Transbank Webpay Security & Risk Analysis

wordpress.org/plugins/transbank-webpay-plus-rest

Accept online payments with credit, debit and prepaid cards in your WooCommerce store through Webpay Plus and Webpay Oneclick.

10K active installs · v1.13.0 · PHP 8.2+ · WP 6.3+ · Updated Mar 31, 2026
transbank webpay_oneclick webpay_plus
Score: 99
A · Safe
CVEs total: 1
Unpatched: 0
Last CVE: Apr 6, 2023
Safety Verdict

Is Transbank Webpay Safe to Use in 2026?

Generally Safe

Score 99/100

Transbank Webpay has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

1 known CVE · Last CVE: Apr 6, 2023 · Updated 1mo ago
Risk Assessment

The Transbank Webpay Plus REST plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by extensively using prepared statements for its SQL queries and performing capability checks on a reasonable number of actions. The absence of critical or high severity taint flows is also a positive indicator, suggesting that untrusted data is generally handled with care in the analyzed code paths.

However, significant concerns arise from the plugin's attack surface. All five identified AJAX handlers lack authentication checks, presenting a direct pathway for unauthenticated users to interact with potentially sensitive functionalities. Furthermore, the output escaping is only properly implemented in 50% of cases, increasing the risk of cross-site scripting (XSS) vulnerabilities. The plugin's vulnerability history, specifically a high-severity SQL injection vulnerability discovered in April 2023, though currently patched, indicates a past weakness in input sanitization for SQL commands, reinforcing the need for vigilance in handling user-supplied data.

Overall, while the plugin shows strengths in database query security and privilege checks, the lack of authentication on AJAX endpoints and the inconsistent output escaping are critical weaknesses that elevate the risk profile. The past SQL injection vulnerability also suggests a pattern that warrants careful monitoring and potentially more rigorous security auditing.

Key Concerns

  • 5 AJAX handlers without auth checks
  • 50% of outputs not properly escaped
  • 1 High severity vulnerability in history
  • Bundled library Guzzle
Vulnerabilities
1 published

Transbank Webpay Security Vulnerabilities

CVEs by Year

2023: 1 CVE

Severity Breakdown

High: 1

1 total CVE

CVE-2023-27610 · high · 7.2 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Transbank Webpay REST <= 1.6.6 - Authenticated (Administrator+) SQL Injection via orderby

Apr 6, 2023 · Patched in 1.6.7 (292d)
Version History

Transbank Webpay Release Timeline

v1.13.0 (Current)
v1.12.2
v1.12.1
v1.12.0
v1.11.0
v1.10.0
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.8.0
v1.7.1
v1.7.0
v1.6.8
v1.6.7
v1.6.6 (1 CVE)
v1.6.5 (1 CVE)
v1.6.4 (1 CVE)
v1.6.3 (1 CVE)
v1.6.2 (1 CVE)
Code Analysis
Analyzed Mar 16, 2026

Transbank Webpay Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 1 (12 prepared)
Unescaped Output: 49 (49 escaped)
Nonce Checks: 4
Capability Checks: 8
File Operations: 2
External Requests: 1
Bundled Libraries: 1

Bundled Libraries

Guzzle

SQL Query Safety

92% prepared · 13 total queries

Output Escaping

50% escaped · 98 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

4 flows · 2 with unsanitized paths
show (src\Controllers\LogController.php:20)
Attack Surface
5 unprotected

Transbank Webpay Attack Surface

Entry Points: 5
Unprotected: 5

AJAX Handlers (5)

auth  wp_ajax_dismiss_notice  src\Admin\Notices\DismissNoticeAjax.php:18
auth  wp_ajax_check_connection  webpay-rest.php:62
auth  wp_ajax_check_can_download_file  webpay-rest.php:63
auth  wp_ajax_download_log_file  webpay-rest.php:64
auth  wp_ajax_get_transaction_status  webpay-rest.php:65
WordPress Hooks (21)

action  admin_notices  src\Admin\Notices\AdminNoticeManager.php:16
action  woocommerce_rest_checkout_process_payment_with_context  src\Blocks\WCGatewayTransbankBlocks.php:18
action  woocommerce_payment_token_deleted  src\PaymentGateways\WC_Gateway_Transbank_Oneclick_Mall_REST.php:108
filter  woocommerce_payment_methods_list_item  src\PaymentGateways\WC_Gateway_Transbank_Oneclick_Mall_REST.php:110
filter  woocommerce_payment_token_class  src\PaymentGateways\WC_Gateway_Transbank_Oneclick_Mall_REST.php:111
filter  woocommerce_saved_payment_methods_list  src\PaymentGateways\WC_Gateway_Transbank_Oneclick_Mall_REST.php:112
action  woocommerce_thankyou  src\PaymentGateways\WC_Gateway_Transbank_Webpay_Plus_REST.php:61
action  plugins_loaded  webpay-rest.php:53
action  wp_loaded  webpay-rest.php:54
action  add_meta_boxes  webpay-rest.php:57
action  init  webpay-rest.php:61
action  woocommerce_before_cart  webpay-rest.php:68
action  woocommerce_before_checkout_form  webpay-rest.php:70
action  admin_enqueue_scripts  webpay-rest.php:71
action  woocommerce_blocks_loaded  webpay-rest.php:82
action  woocommerce_blocks_payment_method_type_registration  webpay-rest.php:86
action  before_woocommerce_init  webpay-rest.php:96
action  before_woocommerce_init  webpay-rest.php:103
action  init  webpay-rest.php:116
filter  woocommerce_payment_gateways  webpay-rest.php:142
action  admin_menu  webpay-rest.php:153
Maintenance & Trust

Transbank Webpay Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 31, 2026
PHP min version: 8.2
Downloads: 188K

Community Trust

Rating: 72/100
Number of ratings: 14
Active installs: 10K
Developer Profile

Transbank Webpay Developer Profile

Transbank Developers

1 plugin · 10K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 292 days
Detection Fingerprints

How We Detect Transbank Webpay

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/transbank-webpay-plus-rest/css/tbk.css
/wp-content/plugins/transbank-webpay-plus-rest/css/font-awesome/all.css
/wp-content/plugins/transbank-webpay-plus-rest/js/admin.js
/wp-content/plugins/transbank-webpay-plus-rest/js/swal.min.js
Script Paths
/wp-content/plugins/transbank-webpay-plus-rest/js/admin.js
/wp-content/plugins/transbank-webpay-plus-rest/js/swal.min.js
Version Parameters
tbk-styles?ver=1.1

HTML / DOM Fingerprints

Data Attributes
tbk_tab
JS Globals
ajax_object
REST Endpoints
/wp-json/transbank/v1/transaction/status
/wp-json/transbank/v1/healthcheck
FAQ

Frequently Asked Questions about Transbank Webpay