Quick Paypal Payments Security & Risk Analysis

wordpress.org/plugins/quick-paypal-payments

Zero to PayPal with just one shortcode. Jam packed with features and options with easy to use custom settings.

1K active installs · v5.7.50 · PHP 7.4+ · WP 5.3+ · Updated Feb 24, 2026

Tags: payments, paypal, paypal-payment-form

Score 91 · A · Safe

CVEs total 7
Unpatched 0
Last CVE Sep 4, 2025
Safety Verdict

Is Quick Paypal Payments Safe to Use in 2026?

Generally Safe

Score 91/100

Quick Paypal Payments has a strong security track record. Known vulnerabilities have been patched promptly.

7 known CVEs · Last CVE: Sep 4, 2025 · Updated 1mo ago
Risk Assessment

The plugin "quick-paypal-payments" v5.7.50 exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query handling (100% prepared statements) and a high percentage of output escaping (89%), significant concerns arise from its attack surface and vulnerability history. The presence of 7 AJAX handlers, with 5 lacking authentication checks, represents a considerable risk. Taint analysis revealed 6 flows with unsanitized paths, indicating potential for input manipulation and subsequent exploitation, even though no critical or high severity issues were flagged in this specific analysis.

The historical vulnerability data is a strong indicator of past security weaknesses. With a total of 7 known CVEs, including 2 high and 5 medium severity vulnerabilities, and common types such as CSRF, XSS, and Missing Authorization, there is a pattern of recurring security flaws. Although there are currently no unpatched CVEs, the frequent discovery of vulnerabilities suggests ongoing challenges in maintaining a secure codebase. The last reported vulnerability, on 2025-09-04, also suggests potential for future disclosures.

In conclusion, while the current static analysis does not report critical vulnerabilities and good practices in SQL handling are evident, the substantial unprotected attack surface and the plugin's history of multiple high and medium severity vulnerabilities warrant caution. The prevalence of unsanitized paths in the taint analysis, coupled with the past issues, suggests that users should remain vigilant and ensure prompt updates when new versions are released.

Key Concerns

  • 5 AJAX handlers without auth checks
  • 6 Taint flows with unsanitized paths
  • 2 High severity CVEs historically
  • 5 Medium severity CVEs historically
  • Bundled Freemius v1.0 library
Vulnerabilities (7)

Quick Paypal Payments Security Vulnerabilities

CVEs by Year

2013: 1 CVE
2023: 5 CVEs
2025: 1 CVE

Severity Breakdown

High 2
Medium 5

7 total CVEs

CVE-2025-27003 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Quick Paypal Payments <= 5.7.46 - Cross-Site Request Forgery

Sep 4, 2025 · Patched in 5.7.47 (6d)

CVE-2023-1554 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Quick Paypal Payments <= 5.7.26.3 - Authenticated (Administrator+) Stored Cross-Site Scripting

Mar 27, 2023 · Patched in 5.7.26.4 (302d)

CVE-2023-23889 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Quick Paypal Payments <= 5.7.25 - Authenticated (Contributor+) Cross Site Scripting

Feb 15, 2023 · Patched in 5.7.26 (342d)

CVE-2023-25713 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Quick Paypal Payments <= 5.7.25 - Unauthenticated Stored Cross Site Scripting

Feb 14, 2023 · Patched in 5.7.26 (343d)

CVE-2023-25714 · high · 7.3 · Missing Authorization

Quick Paypal Payments <= 5.7.25 - Missing Authorization

Feb 14, 2023 · Patched in 5.7.26 (343d)

CVE-2023-25702 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Quick Paypal Payments <= 5.7.25 - Authenticated (Administrator+) Stored Cross-Site Scripting

Feb 10, 2023 · Patched in 5.7.26 (347d)

WF-6e3524a6-4f12-4640-96a0-da60afa0b770-quick-paypal-payments · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Quick Paypal Payments < 3.1 - Cross-Site Scripting

Oct 18, 2013 · Patched in 3.1 (3749d)
Code Analysis
Analyzed Mar 16, 2026

Quick Paypal Payments Code Analysis

Dangerous Functions 0
Raw SQL Queries 0 (0 prepared)
Unescaped Output 30 (249 escaped)
Nonce Checks 29
Capability Checks 2
File Operations 3
External Requests 3
Bundled Libraries 1

Bundled Libraries

Freemius 1.0

Output Escaping

89% escaped · 279 total outputs

Data Flows: 6 unsanitized

Data Flow Analysis

7 flows · 6 with unsanitized paths

qpp_show_messages (legacy\messages.php:45)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface: 5 unprotected

