Online Payments – Get Paid with PayPal, Square & Stripe Security & Risk Analysis

wordpress.org/plugins/paypal-payment-button-by-vcita

Add a payment button to your website and get paid instantly with vcita's Online Payments solution.

100 active installs · v3.30.0 · PHP + WP 4.6+ · Updated Mar 16, 2025
Tags: payments, paypal, square, stripe, transfers
Score: 89 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Feb 17, 2025
Safety Verdict

Is Online Payments – Get Paid with PayPal, Square & Stripe Safe to Use in 2026?

Generally Safe

Score 89/100

Online Payments – Get Paid with PayPal, Square & Stripe has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Feb 17, 2025 · Updated 1yr ago
Risk Assessment

The "paypal-payment-button-by-vcita" plugin v3.30.0 has a mixed security posture. On the positive side, it uses prepared statements for all SQL queries, and none of its AJAX handlers or REST API routes are unprotected. Nonce checks are present on all identified entry points, which is a significant strength against CSRF attacks. The notable concern is the low percentage of properly escaped output (33%). This indicates a substantial risk of Cross-Site Scripting (XSS): unescaped user input rendered directly into the HTML output would allow attackers to inject malicious scripts.

Key Concerns

  • Low percentage of properly escaped output
  • Medium severity XSS and CSRF vulnerabilities in history
  • Zero capability checks on entry points
Vulnerabilities: 4

Online Payments – Get Paid with PayPal, Square & Stripe Security Vulnerabilities

CVEs by Year

  • 2023: 2 CVEs
  • 2025: 2 CVEs

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2024-11895 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Online Payments – Get Paid with PayPal, Square & Stripe <= 3.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Feb 17, 2025 Patched in 3.30.0 (1d)

CVE-2025-22661 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Online Payments – Get Paid with PayPal, Square & Stripe <= 3.20.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 15, 2025 Patched in 3.30.0 (36d)

CVE-2023-2406 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 2, 2023 Patched in 3.10.0 (235d)

CVE-2023-2407 · medium · 6.1 · Cross-Site Request Forgery (CSRF)

Event Registration Calendar By vcita <= 1.3.1 & Online Payments – Get Paid with PayPal, Square & Stripe <= 3.10.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Jun 2, 2023 Patched in 3.20.0 (657d)
Code Analysis
Analyzed Mar 16, 2026

Online Payments – Get Paid with PayPal, Square & Stripe Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 48 (24 escaped)
Nonce Checks: 5
Capability Checks: 0
File Operations: 0
External Requests: 3
Bundled Libraries: 0

Output Escaping

33% escaped · 72 total outputs

Data Flows: All sanitized

Data Flow Analysis

5 flows
ls_remote_create_module_page (core\ajax_api.php:51)
Attack Surface

Online Payments – Get Paid with PayPal, Square & Stripe Attack Surface

Entry Points: 9
Unprotected: 0

AJAX Handlers 4

auth wp_ajax_activate-module core\ajax_api.php:40
auth wp_ajax_create-module-page core\ajax_api.php:91
auth wp_ajax_remove-module-page core\ajax_api.php:139
auth wp_ajax_update-livesite-status core\ajax_api.php:181

Shortcodes 5

[livesite-pay] core\shortcodes.php:22
[vcita_pay_now] core\shortcodes.php:23
[livesite-contact] core\shortcodes.php:24
[vCitaContact] core\shortcodes.php:25
[livesite-schedule] core\shortcodes.php:26
WordPress Hooks 49
action wp_head core\sdk.php:18
action wp_enqueue_scripts core\sdk.php:19
action wp_head core\shortcodes.php:28
action admin_notices Livesite.php:45
action admin_init Livesite.php:46
action admin_menu modules\form_builder.php:55
action trash_page modules\form_builder.php:60
action add_meta_boxes modules\form_builder.php:63
action add_meta_boxes modules\form_builder.php:64
action add_meta_boxes modules\form_builder.php:65
action admin_notices modules\form_builder.php:103
action admin_enqueue_scripts modules\form_builder.php:108
action admin_enqueue_scripts modules\form_builder.php:109
action admin_menu modules\livesite_widget.php:55
action add_meta_boxes modules\livesite_widget.php:58
action add_meta_boxes modules\livesite_widget.php:59
action add_meta_boxes modules\livesite_widget.php:60
action admin_enqueue_scripts modules\livesite_widget.php:90
action admin_enqueue_scripts modules\livesite_widget.php:91
action admin_menu modules\payments.php:55
action trash_page modules\payments.php:60
action add_meta_boxes modules\payments.php:63
action add_meta_boxes modules\payments.php:64
action add_meta_boxes modules\payments.php:65
action admin_notices modules\payments.php:104
action admin_enqueue_scripts modules\payments.php:110
action admin_enqueue_scripts modules\payments.php:111
action admin_menu modules\scheduler.php:59
action delete_post modules\scheduler.php:62
action trash_page modules\scheduler.php:64
action add_meta_boxes modules\scheduler.php:67
action add_meta_boxes modules\scheduler.php:68
action add_meta_boxes modules\scheduler.php:69
action admin_notices modules\scheduler.php:107
action admin_enqueue_scripts modules\scheduler.php:111
action admin_enqueue_scripts modules\scheduler.php:112
action admin_menu plugin_init.php:27
action upgrader_process_complete plugin_init.php:29
filter plugin_action_links plugin_init.php:42
action admin_enqueue_scripts plugin_init.php:146
action admin_enqueue_scripts plugin_init.php:147
action admin_menu system\backoffice_page.php:45
action admin_enqueue_scripts system\backoffice_page.php:63
action admin_enqueue_scripts system\backoffice_page.php:64
action admin_menu system\parse_vcita_callback.php:32
action admin_menu system\reset_plugin.php:32
action admin_menu system\settings_page.php:40
action admin_enqueue_scripts system\settings_page.php:58
action admin_enqueue_scripts system\settings_page.php:59
Maintenance & Trust

Online Payments – Get Paid with PayPal, Square & Stripe Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Mar 16, 2025
PHP min version
Downloads: 52K

Community Trust

Rating: 84/100
Number of ratings: 5
Active installs: 100
Developer Profile

Online Payments – Get Paid with PayPal, Square & Stripe Developer Profile

vcita

3 plugins · 1K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 171 days
Detection Fingerprints

How We Detect Online Payments – Get Paid with PayPal, Square & Stripe

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/paypal-payment-button-by-vcita/plugin_init.php
/wp-content/plugins/paypal-payment-button-by-vcita/core/helpers.php
/wp-content/plugins/paypal-payment-button-by-vcita/core/widget.php
/wp-content/plugins/paypal-payment-button-by-vcita/js/custom.js
/wp-content/plugins/paypal-payment-button-by-vcita/css/custom.css
Script Paths
/wp-content/plugins/paypal-payment-button-by-vcita/js/custom.js
Version Parameters
paypal-payment-button-by-vcita/js/custom.js?ver=
paypal-payment-button-by-vcita/css/custom.css?ver=

HTML / DOM Fingerprints

CSS Classes
vcita-pay-button
HTML Comments
<!-- Created By: vcita.com -->
Data Attributes
data-vcita-paypal-button
JS Globals
vcita_widget_settings
Shortcode Output
[vcita-paypal-button]