Peach Payments Gateway Security & Risk Analysis

wordpress.org/plugins/wc-peach-payments-gateway

A payment gateway integration between WooCommerce and Peach Payments.

1K active installs · v4.0.1 · PHP 7.4+ · WP 6.8+ · Updated Mar 25, 2026
Tags: credit-card, payment-request, payments, woocommerce
Score: 98 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Jan 16, 2026
Safety Verdict

Is Peach Payments Gateway Safe to Use in 2026?

Generally Safe

Score 98/100

Peach Payments Gateway has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Jan 16, 2026 · Updated 1mo ago
Risk Assessment

The wc-peach-payments-gateway plugin exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query handling, with 100% prepared statements, and the absence of critical or high-severity known vulnerabilities, there are significant concerns regarding its attack surface. A notable portion of its AJAX handlers (3 out of 5) lack proper authentication checks, representing a direct entry point for potential unauthorized actions. The taint analysis, while not revealing critical or high-severity issues, did identify five flows with unsanitized paths, suggesting potential for improper handling of user-supplied data that could lead to unexpected behavior or vulnerabilities if exploited in conjunction with other weaknesses.

The plugin's vulnerability history shows two medium-severity CVEs, both of which are now patched. The common vulnerability type of 'Missing Authorization' in past issues aligns with the current static analysis findings of unprotected AJAX handlers, indicating a recurring pattern of insufficient access control. While the current version appears to have addressed past known issues, the presence of unprotected AJAX endpoints and unsanitized data flows remains a significant risk. The plugin's strengths lie in its database query security and the lack of critical historical vulnerabilities. However, the identified attack surface vulnerabilities and the historical trend of authorization issues warrant careful consideration and remediation.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths
  • Low number of capability checks
Vulnerabilities
2 published

Peach Payments Gateway Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2026: 1 CVE

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2025-67942 · medium · 5.3 · Missing Authorization

Peach Payments Gateway <= 3.3.6 - Missing Authorization

Jan 16, 2026 Patched in 3.3.7 (4d)
CVE-2024-25922 · medium · 4.3 · Missing Authorization

Peach Payments Gateway <= 3.1.9 - Missing Authorization via peach_core_version_rollback()

Feb 14, 2024 Patched in 3.2.0 (7d)
Version History

Peach Payments Gateway Release Timeline

v4.0.1 (Current)
v4.0.0
v3.3.7
v3.3.6 · 1 CVE
v3.3.5 · 1 CVE
v3.3.4 · 1 CVE
v3.3.3 · 1 CVE
v3.3.2 · 1 CVE
v3.3.1 · 1 CVE
v3.3.0 · 1 CVE
v3.2.9 · 1 CVE
v3.2.8 · 1 CVE
v3.2.7 · 1 CVE
v3.2.6 · 1 CVE
v3.2.5 · 1 CVE
v3.2.4 · 1 CVE
v3.2.3 · 1 CVE
v3.2.2 · 1 CVE
v3.2.1 · 1 CVE
v3.2.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Peach Payments Gateway Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 34 (89 escaped)
Nonce Checks: 4
Capability Checks: 1
File Operations: 4
External Requests: 10
Bundled Libraries: 0

Output Escaping

72% escaped · 123 total outputs
Data Flows · Security
5 unsanitized

Data Flow Analysis

6 flows · 5 with unsanitized paths
endpoint_content (includes\class-change-card-endpoint.php:99)
Attack Surface
3 unprotected