Quick Paypal Payments Attack Surface

Entry Points 10
Unprotected 5

AJAX Handlers 7

auth · wp_ajax_qpp_dismiss_notice · control\class-plugin.php:82
auth · wp_ajax_qpp_validate_form · legacy\quick-paypal-payments.php:29
nopriv · wp_ajax_qpp_validate_form · legacy\quick-paypal-payments.php:30
auth · wp_ajax_qpp_process_payment · legacy\quick-paypal-payments.php:31
nopriv · wp_ajax_qpp_process_express_checkout_payment · legacy\quick-paypal-payments.php:32
auth · wp_ajax_qpp_refresh_nonce · ui\admin\class-admin.php:50
nopriv · wp_ajax_qpp_refresh_nonce · ui\admin\class-admin.php:51

Shortcodes 3

[qpp] legacy\quick-paypal-payments.php:18
[qppreport] legacy\quick-paypal-payments.php:19
[test] ui\user\class-frontend.php:69
WordPress Hooks 30

filter · is_submenu_visible · control\class-freemius-config.php:62
action · init · legacy\functions\qpp_block.php:24
filter · is_submenu_visible · legacy\messages.php:5
action · wp_footer · legacy\quick-paypal-payments.php:17
filter · plugin_action_links · legacy\quick-paypal-payments.php:20
action · wp_enqueue_scripts · legacy\quick-paypal-payments.php:26
action · template_redirect · legacy\quick-paypal-payments.php:27
action · wp_head · legacy\quick-paypal-payments.php:28
action · wp_head · legacy\quick-paypal-payments.php:61
action · wp_head · legacy\quick-paypal-payments.php:89
action · wp_head · legacy\quick-paypal-payments.php:660
action · widgets_init · legacy\quick-paypal-payments.php:2304
action · wp_mail_failed · legacy\quick-paypal-payments.php:3387
action · init · legacy\settings.php:5
action · admin_menu · legacy\settings.php:6
action · admin_menu · legacy\settings.php:7
action · plugin_row_meta · legacy\settings.php:8
action · wp_head · legacy\settings.php:14
action · admin_enqueue_scripts · legacy\settings.php:2065
action · after_uninstall · quick-paypal-payments.php:71
action · admin_enqueue_scripts · ui\admin\class-admin-pages.php:72
filter · screen_layout_columns · ui\admin\class-admin-pages.php:75
action · admin_menu · ui\admin\class-admin-settings.php:74
action · admin_enqueue_scripts · ui\admin\class-admin.php:44
action · admin_enqueue_scripts · ui\admin\class-admin.php:45
action · admin_notices · ui\admin\class-admin.php:46
action · init · ui\admin\class-admin.php:47
action · wp_enqueue_scripts · ui\user\class-frontend.php:45
action · wp_enqueue_scripts · ui\user\class-frontend.php:46
action · wp · ui\user\class-frontend.php:48
Maintenance & Trust

Quick Paypal Payments Maintenance & Trust

Maintenance Signals

WordPress version tested 6.9.4
Last updated Feb 24, 2026
PHP min version 7.4
Downloads 231K

Community Trust

Rating 88/100
Number of ratings 32
Active installs 1K
Developer Profile

Quick Paypal Payments Developer Profile

fullworks

13 plugins · 79K total installs

Trust score 75
Avg Security Score 94/100
Avg Patch Time 1372 days
Detection Fingerprints

How We Detect Quick Paypal Payments

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/quick-paypal-payments/payments.css
/wp-content/plugins/quick-paypal-payments/custom.css
/wp-content/plugins/quick-paypal-payments/jquery-ui.css

Script Paths
/wp-content/plugins/quick-paypal-payments/payments.js

Version Parameters
quick-paypal-payments/payments.js?ver=5.7.50
quick-paypal-payments/payments.css?ver=5.7.50
quick-paypal-payments/jquery-ui.css?ver=1.8.9

HTML / DOM Fingerprints

CSS Classes
qpp_input_field, qpp_label_field, qpp_amount_field, qpp_payment_id_field, qpp_form_wrapper, qpp_payment_button_wrapper

HTML Comments
"Register the scripts we need", "Add footer event to fire and include the javascript file only when needed", "Function which displays registered scripts", "ONLY IF $qpp_shortcode_exists EXISTS", +2 more

Data Attributes
data-qpp-id, data-qpp-currency, data-qpp-amount, data-qpp-payment-id, data-qpp-item-name, data-qpp-custom, +4 more

JS Globals
qpp_data, qpp_shortcode_exists, qpp_current_custom, qpp_end_loop, qpp_attributes

REST Endpoints
/wp-json/qpp/v1/validate
/wp-json/qpp/v1/process_payment

Shortcode Output
[qpp], [qppreport]
FAQ

Frequently Asked Questions about Quick Paypal Payments