Subscriptions & Memberships for PayPal Security & Risk Analysis

wordpress.org/plugins/subscriptions-memberships-for-paypal

A simple and easy way to sell subscriptions and / or memberships with PayPal. No Coding Required. Official PayPal Partner.

1K active installs · v1.1.8 · PHP 5.4+ · WP 3.5+ · Updated Dec 4, 2025
Tags: membership, memberships, paypal, subscription, subscriptions
Score: 95 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Nov 28, 2025
Safety Verdict

Is Subscriptions & Memberships for PayPal Safe to Use in 2026?

Generally Safe

Score 95/100

Subscriptions & Memberships for PayPal has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Nov 28, 2025 · Updated 4mo ago
Risk Assessment

The "subscriptions-memberships-for-paypal" plugin v1.1.8 exhibits a generally good security posture due to a low attack surface and strong adherence to secure coding practices like prepared statements and output escaping. The static analysis reveals no critical vulnerabilities in terms of dangerous functions, unsanitized paths in taint flows, or unprotected entry points. The presence of numerous nonce and capability checks further bolsters its defenses against common attacks.

However, the plugin's vulnerability history is a significant concern. With a total of four known medium-severity CVEs, including past instances of Missing Authorization, Insufficient Verification of Data Authenticity, CSRF, and XSS, it indicates a recurring pattern of weaknesses. The fact that all historical vulnerabilities are reported as 'currently unpatched' in the provided data, despite the last vulnerability being dated in the future, suggests potential issues with the accuracy or completeness of the vulnerability tracking. Even if the current version has resolved these specific CVEs, the historical prevalence of these types of vulnerabilities warrants caution and diligent monitoring.

In conclusion, while the current code analysis of v1.1.8 is positive, the plugin's past security record demands a degree of skepticism. Users should ensure they are running the latest available version and be aware that plugins with a history of security issues may be more prone to future discoveries. A layered security approach is recommended.

Key Concerns

  • Known medium severity CVEs
  • Past vulnerability types (Auth, XSS, CSRF)
Vulnerabilities: 4

Subscriptions & Memberships for PayPal Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2025: 3 CVEs

Severity Breakdown

Medium: 4

4 total CVEs

CVE-2025-66107 · medium · 5.3 · Missing Authorization

Subscriptions & Memberships for PayPal <= 1.1.7 - Missing Authorization

Nov 28, 2025 Patched in 1.1.8 (4d)
CVE-2025-12752 · medium · 5.3 · Insufficient Verification of Data Authenticity

Subscriptions & Memberships for PayPal <= 1.1.7 - Unauthenticated Fake Payment Creation

Nov 21, 2025 Patched in 1.1.8 (1d)
CVE-2024-13560 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Subscriptions & Memberships for PayPal <= 1.1.6 - Cross-Site Request Forgery to Arbitrary Post Deletion

Feb 25, 2025 Patched in 1.1.7 (1d)
WF-5fdf6407-388c-4fb4-b00d-7ed389a9067d-subscriptions-memberships-for-paypal · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Subscriptions & Memberships for PayPal <= 1.1.5 - Reflected Cross-Site Scripting

May 25, 2022 Patched in 1.1.6 (608d)
Code Analysis
Analyzed Mar 16, 2026

Subscriptions & Memberships for PayPal Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 4 (331 escaped)
  • Nonce Checks: 14
  • Capability Checks: 27
  • File Operations: 1
  • External Requests: 1
  • Bundled Libraries: 0

Output Escaping

99% escaped · 335 total outputs
Data Flows: All sanitized

Data Flow Analysis

13 flows
wpeppsub_plugin_buttons (includes\private_buttons.php:5)
Attack Surface

Subscriptions & Memberships for PayPal Attack Surface

Entry Points: 3
Unprotected: 0

Shortcodes: 3

[wpeppsub] includes\public_shortcode.php:508
[wpeppsub_login] includes\public_shortcode.php:548
[wpeppsub_logout] includes\public_shortcode.php:560

WordPress Hooks: 13

action init includes\private_button_inserter.php:5
action admin_footer includes\private_button_inserter.php:15
action media_buttons includes\private_button_inserter.php:16
filter gettext includes\private_filters.php:16
filter sanitize_post_meta_currency_wpeppsub includes\private_filters.php:28
action admin_notices includes\private_functions.php:12
action admin_menu includes\private_functions.php:30
action init includes\private_functions.php:147
action admin_menu includes\private_restrict.php:32
action save_post includes\private_restrict.php:106
filter the_content includes\private_restrict.php:112
action loop_start includes\private_restrict.php:114
action init includes\public_ipn.php:386
Maintenance & Trust

Subscriptions & Memberships for PayPal Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Dec 4, 2025
  • PHP min version: 5.4
  • Downloads: 38K

Community Trust

  • Rating: 78/100
  • Number of ratings: 12
  • Active installs: 1K
Developer Profile

Subscriptions & Memberships for PayPal Developer Profile

Scott Paterson

12 plugins · 44K total installs

  • Trust score: 76
  • Avg Security Score: 96/100
  • Avg Patch Time: 267 days
Detection Fingerprints

How We Detect Subscriptions & Memberships for PayPal

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
