Does SEPA Girocode have any unpatched vulnerabilities?

Yes — SEPA Girocode currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is SEPA Girocode compatible with WordPress 4.6.0?

According to WordPress.org data, SEPA Girocode 0.5.1 has been tested up to WordPress 4.6.0. Check the plugin's changelog for the latest compatibility information.

How often is SEPA Girocode updated?

SEPA Girocode was last updated on Unknown. Frequent updates are generally a positive security signal.

What is SEPA Girocode's security score?

SEPA Girocode has a WP-Safety security score of 78/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

SEPA Girocode Security & Risk Analysis

wordpress.org/plugins/sepa-girocode

Create EPC-Codes (in Germany known as Girocode) for money transfer | Girocode-Barcode für SEPA-Überweisungen erstellen

20 active installs v0.5.1 PHP + WP 4.0+ Updated Unknown

epcgirocodesctsepa

B · Generally Safe

CVEs total1

Unpatched1

Last CVEJun 5, 2025

Plugin page Download

Safety Verdict

Is SEPA Girocode Safe to Use in 2026?

Mostly Safe

Score 78/100

SEPA Girocode is generally safe to use. 1 past CVE were resolved. Keep it updated.

1 known CVE 1 unpatched Last CVE: Jun 5, 2025

Risk Assessment

The "sepa-girocode" v0.5.1 plugin exhibits several concerning security practices despite a limited attack surface. While the plugin has no exposed AJAX handlers or REST API routes without authentication, and no critical or high severity taint flows were identified, the codebase has significant weaknesses. The lack of any nonce or capability checks is a major concern, as it implies that even entry points that exist could be exploited without proper authorization. Furthermore, the plugin performs raw SQL queries without using prepared statements, which opens the door to SQL injection vulnerabilities. The presence of a medium severity Cross-Site Scripting (XSS) vulnerability in its history, despite the latest vulnerability being dated in the future (which is likely a data error and should be treated as a current concern), highlights a recurring issue with input sanitization and output escaping, further evidenced by only 58% of output being properly escaped. The use of the bundled TCPDF library also raises a flag, as bundled libraries can become outdated and introduce their own vulnerabilities if not actively maintained.

Key Concerns

Unpatched medium severity CVE
Raw SQL queries without prepared statements
No nonce checks on entry points
No capability checks on entry points
Significant portion of output not escaped
Flows with unsanitized paths
Bundled TCPDF library

Vulnerabilities

SEPA Girocode Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-49450medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

SEPA Girocode <= 0.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 5, 2025Unpatched

Code Analysis

Analyzed Mar 16, 2026

SEPA Girocode Code Analysis

Dangerous Functions

Raw SQL Queries

0 prepared

Unescaped Output

18 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

TCPDF

SQL Query Safety

0% prepared2 total queries

Output Escaping

58% escaped31 total outputs

Data Flows

1 unsanitized

Data Flow Analysis

1 flows1 with unsanitized paths

<index> (includes\phpqrcode\index.php:0)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

SEPA Girocode Attack Surface

Entry Points2

Unprotected0

Shortcodes 2

[girocode] sepa-girocode.php:472

[girocode-generator] sepa-girocode.php:473

WordPress Hooks 3

actionparse_requestsepa-girocode.php:476

filterquery_varssepa-girocode.php:477

actionupgrader_process_completesepa-girocode.php:479

Maintenance & Trust

SEPA Girocode Maintenance & Trust

Maintenance Signals

WordPress version tested4.6.0

Last updatedUnknown

PHP min version

Downloads2K

Community Trust

Rating20/100

Number of ratings1

Active installs20

Alternatives

SEPA Girocode Alternatives

GiroCode

girocode

This plugin displays GiroCodes for easy bank transfers. A GiroCode is a QR code with data for a transfer which can be scanned into a banking app.

20 No CVEs

Donation QR Block

donation-qr-block

100

Display an EPC/GiroCode QR code for SEPA bank donations. Scannable by banking apps to pre-fill transfer details.

0 No CVEs

Viva.com | Smart Checkout for WooCommerce

viva-com-smart-for-woocommerce

100

Take secure online payments on your WooCommerce store with Viva.com Smart Checkout. ---

5K No CVEs

CSSIgniter Shortcodes

cssigniter-shortcodes

This plugin defines and allows you to use a lot of useful shortcodes. Need a button? Sure. A message box? You know we have it.

2K 1 CVE

Icon Separator

icon-separator

100

A simple, lightweight, accessibility-ready icon separator block.

1K No CVEs

Developer Profile

SEPA Girocode Developer Profile

mhallmann

1 plugin · 20 total installs

trust score

Avg Security Score

78/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect SEPA Girocode

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/sepa-girocode/images/girocode.png

HTML / DOM Fingerprints

Data Attributes

data-sepa-girocode-class

JS Globals

sepa_girocode_class

Shortcode Output

<img src="index.php?sepa-girocode=show-code&key=<a href="index.php?sepa-girocode=get-codefile&key=

FAQ