Peach Payments Gateway Attack Surface

Entry Points: 5
Unprotected: 3

AJAX Handlers 5

auth · wp_ajax_pp_delete_saved_card · includes\class-init.php:64
auth · wp_ajax_pp_add_saved_card · includes\class-init.php:65
auth · wp_ajax_pp_get_registration_id · includes\class-token-add-handler.php:13
auth · wp_ajax_pp_save_new_card · includes\class-token-add-handler.php:16
auth · wp_ajax_pp_delete_saved_card · includes\class-token-add-handler.php:17
WordPress Hooks 49
action · init · includes\class-change-card-endpoint.php:20
filter · query_vars · includes\class-change-card-endpoint.php:21
action · init · includes\class-change-card-endpoint.php:23
filter · wcs_view_subscription_actions · includes\class-change-card-endpoint.php:26
filter · woocommerce_payment_gateways · includes\class-gateway-loader.php:18
filter · woocommerce_payment_gateways · includes\class-init.php:61
action · woocommerce_gateway_peach-payments_woocommerce_block_support · includes\class-init.php:70
action · woocommerce_scheduled_subscription_payment_peach-payments · includes\class-init.php:71
action · woocommerce_blocks_payment_method_type_registration · includes\class-init.php:73
action · init · includes\class-init.php:86
action · woocommerce_api_wc_gateway_peach_hosted · includes\class-ipn-handler.php:10
action · init · includes\class-my-cards-endpoint.php:17
filter · query_vars · includes\class-my-cards-endpoint.php:18
filter · woocommerce_account_menu_items · includes\class-my-cards-endpoint.php:19
action · init · includes\class-my-cards-endpoint.php:21
action · admin_notices · includes\class-requirements-check.php:20
action · admin_notices · includes\class-requirements-check.php:27
action · admin_notices · includes\class-requirements-check.php:34
action · admin_notices · includes\class-requirements-check.php:41
action · admin_notices · includes\class-requirements-check.php:47
action · template_redirect · includes\class-token-add-handler.php:18
action · woocommerce_api_wc_switch_webhook_peach_payments · includes\class-webhook-handler.php:11
action · woocommerce_api_wc_switch_peach_payments · includes\class-webhook-handler.php:14
action · woocommerce_api_wc_payon_webhook_peach_payments · includes\class-webhook-handler.php:17
action · init · includes\endpoints\class-my-cards-endpoint.php:17
filter · query_vars · includes\endpoints\class-my-cards-endpoint.php:18
filter · woocommerce_account_menu_items · includes\endpoints\class-my-cards-endpoint.php:19
action · woocommerce_account_my-cards_endpoint · includes\endpoints\class-my-cards-endpoint.php:20
action · init · includes\endpoints\class-my-cards-endpoint.php:23
action · wp_enqueue_scripts · includes\enqueue-assets.php:16
action · woocommerce_account_my-cards_endpoint · includes\enqueue-assets.php:17
action · wp_enqueue_scripts · includes\enqueue-assets.php:19
action · wp_enqueue_scripts · includes\enqueue-assets.php:20
action · admin_enqueue_scripts · includes\enqueue-assets.php:22
action · woocommerce_after_checkout_validation · includes\gateways\class-hosted-gateway.php:62
action · woocommerce_blocks_checkout_order_processed · includes\gateways\class-hosted-gateway.php:63
action · plugins_loaded · woocommerce_gateway_peach_payments.php:51
action · admin_notices · woocommerce_gateway_peach_payments.php:74
action · woocommerce_blocks_loaded · woocommerce_gateway_peach_payments.php:123
action · woocommerce_blocks_payment_method_type_registration · woocommerce_gateway_peach_payments.php:129
action · woocommerce_init · woocommerce_gateway_peach_payments.php:138
action · admin_notices · woocommerce_gateway_peach_payments.php:143
action · admin_init · woocommerce_gateway_peach_payments.php:144
action · update_option_woocommerce_peach-payments_embed_clientid · woocommerce_gateway_peach_payments.php:146
action · update_option_woocommerce_peach-payments_embed_clientsecret · woocommerce_gateway_peach_payments.php:147
action · update_option_woocommerce_peach-payments_embed_merchantid · woocommerce_gateway_peach_payments.php:148
action · update_option_woocommerce_peach-payments_access_token · woocommerce_gateway_peach_payments.php:149
action · update_option_woocommerce_peach-payments_channel_3ds · woocommerce_gateway_peach_payments.php:150
action · update_option_woocommerce_peach-payments_secret · woocommerce_gateway_peach_payments.php:151
Maintenance & Trust

Peach Payments Gateway Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Mar 25, 2026
PHP min version: 7.4
Downloads: 51K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 1K
Developer Profile

Peach Payments Gateway Developer Profile

peachpayments

1 plugin · 1K total installs

Trust score: 99
Avg Security Score: 98/100
Avg Patch Time: 6 days
Detection Fingerprints

How We Detect Peach Payments Gateway

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wc-peach-payments-gateway/assets/css/public/frontend.css
  • /wp-content/plugins/wc-peach-payments-gateway/assets/css/public/style.css
  • /wp-content/plugins/wc-peach-payments-gateway/assets/js/public/checkout.js
  • /wp-content/plugins/wc-peach-payments-gateway/assets/js/public/frontend.js
  • /wp-content/plugins/wc-peach-payments-gateway/assets/js/public/my-cards.js
  • /wp-content/plugins/wc-peach-payments-gateway/assets/js/public/token.js
Script Paths
  • /wp-content/plugins/wc-peach-payments-gateway/assets/js/public/checkout.js
  • /wp-content/plugins/wc-peach-payments-gateway/assets/js/public/frontend.js
  • /wp-content/plugins/wc-peach-payments-gateway/assets/js/public/my-cards.js
  • /wp-content/plugins/wc-peach-payments-gateway/assets/js/public/token.js
Version Parameters
  • wc-peach-payments-gateway/assets/css/public/frontend.css?ver=
  • wc-peach-payments-gateway/assets/css/public/style.css?ver=
  • wc-peach-payments-gateway/assets/js/public/checkout.js?ver=
  • wc-peach-payments-gateway/assets/js/public/frontend.js?ver=
  • wc-peach-payments-gateway/assets/js/public/my-cards.js?ver=
  • wc-peach-payments-gateway/assets/js/public/token.js?ver=

HTML / DOM Fingerprints

CSS Classes
peach-payments-gateway-form, pp-gateway-form-wrapper
HTML Comments
<!-- We are not supporting the following plugins anymore -->
Data Attributes
data-peach-client-id, data-peach-channel, data-peach-redirect-url, data-peach-currency, data-peach-order-id, data-peach-amount, +13 more
JS Globals
PP_Gateway_Assets, WC_Peach_Payments_Frontend
FAQ

Frequently Asked Questions about Peach Payments Gateway