Simple Payment Security & Risk Analysis

wordpress.org/plugins/simple-payment

Simple Payment enables a simple, fast and powerful integration to process payments. Convert any Post/Page to a product - easy and very customizable to …

50 active installs · v2.4.7 · PHP 7.4+ · WP 4.6+ · Updated Oct 6, 2025
Tags: checkout, credit-card, donation, membership, simple-payment

Security score: 87 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Oct 29, 2025
Safety Verdict

Is Simple Payment Safe to Use in 2026?

Generally Safe

Score 87/100

Simple Payment has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Oct 29, 2025 · Updated 6mo ago
Risk Assessment

The "simple-payment" plugin v2.4.7 exhibits a mixed security posture. On the positive side, it demonstrates good practices in its use of prepared statements for SQL queries, a high percentage of properly escaped output, and a reasonable number of capability and nonce checks. The attack surface is also relatively small, with no apparent unprotected entry points detected during static analysis.

However, several significant concerns warrant attention. The presence of the `unserialize` function is a critical risk, as it can lead to Remote Code Execution if used with untrusted data. The taint analysis reveals 5 high-severity flows with unsanitized paths, that is, paths on which user-controlled input reaches a dangerous sink without passing through a sanitizer. Furthermore, the plugin's history of 4 known CVEs, including a critical Authentication Bypass and a high-severity PHP Remote File Inclusion, suggests a pattern of exploitable weaknesses. While no CVEs are currently unpatched, this history indicates that the plugin has been a target and has had serious security flaws in the past.

In conclusion, while "simple-payment" v2.4.7 has improved in some areas like SQL handling and output escaping, the inherent risk associated with `unserialize` and the identified high-severity taint flows, combined with its past vulnerability record, necessitate caution. Users should remain vigilant and ensure the plugin is kept updated, as past issues indicate a potential for recurring security problems.

Key Concerns

  • Presence of unserialize function
  • 5 high severity unsanitized taint flows
  • Past critical CVE history
  • Past high severity CVE history (2)
  • Past medium severity CVE history
Vulnerabilities (4)

Simple Payment Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 3 CVEs

Severity Breakdown

Critical: 1
High: 2
Medium: 1

4 total CVEs

CVE-2025-62075 · High (8.1) · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Simple Payment <= 2.4.6 - Unauthenticated Local File Inclusion

Oct 29, 2025 · Patched in 2.4.7 (6 days)

CVE-2025-62076 · High (7.2) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Payment <= 2.4.6 - Unauthenticated Stored Cross-Site Scripting

Oct 29, 2025 · Patched in 2.4.7 (6 days)

CVE-2025-6688 · Critical (9.8) · Authentication Bypass Using an Alternate Path or Channel

Simple Payment 1.3.6 - 2.3.8 - Authentication Bypass to Admin

Jun 26, 2025 · Patched in 2.3.9 (1 day)

CVE-2024-54303 · Medium (6.1) · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Payment <= 2.3.7 - Reflected Cross-Site Scripting

Dec 11, 2024 · Patched in 2.3.8 (9 days)
Code Analysis
Analyzed Mar 16, 2026

Simple Payment Code Analysis

Dangerous Functions: 1
Raw SQL Queries: 1 (27 prepared)
Unescaped Output: 96 (372 escaped)
Nonce Checks: 7
Capability Checks: 17
File Operations: 0
External Requests: 5
Bundled Libraries: 0

Dangerous Functions Found

unserialize · addons\admin-columns-pro\classes\Export\Model\Entry\ItemList.php:17

$items = unserialize( (string) $this->column->get_raw_value( $id ), [ 'allowed_classes' => false ] );

Note that this call passes 'allowed_classes' => false, so PHP instantiates no objects during deserialization (any serialized object becomes __PHP_Incomplete_Class); the remaining exposure depends on where the raw column value originates and how $items is used afterwards.

SQL Query Safety

96% prepared (28 total queries)

Output Escaping

79% escaped (468 total outputs)
Data Flows (11 unsanitized)

Data Flow Analysis

21 flows, 11 with unsanitized paths
Listed flow: sp_wc_maybe_failed_order (addons\woocommerce\init.php:64)
Attack Surface

Simple Payment Attack Surface

Entry Points: 1
Unprotected: 0

Shortcodes (1)

[simple_payment] · simple-payment-plugin.php:132

WordPress Hooks (116)

