SmartPay Security & Risk Analysis

wordpress.org/plugins/smartpay

Sell digital downloads and accept payments including donations easily with Stripe, PayPal, Paddle etc. - simple, fast, and secure.

100 active installs · v2.8.2 · PHP 8.1+ · WP 6.0+ · Updated Oct 5, 2025
Tags: digital-product, donations, download-manager, ecommerce, payment-gateways
Security score: 97 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Jun 24, 2025
Safety Verdict

Is SmartPay Safe to Use in 2026?

Generally Safe

Score 97/100

SmartPay has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Jun 24, 2025 · Updated 7mo ago
Risk Assessment

The 'smartpay' plugin v2.8.2 presents a mixed security posture. While the code analysis shows a good percentage of SQL queries using prepared statements and properly escaped outputs, a significant concern is the large number of unprotected REST API routes (12 out of 12). This creates a substantial attack surface that could be exploited for unauthorized actions or information disclosure. The taint analysis, though limited in scope, did not reveal any critical or high-severity unsanitized paths, which is a positive sign. However, the plugin's vulnerability history is concerning, with two known CVEs, including a past high-severity vulnerability related to authorization bypass and sensitive information exposure. The fact that there are currently no unpatched CVEs is a strength, but the historical pattern of such vulnerabilities suggests potential for recurring issues in these areas, especially if the underlying code logic is not robustly secured against common attack vectors.

Key Concerns

  • 12 unprotected REST API routes
  • Past High Severity CVE
  • Past Medium Severity CVE
  • 5 unsanitized flows (taint analysis)
Vulnerabilities
2 published

SmartPay Security Vulnerabilities

CVEs by Year

2 CVEs in 2025 (all patched)

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2025-25171 · High · 8.8 · Authorization Bypass Through User-Controlled Key

WP SmartPay <= 2.7.13 - Authenticated (Subscriber+) Account Takeover

Jun 24, 2025 · Patched in 2.8.0 (120d)

CVE-2025-3851 · Medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Download Manager and Payment Form WordPress Plugin – WP SmartPay 1.1.0 - 2.7.13 - Authenticated (Subscriber+) Information Exposure

May 6, 2025 · Patched in 2.8.0 (183d)
Version History

SmartPay Release Timeline

Code Analysis
Analyzed Mar 16, 2026

SmartPay Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 10 (24 prepared)
Unescaped Output: 53 (443 escaped)
Nonce Checks: 6
Capability Checks: 7
File Operations: 12
External Requests: 1
Bundled Libraries: 0

SQL Query Safety

71% prepared · 34 total queries

Output Escaping

89% escaped · 496 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

5 flows · 5 with unsanitized paths
processDownload (app\Modules\Frontend\Utilities\Downloader.php:28)
Attack Surface
12 unprotected

SmartPay Attack Surface

Entry Points: 17
Unprotected: 12

AJAX Handlers 1

wp_ajax_toggle_integration_activation (auth) · app\Modules\Integration\Integration.php:17

REST API Routes 12

GET /wp-json/smartpay/v1/reports · app\Modules\Admin\Report.php:22
GET /wp-json/smartpay/v1/coupons · app\Modules\Coupon\Coupon.php:43
GET /wp-json/smartpay/v1/coupons/(?P<id>[\d]+) · app\Modules\Coupon\Coupon.php:56
GET /wp-json/smartpay/v1/customers · app\Modules\Customer\Customer.php:30
GET /wp-json/smartpay/v1/customers/(?P<id>[\d]+) · app\Modules\Customer\Customer.php:43
GET /wp-json/smartpay/v1/forms · app\Modules\Form\Form.php:58
GET /wp-json/smartpay/v1/forms/(?P<id>[\d]+) · app\Modules\Form\Form.php:71
GET /wp-json/smartpay/v1/public/customers/(?P<id>[\d]+) · app\Modules\Frontend\Common.php:50
GET /wp-json/smartpay/v1/payments · app\Modules\Payment\Payment.php:35
GET /wp-json/smartpay/v1/payments/(?P<id>[\d]+) · app\Modules\Payment\Payment.php:48
GET /wp-json/smartpay/v1/products · app\Modules\Product\Product.php:35
GET /wp-json/smartpay/v1/products/(?P<id>[\d]+) · app\Modules\Product\Product.php:48

Shortcodes 4

[smartpay_form] app\Modules\Shortcode\Shortcode.php:15
[smartpay_product] app\Modules\Shortcode\Shortcode.php:18
[smartpay_payment_receipt] app\Modules\Shortcode\Shortcode.php:21
[smartpay_dashboard] app\Modules\Shortcode\Shortcode.php:24

WordPress Hooks 17

action admin_init · app\Modules\Admin\Setting.php:12
filter upload_dir · app\Modules\Admin\Utilities\WPHooks.php:17
action smartpay_free_ajax_process_payment · app\Modules\Gateway\Gateways\ManualPurchase\FreePurchase.php:40
action smartpay_free_subscription_process_payment · app\Modules\Gateway\Gateways\ManualPurchase\FreePurchase.php:41
action admin_notices · app\Modules\Gateway\Gateways\PaypalStandard.php:28
action admin_notices · app\Modules\Gateway\Gateways\PaypalStandard.php:42
action smartpay_paypal_process_payment · app\Modules\Gateway\Gateways\PaypalStandard.php:60
action smartpay_before_payment_receipt · app\Modules\Gateway\Gateways\PaypalStandard.php:62
action smartpay_paypal_ajax_process_payment · app\Modules\Gateway\Gateways\PaypalStandard.php:64
filter smartpay_settings_sections_gateways · app\Modules\Gateway\Gateways\PaypalStandard.php:66
filter smartpay_settings_gateways · app\Modules\Gateway\Gateways\PaypalStandard.php:68
action init · app\Modules\Gateway\Gateways\PaypalStandard.php:70
action smartpay_paypal_web_accept · app\Modules\Gateway\Gateways\PaypalStandard.php:72
action plugins_loaded · bootstrap.php:24
action admin_notices · bootstrap.php:28
action plugins_loaded · smartpay.php:47
action init · smartpay.php:54

Scheduled Events 1

smartpay_cleanup_file_symlinks

Maintenance & Trust

SmartPay Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Oct 5, 2025
PHP min version: 8.1
Downloads: 15K

Community Trust

Rating: 94/100
Number of ratings: 19
Active installs: 100

Developer Profile

SmartPay Developer Profile

Convers Lab

3 plugins · 2K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 104 days

Detection Fingerprints

How We Detect SmartPay

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/smartpay/public/css/admin.css
/wp-content/plugins/smartpay/public/js/admin.js
Script Paths
/wp-content/plugins/smartpay/public/js/admin.js
Version Parameters
smartpay/public/css/admin.css?ver=
smartpay/public/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
smartpay-svg-icon
Data Attributes
data-sp-admin-page, data-sp-form-builder-page, data-sp-settings-page, data-sp-integrations-page
JS Globals
smartpay
REST Endpoints
/wp-json/smartpay/

FAQ

Frequently Asked Questions about SmartPay