capability Checks: 4
File Operations: 76
External Requests: 6
Bundled Libraries: 1

Dangerous Functions Found

Function | Code | Location
unserialize | $a = unserialize( $this->settings->get_option( 'pos' ) ) ?? []; | src\BlueMediaApi\BlueMediaClientFactory.php:30
unserialize | $a = unserialize( $this->settings->get_option( 'pos' ) ) ?? []; | src\BlueMediaApi\BlueMediaClientFactory.php:37
unserialize | $profiles = ! empty( $this->get_option( $key ) ) ? unserialize( $this->get_option( $key ) ) : $defau | src\WooCommerceGateway\StandardPaymentGateway.php:302
unserialize | $sortedChannels = ! empty( $this->get_option( $key ) ) ? unserialize( $this->get_option( $key ) ) : | src\WooCommerceGateway\StandardPaymentGateway.php:323
assert | assert(self::$logger !== null); | vendor_prefixed\doctrine\deprecations\src\Deprecation.php:150
unserialize | return unserialize($serializedString); | vendor_prefixed\doctrine\instantiator\src\Doctrine\Instantiator\Instantiator.php:112
unserialize | unserialize($serializedString); | vendor_prefixed\doctrine\instantiator\src\Doctrine\Instantiator\Instantiator.php:171
unserialize | $this->unserializeFromArray(unserialize($str)); | vendor_prefixed\jms\metadata\src\SerializationHelper.php:26
unserialize | $this->expression = new SerializedParsedExpression(...unserialize($str)); | vendor_prefixed\jms\serializer\src\Expression\Expression.php:57
assert | assert($context instanceof SerializationContext); | vendor_prefixed\jms\serializer\src\GraphNavigator\SerializationGraphNavigator.php:90
assert | assert($doctrineMetadata instanceof ORMClassMetadata || $doctrineMetadata instanceof ODMClassMetadat | vendor_prefixed\jms\serializer\src\Metadata\Driver\DoctrineTypeDriver.php:20
proc_open | $this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd); | vendor_prefixed\monolog\monolog\src\Monolog\Handler\ProcessHandler.php:104
shell_exec | $branches = shell_exec('git branch -v --no-abbrev'); | vendor_prefixed\monolog\monolog\src\Monolog\Processor\GitProcessor.php:60
shell_exec | $result = explode(' ', trim((string) shell_exec('hg id -nb'))); | vendor_prefixed\monolog\monolog\src\Monolog\Processor\MercurialProcessor.php:59
unserialize | foreach ($deprecations ? unserialize($deprecations) : [] as $deprecation) { | vendor_prefixed\symfony\browser-kit\AbstractBrowser.php:383
unserialize | return unserialize($process->getOutput()); | vendor_prefixed\symfony\browser-kit\AbstractBrowser.php:395
shell_exec | $sttyMode = shell_exec('stty -g'); | vendor_prefixed\symfony\console\Application.php:841
shell_exec | shell_exec('stty ' . $sttyMode); | vendor_prefixed\symfony\console\Application.php:844
proc_open | $isTtySupported = (bool) @proc_open('echo 1 >/dev/null', [['file', '/dev/tty', 'r'], ['file', '/dev/ | vendor_prefixed\symfony\console\Cursor.php:154
shell_exec | $sttyMode = shell_exec('stty -g'); | vendor_prefixed\symfony\console\Cursor.php:159
shell_exec | shell_exec('stty -icanon -echo'); | vendor_prefixed\symfony\console\Cursor.php:160
shell_exec | shell_exec(sprintf('stty %s', $sttyMode)); | vendor_prefixed\symfony\console\Cursor.php:163
shell_exec | $sttyMode = shell_exec('stty -g'); | vendor_prefixed\symfony\console\Helper\QuestionHelper.php:216
shell_exec | shell_exec('stty -icanon -echo'); | vendor_prefixed\symfony\console\Helper\QuestionHelper.php:221
shell_exec | shell_exec('stty ' . $sttyMode); | vendor_prefixed\symfony\console\Helper\QuestionHelper.php:233
shell_exec | shell_exec('stty ' . $sttyMode); | vendor_prefixed\symfony\console\Helper\QuestionHelper.php:318
shell_exec | $sExec = shell_exec('"' . $exe . '"'); | vendor_prefixed\symfony\console\Helper\QuestionHelper.php:351
shell_exec | $sttyMode = shell_exec('stty -g'); | vendor_prefixed\symfony\console\Helper\QuestionHelper.php:360
shell_exec | shell_exec('stty -echo'); | vendor_prefixed\symfony\console\Helper\QuestionHelper.php:361
shell_exec | shell_exec('stty ' . $sttyMode); | vendor_prefixed\symfony\console\Helper\QuestionHelper.php:367
shell_exec | return self::$stty = (bool) shell_exec('stty 2> ' . ('\\' === \DIRECTORY_SEPARATOR ? 'NUL' : '/dev/n | vendor_prefixed\symfony\console\Terminal.php:62
proc_open | if (!$process = @proc_open($command, $descriptorspec, $pipes, null, null, ['suppress_errors' => \tru | vendor_prefixed\symfony\console\Terminal.php:137
unserialize | return unserialize(self::parseScalar(substr($scalar, 12))); | vendor_prefixed\symfony\yaml\Inline.php:543

