PayTomorrow Security & Risk Analysis

wordpress.org/plugins/paytomorrow

We believe in fair financing. PayTomorrow’s unique two stage contract delivers flexible financing options with fair and transparent pricing.

60 active installs · v3.0.7 · PHP + WP 4.4+ · Updated Jul 8, 2025
Tags: financing, gateway, payment
Score: 100
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is PayTomorrow Safe to Use in 2026?

Generally Safe

Score 100/100

PayTomorrow has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 9mo ago
Risk Assessment

The "paytomorrow" plugin v3.0.7 presents a mixed picture. The absence of known CVEs is a positive signal, but with roughly 60 active installs it is as likely to reflect a lack of researcher attention as a strong track record, so the clean history should not be over-weighted. The static analysis is favourable in places: 27 of 30 outputs are escaped, no dangerous functions or file operations were found, and there are no bundled libraries that could carry third-party vulnerabilities.

The remaining metrics need careful reading. The analysis counts zero AJAX handlers, REST API routes, shortcodes and cron events and therefore reports zero entry points, but that count misses the plugin's real external surface. The hook list below includes two WooCommerce API callbacks, woocommerce_api_wc_gateway_paytomorrow and woocommerce_api_wc_gateway_paytomorrow_track, registered in classes\class-wc-gateway-paytomorrow-ipn-handler.php. WooCommerce dispatches these for any HTTP request to its wc-api endpoint, without authentication, because they exist to receive payment notifications (IPNs) from the gateway. Nonce and capability checks are not the applicable control for such a callback; what matters is whether the handler authenticates each notification with PayTomorrow (for example a signature check or a server-side verification call) before it changes order status, and the static analysis does not report on that. For the admin-side hooks (add_meta_boxes, admin_enqueue_scripts, the order status actions), missing capability checks only matter if the handlers act on request parameters, which the analysis likewise does not show. The two data flows with unsanitized paths, one rated high severity, both located in classes\class-wc-gateway-paytomorrow.php, are the findings that require manual review: they indicate user-supplied data reaching a sink without a sanitizer in between. The single SQL query is not built with $wpdb->prepare(); whether that is exploitable depends on whether one of the unsanitized flows feeds it, but a raw query in a payment plugin should use prepared statements regardless. The 13 external requests are expected for a gateway integration; the thing to verify there is that TLS certificate verification is not disabled on those calls.

In short, the vulnerability history is clean, but that is weak evidence for a plugin of this size, and the static analysis points to concrete items for review: the high-severity taint flow, the raw SQL query, and the verification logic of the IPN callbacks. The high-severity taint flow is the most pressing and should be reviewed first.

Key Concerns

  • High severity taint flow
  • Raw SQL query without prepared statement
  • No nonce checks
  • No capability checks
  • Unsanitized paths in taint analysis
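The following PHP is an added illustration by the editor, not code from the PayTomorrow plugin, showing the two code-level concerns above (a raw SQL query and an admin-side action without nonce or capability checks) each beside a hardened form. The meta keys, the pt_example_* function names, the admin_post action name and the nonce action name are assumptions made for the example.

```php
<?php
// Added example (editor's illustration), not code from the PayTomorrow plugin.
// Meta keys, function names, the admin_post action and the nonce action are assumed.

// 1. Raw SQL query vs. $wpdb->prepare().
function pt_example_find_order_raw( $application_id ) {
    global $wpdb;
    // Unsafe: the value is concatenated into the query. If it originates from an
    // HTTP request or an IPN body this is a direct SQL injection sink.
    return $wpdb->get_var(
        "SELECT post_id FROM {$wpdb->postmeta}
          WHERE meta_key = '_pt_application_id' AND meta_value = '" . $application_id . "'"
    );
}

function pt_example_find_order_prepared( $application_id ) {
    global $wpdb;
    // Hardened: the value is passed as a %s placeholder; $wpdb->prepare() quotes and
    // escapes it. Table names stay outside the placeholders.
    return $wpdb->get_var( $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta}
          WHERE meta_key = '_pt_application_id' AND meta_value = %s",
        $application_id
    ) );
}

// 2. Admin-side action: no checks vs. capability + nonce checks.
// Assumed registration: add_action( 'admin_post_pt_example_review_order', 'pt_example_admin_action_protected' );
function pt_example_admin_action_unprotected() {
    // Unsafe: any logged-in user can trigger this, and a forged cross-site form
    // can trigger it in an administrator's browser (CSRF). No role check, no token.
    $order_id = (int) ( $_POST['order_id'] ?? 0 );
    pt_example_mark_reviewed( $order_id );
}

function pt_example_admin_action_protected() {
    // Capability check: only users allowed to manage the shop may run it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Nonce check: the request must carry a token bound to this action and user,
    // which defeats CSRF. check_admin_referer() dies if the token is missing or stale.
    check_admin_referer( 'pt_example_review_order', '_pt_nonce' );

    $order_id = absint( wp_unslash( $_POST['order_id'] ?? 0 ) );
    pt_example_mark_reviewed( $order_id );
}

function pt_example_mark_reviewed( $order_id ) {
    $order = wc_get_order( $order_id );
    if ( $order ) {
        $order->update_meta_data( '_pt_reviewed', 'yes' );
        $order->save();
    }
}

// 3. Output escaping: gateway-supplied text must not land in HTML unescaped.
function pt_example_render_status( $status_from_gateway ) {
    echo '<span class="pt-status">' . esc_html( $status_from_gateway ) . '</span>';
}
```

Note that the nonce and capability pair belongs on actions a WordPress user initiates; an IPN callback reached through WooCommerce's wc-api endpoint has no user session, so its equivalent control is verifying the notification with the gateway before acting on it.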
Vulnerabilities
None known

PayTomorrow Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Code Analysis
Analyzed Mar 16, 2026

PayTomorrow Code Analysis

Dangerous Functions
0
Raw SQL Queries
1
0 prepared
Unescaped Output
3
27 escaped
Nonce Checks
0
Capability Checks
0
File Operations
0
External Requests
13
Bundled Libraries
0

SQL Query Safety

0% prepared (1 total query)

Output Escaping

90% escaped (30 total outputs)
Data Flows
2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths
Location: class-wc-gateway-paytomorrow (classes\class-wc-gateway-paytomorrow.php; no line number recorded)
Columns reported per flow: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized. No per-flow rows are present in this extract.
Attack Surface

PayTomorrow Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 17

Type     Hook                                                  Location
action   plugins_loaded                                        class-wc-paytomorrow.php:21
action   wp_enqueue_scripts                                    class-wc-paytomorrow.php:24
filter   woocommerce_payment_gateways                          class-wc-paytomorrow.php:39
action   woocommerce_blocks_loaded                             class-wc-paytomorrow.php:42
action   woocommerce_blocks_payment_method_type_registration   class-wc-paytomorrow.php:112
action   woocommerce_api_wc_gateway_paytomorrow                classes\class-wc-gateway-paytomorrow-ipn-handler.php:50
action   valid_paytomorrow_standard_ipn_request                classes\class-wc-gateway-paytomorrow-ipn-handler.php:51
action   woocommerce_api_wc_gateway_paytomorrow_track          classes\class-wc-gateway-paytomorrow-ipn-handler.php:52
action   woocommerce_before_checkout_form                      classes\class-wc-gateway-paytomorrow.php:120
action   add_meta_boxes                                        classes\class-wc-gateway-paytomorrow.php:121
action   woocommerce_order_status_cancelled                    classes\class-wc-gateway-paytomorrow.php:122
action   woocommerce_order_status_completed                    classes\class-wc-gateway-paytomorrow.php:123
action   woocommerce_thankyou                                  classes\class-wc-gateway-paytomorrow.php:124
action   admin_enqueue_scripts                                 classes\class-wc-gateway-paytomorrow.php:125
filter   is_protected_meta                                     classes\class-wc-gateway-paytomorrow.php:467
action   wp_enqueue_scripts                                    woocommerce-paytomorrow.php:59
action   woocommerce_before_add_to_cart_form                   woocommerce-paytomorrow.php:60
Maintenance & Trust

PayTomorrow Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.7.5
Last updated: Jul 8, 2025
PHP min version: not stated
Downloads: 5K

Community Trust

Rating: 0/100
Number of ratings: 0
Active installs: 60
Developer Profile

PayTomorrow Developer Profile

matthewwhitaker

1 plugin · 60 total installs

Trust score: 94
Avg Security Score
100/100
Avg Patch Time
30 days
Detection Fingerprints

How We Detect PayTomorrow

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/paytomorrow/assets/css/checkout.css
/wp-content/plugins/paytomorrow/classes/mpe/mpe-startup.js
/wp-content/plugins/paytomorrow/classes/class-wc-gateway-paytomorrow-blocks-support.php
/wp-content/plugins/paytomorrow/classes/class-wc-gateway-paytomorrow.php
/wp-content/plugins/paytomorrow/popup/js/pt-popup.js
/wp-content/plugins/paytomorrow/popup/css/pt-popup.css
/wp-content/plugins/paytomorrow/blocks/pt-payment-method.js
Script Paths
//cdn.paytomorrow.com/js/pt-mpe.min.js

HTML / DOM Fingerprints

CSS Classes
pt-mpe
Data Attributes
data-plugin-name="PayTomorrow"
data-plugin-version="3.0.7"
JS Globals
mpeSettings
popupUrl
popupCloseUrl
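As an added example (an editor's illustration, not the crawler this site uses), the PHP below applies the fingerprints listed above to a page body and reports which markers matched and the plugin version they reveal. The sample HTML fragment is constructed for the demo, and the pt_fingerprint_html helper name is an assumption.

```php
<?php
// Added example: fingerprint matcher built from the patterns listed on this page.
// Editor's illustration, not the site's crawler. The sample HTML below is constructed.

function pt_fingerprint_html( string $html ): array {
    $result = array( 'detected' => false, 'version' => null, 'evidence' => array() );

    // Plugin-specific asset paths are the strongest signal: the directory name is unique.
    if ( preg_match( '#/wp-content/plugins/paytomorrow/[^"\'\s>]+#', $html, $m ) ) {
        $result['evidence'][] = 'asset:' . $m[0];
    }

    // Vendor CDN script the plugin loads on the storefront.
    if ( strpos( $html, 'cdn.paytomorrow.com/js/pt-mpe.min.js' ) !== false ) {
        $result['evidence'][] = 'script:cdn.paytomorrow.com/js/pt-mpe.min.js';
    }

    // DOM markers: CSS class and data attributes.
    if ( preg_match( '/class="[^"]*\bpt-mpe\b[^"]*"/', $html ) ) {
        $result['evidence'][] = 'class:pt-mpe';
    }
    if ( preg_match( '/data-plugin-name="PayTomorrow"/', $html ) ) {
        $result['evidence'][] = 'attr:data-plugin-name';
    }
    if ( preg_match( '/data-plugin-version="([0-9.]+)"/', $html, $m ) ) {
        $result['version']    = $m[1];
        $result['evidence'][] = 'attr:data-plugin-version';
    }

    // JS globals the plugin defines in inline scripts (assignment form only).
    foreach ( array( 'mpeSettings', 'popupUrl', 'popupCloseUrl' ) as $global ) {
        if ( preg_match( '/\b(?:var|let|const)?\s*' . $global . '\s*=/', $html ) ) {
            $result['evidence'][] = 'js:' . $global;
        }
    }

    // Fallback version source: WordPress appends ?ver= to enqueued plugin assets.
    if ( $result['version'] === null
         && preg_match( '#/plugins/paytomorrow/[^"\'\s>]*\?ver=([0-9.]+)#', $html, $m ) ) {
        $result['version'] = $m[1];
    }

    $result['detected'] = count( $result['evidence'] ) > 0;
    return $result;
}

// Constructed sample page fragment for the demo (not captured from a real site).
$sample = <<<'HTML'
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/paytomorrow/assets/css/checkout.css?ver=3.0.7">
<script src="//cdn.paytomorrow.com/js/pt-mpe.min.js"></script>
<div class="pt-mpe" data-plugin-name="PayTomorrow" data-plugin-version="3.0.7"></div>
<script>var mpeSettings = {"popupUrl":"/?pt-popup=1"};</script>
HTML;

print_r( pt_fingerprint_html( $sample ) );
```

The version read from data-plugin-version (or the ?ver= query string) is what lets an audit compare an installed copy against the v3.0.7 analysed here; a site reporting an older version should be treated as unreviewed.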
FAQ

Frequently Asked Questions about PayTomorrow