Stan Checkout Security & Risk Analysis

wordpress.org/plugins/stan-checkout

Vendez plus. Vendez mieux et plus vite avec Stan Xpress Checkout !

0 active installs v1.3.6 PHP + WP 5.0.0+ Updated Nov 7, 2024
checkoutpaiementpaymentstanstanapp
92
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Stan Checkout Safe to Use in 2026?

Generally Safe

Score 92/100

Stan Checkout has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 1yr ago
Risk Assessment

The "stan-checkout" plugin v1.3.6 exhibits significant security concerns despite its lack of recorded CVEs. The static analysis reveals a concerningly large attack surface, with all three identified REST API routes lacking proper permission callbacks. This means any user, regardless of their role or privileges, could potentially interact with these endpoints. Additionally, the complete absence of nonce checks and capability checks on the identified entry points amplifies this risk, as it provides no mechanism to verify user intent or authorization. While the plugin utilizes prepared statements for all SQL queries and a high percentage of outputs are properly escaped, these strengths are overshadowed by the fundamental security flaws in its access control mechanisms. The taint analysis, though limited in scope with only two flows analyzed, found two flows with unsanitized paths, which could indicate potential injection vulnerabilities if these paths are user-controlled. The absence of any historical vulnerabilities is positive, but it does not negate the present risks identified in the code analysis, which suggest a lack of secure development practices regarding input validation and authorization. Therefore, while the plugin shows some good practices in data handling (SQL and output escaping), its unprotected entry points and lack of authorization checks present a critical risk.

Key Concerns

  • REST API routes without permission callbacks
  • No nonce checks on entry points
  • No capability checks on entry points
  • Taint flows with unsanitized paths
Vulnerabilities
None known

Stan Checkout Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Stan Checkout Release Timeline

v1.3.6Current
v1.3.5
v1.3.4
v1.3.3
vv1.3.2
v1.3.1
v1.3.0
v1.2.7
v1.2.6
v1.2.5
vv1.2.5
vv1.2.4
vv1.2.3
vv1.2.2
vv1.2.1
v1.2.0
v1.1.1
v1.1.0
Code Analysis
Analyzed Apr 16, 2026

Stan Checkout Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
8 prepared
Unescaped Output
8
43 escaped
Nonce Checks
0
Capability Checks
0
File Operations
1
External Requests
5
Bundled Libraries
0

SQL Query Safety

100% prepared8 total queries

Output Escaping

84% escaped51 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths
handle_notify_order (includes/classes/class-wc-stan-checkout-payment-gateway.php:240)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
3 unprotected

Stan Checkout Attack Surface

Entry Points3
Unprotected3

REST API Routes 3

GET/wp-json/stan/checkoutsincludes/classes/class-wc-stan-checkout-cart-api.php:62
GET/wp-json/stan/cartsincludes/classes/class-wc-stan-checkout-cart-api.php:69
GET/wp-json/stan/webhooksincludes/classes/class-wc-stan-checkout-webhook-api.php:57
WordPress Hooks 23
actionwoocommerce_before_checkout_billing_formincludes/classes/class-wc-stan-checkout-button.php:36
actionwoocommerce_before_cart_totalsincludes/classes/class-wc-stan-checkout-button.php:37
actionwoocommerce_widget_shopping_cart_buttonsincludes/classes/class-wc-stan-checkout-button.php:38
actionwoocommerce_before_add_to_cart_buttonincludes/classes/class-wc-stan-checkout-button.php:39
filterjson_endpointsincludes/classes/class-wc-stan-checkout-cart-api.php:25
actionrest_api_initincludes/classes/class-wc-stan-checkout-cart-api.php:27
filterwoocommerce_add_to_cart_redirectincludes/classes/class-wc-stan-checkout-cart-api.php:91
filterwoocommerce_gateway_titleincludes/classes/class-wc-stan-checkout-payment-gateway.php:88
filterwoocommerce_available_payment_gatewaysincludes/classes/class-wc-stan-checkout-payment-gateway.php:96
filterjson_endpointsincludes/classes/class-wc-stan-checkout-webhook-api.php:25
actionrest_api_initincludes/classes/class-wc-stan-checkout-webhook-api.php:27
actionplugins_loadedincludes/classes/class-wc-stan-checkout.php:321
actionadmin_enqueue_scriptsincludes/classes/class-wc-stan-checkout.php:336
actionadmin_enqueue_scriptsincludes/classes/class-wc-stan-checkout.php:337
actionwp_enqueue_scriptsincludes/classes/class-wc-stan-checkout.php:352
actionwp_enqueue_scriptsincludes/classes/class-wc-stan-checkout.php:353
filterwoocommerce_payment_gatewaysincludes/classes/class-wc-stan-checkout.php:386
actioninitincludes/classes/class-wc-stan-checkout.php:387
actionshutdownincludes/wc-stan-utils.php:60
actionplugins_loadedwc-stan-checkout.php:103
actionadmin_noticeswc-stan-checkout.php:120
actionbefore_woocommerce_initwc-stan-checkout.php:130
filterplugin_action_links_wc-stan-checkout/wc-stan-checkout.phpwc-stan-checkout.php:156
Maintenance & Trust

Stan Checkout Maintenance & Trust

Maintenance Signals

WordPress version tested6.5.8
Last updatedNov 7, 2024
PHP min version
Downloads3K

Community Trust

Rating100/100
Number of ratings1
Active installs0
Developer Profile

Stan Checkout Developer Profile

Jonathan - CTO Brightweb

2 plugins · 10 total installs

86
trust score
Avg Security Score
89/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Stan Checkout

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/stan-checkout/admin/css/wc-stan-checkout-admin.css/wp-content/plugins/stan-checkout/public/css/wc-stan-checkout-public.css/wp-content/plugins/stan-checkout/public/js/wc-stan-checkout-public.js
Script Paths
/wp-content/plugins/stan-checkout/public/js/wc-stan-checkout-public.js
Version Parameters
stan-checkout/admin/css/wc-stan-checkout-admin.css?ver=stan-checkout/public/css/wc-stan-checkout-public.css?ver=stan-checkout/public/js/wc-stan-checkout-public.js?ver=

HTML / DOM Fingerprints

CSS Classes
stan-checkout-btn-primarystan-checkout-btn-secondarystan-checkout-input-errorstan-checkout-input-successstan-checkout-loading-overlaystan-checkout-checkout-field
HTML Comments
<!-- Stan Checkout Payment Gateway --><!-- End Stan Checkout Payment Gateway --><!-- Stan Checkout loading animation --><!-- End Stan Checkout loading animation -->+2 more
Data Attributes
data-stan-checkout-actiondata-stan-checkout-param
JS Globals
stan_checkout_params
REST Endpoints
/wp-json/wc-stan-checkout/v1/order/wp-json/wc-stan-checkout/v1/payment
Shortcode Output
[stan_checkout_button][stan_checkout_form]
FAQ

Frequently Asked Questions about Stan Checkout