Tilopay Security & Risk Analysis

wordpress.org/plugins/tilopay

Accept payments on WooCommerce stores with seamless integration, multi-currency support, and advanced tools for secure payment processing.

1K active installs · v3.1.2 · PHP 7.4+ · WP 3.9+ · Updated Nov 12, 2025

Tags: caribbean, central-america, ecommerce, payment-gateway, woocommerce

Score: 100
Grade: A · Safe
CVEs total: 0
Unpatched: 0
Last CVE: Never
Safety Verdict

Is Tilopay Safe to Use in 2026?

Generally Safe

Score 100/100

Tilopay has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs · Updated 6mo ago
Risk Assessment

The "tilopay" plugin v3.1.2 exhibits a mixed security posture. On the positive side, it demonstrates good practices by not using dangerous functions, performing all SQL queries with prepared statements, and having a high percentage of properly escaped output. Furthermore, its vulnerability history is clean, with no known CVEs, suggesting a generally well-maintained codebase.

However, significant concerns arise from the identified attack surface. The plugin has one unprotected REST API route, which represents a direct entry point for attackers without any authorization checks. The taint analysis also revealed two flows with unsanitized paths, indicating a potential for directory traversal or similar vulnerabilities, although their severity is not classified as critical or high in this analysis. The absence of capability checks on any of its entry points is a notable weakness.

In conclusion, while the plugin's core coding practices for data handling and SQL interaction are strong, the unprotected REST API route and the presence of unsanitized paths in taint flows are critical security risks that require immediate attention. The clean vulnerability history is a positive sign, but it does not negate the immediate threats presented by the identified entry points and taint issues.

Key Concerns

  • Unprotected REST API route
  • Taint flows with unsanitized paths
  • No capability checks on entry points
Vulnerabilities
None known

Tilopay Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Tilopay Release Timeline

v3.1.2 (Current)
v3.1.1
v3.1.0
v3.0.9
v3.0.8
v3.0.7
v3.0.6
v3.0.5
v3.0.4
v3.0.3
v3.0.2
v3.0.1
v3.0.0
v2.1.2
v2.1.1
v2.1.0
v2.0.9
v2.0.8
v2.0.7
v2.0.5
Code Analysis
Analyzed Mar 16, 2026

Tilopay Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 13 (103 escaped)
Nonce Checks: 2
Capability Checks: 0
File Operations: 4
External Requests: 9
Bundled Libraries: 0

Output Escaping

89% escaped, 116 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

2 flows, 2 with unsanitized paths

  • tilopay_check_order_payment_from_query_params (includes\TilopayHelper.php:76)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface
1 unprotected

Tilopay Attack Surface

Entry Points: 1
Unprotected: 1

REST API Routes 1

  • POST /wp-json/tilopay/v1/tpay_validate_checkout_form_errors (includes\TilopayHelper.php:900)
WordPress Hooks 26
  • filter allowed_redirect_hosts (includes\InitTilopay.php:17)
  • filter woocommerce_available_payment_gateways (includes\InitTilopay.php:25)
  • action tpay_my_cron_tilopay (includes\InitTilopay.php:27)
  • filter cron_schedules (includes\InitTilopay.php:29)
  • action plugins_loaded (includes\InitTilopay.php:32)
  • filter load_textdomain_mofile (includes\InitTilopay.php:34)
  • action woocommerce_blocks_loaded (includes\InitTilopay.php:37)
  • action before_woocommerce_init (includes\InitTilopay.php:40)
  • filter woocommerce_locate_template (includes\InitTilopay.php:43)
  • action init (includes\InitTilopay.php:48)
  • action woocommerce_email_sent (includes\InitTilopay.php:53)
  • action woocommerce_blocks_payment_method_type_registration (includes\TilopayHelper.php:442)
  • filter woocommerce_rest_api_enabled (includes\WCTilopay.php:123)
  • action woocommerce_scheduled_subscription_payment_retry (includes\WCTilopay.php:124)
  • action admin_notices (includes\WCTilopay.php:129)
  • action woocommerce_api_tilopay_response_woo (includes\WCTilopay.php:133)
  • action wp_enqueue_scripts (includes\WCTilopay.php:137)
  • action wp_enqueue_scripts (includes\WCTilopay.php:140)
  • filter woocommerce_payment_gateways (tilopay.php:66)
  • filter woocommerce_after_checkout_form (tilopay.php:68)
  • action woocommerce_order_status_changed (tilopay.php:70)
  • action woocommerce_order_refunded (tilopay.php:81)
  • action wp_enqueue_scripts (tilopay.php:87)
  • action admin_enqueue_scripts (tilopay.php:93)
  • action rest_api_init (tilopay.php:103)
  • action woocommerce_loaded (tilopay.php:107)

Scheduled Events 1

  • tpay_my_cron_tilopay
Maintenance & Trust

Tilopay Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 12, 2025
PHP min version: 7.4
Downloads: 24K

Community Trust

Rating: 86/100
Number of ratings: 4
Active installs: 1K
Developer Profile

Tilopay Developer Profile

hnanne

1 plugin · 1K total installs

Trust score: 94
Avg Security Score: 100/100
Avg Patch Time: 30 days
Detection Fingerprints

How We Detect Tilopay

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/tilopay/assets/css/tilopay-checkout.css
  • /wp-content/plugins/tilopay/assets/js/tilopay-checkout.js
  • /wp-content/plugins/tilopay/assets/js/tilopay-admin.js

Script Paths
  • /wp-content/plugins/tilopay/assets/js/tilopay-checkout.js
  • /wp-content/plugins/tilopay/assets/js/tilopay-admin.js

Version Parameters
  • tilopay/assets/css/tilopay-checkout.css?ver=
  • tilopay/assets/js/tilopay-checkout.js?ver=
  • tilopay/assets/js/tilopay-admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • tilopay-error-message
  • tilopay-success-message
  • tilopay-payment-gateway
  • tilopay_checkout_field

HTML Comments
  • <!-- add the action -->
  • <!-- For FE call form validation -->
  • <!-- Hook front script -->
  • <!-- Admin script to upload logo, only load at WC wc-settings page -->
  • (+4 more)

Data Attributes
  • data-tilopay-order-id
  • data-tilopay-amount
  • data-tilopay-currency

JS Globals
  • tilopay_script_params

REST Endpoints
  • /wp-json/tilopay/v1/validate-form
FAQ

Frequently Asked Questions about Tilopay