Type · Hook · Location
action · acp/admin/settings/hide_on_screen · addons\admin-columns-pro\classes\Admin.php:15
action · ac/list_screen/column_created · addons\admin-columns-pro\classes\Column\EntryConfigurator.php:24
filter · sp_get_entries_args_entry_list · addons\admin-columns-pro\classes\Editing\RequestHandler\Query\Entry.php:31
filter · sp_get_entries_args_entry_list · addons\admin-columns-pro\classes\Export\Strategy\Entry.php:18
filter · sp_entries_field_value · addons\admin-columns-pro\classes\ListScreen\Entry.php:65
filter · sp_get_entries_args_entry_list · addons\admin-columns-pro\classes\Search\Query.php:16
filter · sp_query_sql · addons\admin-columns-pro\classes\Search\Query.php:17
action · sp_pre_entry_list · addons\admin-columns-pro\classes\Search\TableScreen\Entry.php:12
action · ac/column_groups · addons\admin-columns-pro\classes\Service\ColumnGroup.php:15
action · ac/column_types · addons\admin-columns-pro\classes\Service\Columns.php:12
action · ac/list_screen_groups · addons\admin-columns-pro\classes\Service\ListScreens.php:14
action · ac/list_keys · addons\admin-columns-pro\classes\Service\ListScreens.php:15
action · ac/admin_scripts · addons\admin-columns-pro\classes\Service\Scripts.php:23
action · ac/table_scripts · addons\admin-columns-pro\classes\Service\Scripts.php:24
action · ac/list_screens · addons\admin-columns-pro\classes\SimplePayment.php:89
filter · acp/editing/result · addons\admin-columns-pro\classes\TableScreen\Entry.php:15
action · ac/table/list_screen · addons\admin-columns-pro\classes\TableScreen\Entry.php:16
action · ac/table/list_screen · addons\admin-columns-pro\classes\TableScreen\Entry.php:17
action · ac/table/list_screen · addons\admin-columns-pro\classes\TableScreen\Entry.php:18
action · ac/admin_head · addons\admin-columns-pro\classes\TableScreen\Entry.php:19
action · ac/admin_head · addons\admin-columns-pro\classes\TableScreen\Entry.php:20
action · init · addons\elementor\init.php:95
action · plugins_loaded · addons\elementor\init.php:96
action · admin_notices · addons\elementor\init.php:135
action · admin_notices · addons\elementor\init.php:141
action · elementor/widgets/widgets_registered · addons\elementor\init.php:146
action · elementor/controls/controls_registered · addons\elementor\init.php:147
filter · safe_style_css · addons\gravityforms\class-json.php:216
action · gform_loaded · addons\gravityforms\init.php:11
action · wp · addons\gravityforms\init.php:13
action · wp · addons\gravityforms\init.php:14
action · sp_payment_success · addons\gravityforms\init.php:94
action · sp_payment_status · addons\gravityforms\init.php:95
action · sp_payment_verify · addons\gravityforms\init.php:98
action · gform_enqueue_scripts · addons\gravityforms\init.php:102
filter · sp_payment_pre_process_filter · addons\gravityforms\init.php:103
filter · gform_confirmation · addons\gravityforms\init.php:723
action · init · addons\gutenberg\init.php:16
action · sp_form_render · addons\invisible-recaptcha\init.php:12
filter · sp_form_validation · addons\invisible-recaptcha\init.php:13
filter · woocommerce_payment_gateways · addons\woocommerce\init.php:16
action · sp_creditcard_token · addons\woocommerce\init.php:59
action · plugins_loaded · addons\woocommerce\init.php:62
action · wc_ajax_checkout · addons\woocommerce\init.php:90
action · woocommerce_email_before_order_table · addons\woocommerce\init.php:160
filter · woocommerce_available_payment_gateways · addons\woocommerce\init.php:163
filter · woocommerce_get_customer_payment_tokens · addons\woocommerce\init.php:164
filter · wc_payment_gateway_form_saved_payment_methods_html · addons\woocommerce\init.php:165
filter · woocommerce_payment_methods_list_item · addons\woocommerce\init.php:167
filter · woocommerce_payment_token_class · addons\woocommerce\init.php:169
filter · woocommerce_credit_card_form_fields · addons\woocommerce\init.php:179
filter · woocommerce_payment_gateway_get_new_payment_method_option_html · addons\woocommerce\init.php:800
action · add_meta_boxes · addons\woocommerce\metabox.php:26
action · admin_enqueue_scripts · addons\woocommerce\metabox.php:27
action · woocommerce_scheduled_subscription_payment_simple-payment · addons\woocommerce-subscriptions\init.php:12
action · woocommerce_subscription_failing_payment_method_updated_simple-payment · addons\woocommerce-subscriptions\init.php:88
filter · sp_wc_payment_args · addons\woocommerce-subscriptions\init.php:94
filter · sp_woocommerce_supports · addons\woocommerce-subscriptions\init.php:103
filter · wpjb_payment_render_response · addons\wpjobboard\form.php:13
action · sp_payment_success · addons\wpjobboard\gateway.php:13