Bundled Libraries

Guzzle

SQL Query Safety

82% prepared · 11 total queries

Output Escaping

70% escaped · 107 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
log (vendor_prefixed\symfony\console\Command\CompleteCommand.php:140)
Attack Surface

Autopay dla WooCommerce Attack Surface

Entry Points: 1
Unprotected: 0

AJAX Handlers 1

auth | wp_ajax_wpdesk_notice_dismiss | vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:42
WordPress Hooks 32
Type | Hook | Location
action | before_woocommerce_init | pay-wp.php:64
action | woocommerce_api_wc-gateway-wppay | src\BlueMediaApi\Handlers\APIHandler.php:28
action | init | src\Plugin.php:75
filter | woocommerce_payment_gateways | src\Plugin.php:77
action | woocommerce_blocks_loaded | src\Plugin.php:79
action | init | src\Plugin.php:84
action | woocommerce_blocks_payment_method_type_registration | src\Plugin.php:158
action | woocommerce_after_checkout_validation | src\WooCommerceGateway\BlikZeroEmbedGateway.php:55
action | wc_ajax_wppay_refresh_blik_order_status | src\WooCommerceGateway\BlikZeroEmbedGateway.php:57
action | wp_enqueue_scripts | src\WooCommerceGateway\BlikZeroEmbedGateway.php:58
action | wp_enqueue_scripts | src\WooCommerceGateway\CardEmbedGateway.php:70
action | woocommerce_checkout_process | src\WooCommerceGateway\CardEmbedGateway.php:71
action | woocommerce_receipt_wppay | src\WooCommerceGateway\StandardPaymentGateway.php:121
filter | woocommerce_payment_gateways | src\WooCommerceGateway\StandardPaymentGateway.php:123
action | wp_dashboard_setup | vendor_prefixed\wpdesk\ltv-dashboard-widget\src\DashboardWidget.php:102
action | admin_enqueue_scripts | vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:148
action | wp_enqueue_scripts | vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:149
action | admin_enqueue_scripts | vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:41
action | admin_notices | vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:144
action | admin_footer | vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:145
filter | wp_autoloader_loader_loaders_to_load | vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:45
filter | wp_autoloader_loader_loaders_to_create | vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:46
action | plugins_loaded | vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\Simple\SimplePaidStrategy.php:58
action | plugins_loaded | vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:81
action | before_woocommerce_init | vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:88
action | activated_plugin | vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:102
filter | doing_it_wrong_trigger_error | vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:123
action | admin_enqueue_scripts | vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\Assets.php:28
action | admin_menu | vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:35
action | admin_init | vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:36
action | admin_notices | vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptOut.php:28
filter | plugin_row_meta | vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\PluginActionLinks.php:36
Maintenance & Trust

Autopay dla WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 7, 2026
PHP min version: 7.4
Downloads: 21K

Community Trust

Rating: 80/100
Number of ratings: 4
Active installs: 900
Developer Profile

Autopay dla WooCommerce Developer Profile

wpdesk

24 plugins · 128K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 135 days
Detection Fingerprints

How We Detect Autopay dla WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/pay-wp/assets/css/frontend.css
/wp-content/plugins/pay-wp/assets/js/frontend.js
/wp-content/plugins/pay-wp/assets/js/blik_zero.js
/wp-content/plugins/pay-wp/assets/js/card_embed.js
/wp-content/plugins/pay-wp/assets/css/admin.css
/wp-content/plugins/pay-wp/assets/js/admin.js
Script Paths
/wp-content/plugins/pay-wp/assets/js/frontend.js
/wp-content/plugins/pay-wp/assets/js/blik_zero.js
/wp-content/plugins/pay-wp/assets/js/card_embed.js
/wp-content/plugins/pay-wp/assets/js/admin.js
Version Parameters
pay-wp/assets/css/frontend.css?ver=
pay-wp/assets/js/frontend.js?ver=
pay-wp/assets/js/blik_zero.js?ver=
pay-wp/assets/js/card_embed.js?ver=
pay-wp/assets/css/admin.css?ver=
pay-wp/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wppay-form-container
wppay-card-embed-form
wppay-blik-zero-embed-form
wppay_admin_css
HTML Comments
<!-- Start of WPDesk Autopay Payment Gateway -->
<!-- End of WPDesk Autopay Payment Gateway -->
Data Attributes
data-paywp-settings
data-wppay-gateway-url
data-wppay-nonce
JS Globals
wppay_admin_object
WPPay
REST Endpoints
/wp-json/pay-wp/v1/payment