filter · wpjb_payments_list · addons\wpjobboard\init.php:13
filter · wpjb_list_currency · addons\wpjobboard\init.php:14
action · sp_extension_zapier · addons\zapier\init.php:3
action · upgrader_process_complete · admin\admin.php:36
action · admin_notices · admin\admin.php:38
filter · plugin_row_meta · admin\admin.php:45
filter · display_post_states · admin\admin.php:47
action · admin_menu · admin\admin.php:48
filter · set-screen-option · admin\admin.php:52
action · admin_init · admin\admin.php:64
action · admin_enqueue_scripts · admin\admin.php:78
action · admin_init · admin\admin.php:83
action · sp_payment_verify · admin\transaction-list-table.php:280
action · plugins_loaded · db\simple-payment-database.php:7
filter · sp_payment_pre_process_filter · engines\cardcom.php:9
filter · gform_simplepayment_return_url · engines\cardcom.php:32
filter · sp_payment_callback · engines\cardcom.php:44
action · plugins_loaded · simple-payment-plugin.php:102
action · wp_loaded · simple-payment-plugin.php:103
filter · cron_schedules · simple-payment-plugin.php:105
filter · allowed_redirect_hosts · simple-payment-plugin.php:108
action · sp_cron · simple-payment-plugin.php:111
action · sp_cron_purge · simple-payment-plugin.php:112
action · admin_init · simple-payment-plugin.php:114
action · parse_request · simple-payment-plugin.php:131
action · sp_validate_license · simple-payment-plugin.php:134
action · upgrader_process_complete · simple-payment-plugin.php:135
action · init · tgm\class-tgm-plugin-activation.php:268
filter · load_textdomain_mofile · tgm\class-tgm-plugin-activation.php:269
action · init · tgm\class-tgm-plugin-activation.php:272
action · admin_menu · tgm\class-tgm-plugin-activation.php:421
action · admin_head · tgm\class-tgm-plugin-activation.php:422
filter · install_plugin_complete_actions · tgm\class-tgm-plugin-activation.php:425
filter · update_plugin_complete_actions · tgm\class-tgm-plugin-activation.php:426
action · admin_notices · tgm\class-tgm-plugin-activation.php:429
action · admin_init · tgm\class-tgm-plugin-activation.php:430
action · admin_enqueue_scripts · tgm\class-tgm-plugin-activation.php:431
action · load-plugins.php · tgm\class-tgm-plugin-activation.php:436
action · switch_theme · tgm\class-tgm-plugin-activation.php:439
action · switch_theme · tgm\class-tgm-plugin-activation.php:442
action · admin_init · tgm\class-tgm-plugin-activation.php:447
action · switch_theme · tgm\class-tgm-plugin-activation.php:452
action · load_textdomain_mofile · tgm\class-tgm-plugin-activation.php:475
filter · upgrader_source_selection · tgm\class-tgm-plugin-activation.php:889
action · plugins_loaded · tgm\class-tgm-plugin-activation.php:2112
filter · tgmpa_table_data_items · tgm\class-tgm-plugin-activation.php:2236
filter · upgrader_source_selection · tgm\class-tgm-plugin-activation.php:2977
action · admin_init · tgm\class-tgm-plugin-activation.php:3147
action · upgrader_process_complete · tgm\class-tgm-plugin-activation.php:3242
filter · upgrader_post_install · tgm\class-tgm-plugin-activation.php:3301
filter · upgrader_post_install · tgm\class-tgm-plugin-activation.php:3446
action · tgmpa_register · tgm\tgm.php:36
filter · pre_set_site_transient_update_plugins · updater.php:72
filter · plugins_api · updater.php:73
action · admin_init · updater.php:76
filter · pre_set_site_transient_update_plugins · updater.php:235

Scheduled Events (2)

sp_cron
sp_cron_purge
Maintenance & Trust

Simple Payment Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 6, 2025
PHP min version: 7.4
Downloads: 11K

Community Trust

Rating: 100/100
Number of ratings: 3
Active installs: 50
Developer Profile

Simple Payment Developer Profile

Ido Kobelkowsky

1 plugin · 50 total installs

Trust score: 91
Avg Security Score: 87/100
Avg Patch Time: 6 days
Detection Fingerprints

How We Detect Simple Payment

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/simple-payment/assets/css/frontend.css
/wp-content/plugins/simple-payment/assets/js/frontend.js
Script Paths
/wp-content/plugins/simple-payment/assets/js/frontend.js
Version Parameters
simple-payment/assets/css/frontend.css?ver=
simple-payment/assets/js/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
simple-payment-form
HTML Comments
<!-- Simple Payment -->
<!-- /Simple Payment -->
<!-- Simple Payment Form -->
<!-- End Simple Payment Form -->
Data Attributes
data-simple-payment-nonce
JS Globals
simple_payment_params
REST Endpoints
/wp-json/simple-payment/v1/process_payment
Shortcode Output
[simple_payment_form
[simple_payment_button
FAQ

Frequently Asked Questions about Simple Payment