WP Easy Pay – Payment and Donation form Builder for Square Security & Risk Analysis

wordpress.org/plugins/wp-easy-pay

Integrate Square with WordPress easily, quickly, and securely. The Square Payment Form Builder for WordPress to accept Subscriptions, Donations and On …

1K active installs · v4.2.12 · PHP 7.0+ · WP 5.2+ · Updated Mar 2, 2026
Tags: cash-app, donation, payment-form, square, square-payments
Score: 97 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Jul 23, 2024
Safety Verdict

Is WP Easy Pay – Payment and Donation form Builder for Square Safe to Use in 2026?

Generally Safe

Score 97/100

WP Easy Pay – Payment and Donation form Builder for Square has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Jul 23, 2024 · Updated 1mo ago
Risk Assessment

The security posture of wp-easy-pay v4.2.12 presents a mixed bag of good practices and concerning weaknesses. On the positive side, the plugin demonstrates strong adherence to secure coding principles with a very high percentage of properly escaped outputs and all SQL queries utilizing prepared statements. The absence of critical or high-severity taint flows, dangerous functions, and file operations is also encouraging. However, a significant concern arises from the presence of one AJAX handler that lacks authentication checks, creating a direct attack vector.

The vulnerability history, while currently showing no unpatched CVEs, reveals a pattern of past medium-severity issues including Missing Authorization, Cross-Site Scripting, and Cross-Site Request Forgery. This suggests a historical tendency towards vulnerabilities that could be exploited by unauthorized users or lead to the execution of malicious scripts if proper input validation and output escaping were not in place. The recent vulnerability in July 2024, even if patched, indicates ongoing security challenges.

In conclusion, while the plugin has made strides in secure coding practices, the unprotected AJAX endpoint and the historical vulnerability types present tangible risks. The reliance on 18 nonce checks, while a good practice, is overshadowed by the single critical omission in authorization. The bundled Freemius and Guzzle libraries, while not explicitly flagged as outdated, warrant attention for potential supply chain risks in the future.

Key Concerns

  • Unprotected AJAX handler found
  • 4 medium severity CVEs historically
  • Bundled Freemius v1.0 library
  • Bundled Guzzle library
Vulnerabilities
4

WP Easy Pay – Payment and Donation form Builder for Square Security Vulnerabilities

CVEs by Year

2021: 1 CVE · 2023: 2 CVEs · 2024: 1 CVE

Severity Breakdown

Medium: 4 (4 total CVEs)

CVE-2024-5861 · medium · 5.3 · Missing Authorization

WP Easy Pay (Free) <= 4.2.3 - Missing Authorization to Unauthenticated Service Disconnection

Jul 23, 2024 · Patched in 4.2.4 (1d)

CVE-2023-1465 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP EasyPay <= 4.0.4 - Reflected Cross-Site Scripting

May 1, 2023 · Patched in 4.1 (267d)

CVE-2022-47177 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP EasyPay <= 4.0.4 - Cross-Site Request Forgery

Apr 14, 2023 · Patched in 4.1 (284d)

CVE-2021-4411 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

WP EasyPay – Square for WordPress <= 3.2.0 - Cross-Site Request Forgery Bypass

Jul 5, 2021 · Patched in 3.2.3 (932d)
Code Analysis
Analyzed Mar 16, 2026

WP Easy Pay – Payment and Donation form Builder for Square Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 24 (1212 escaped)
Nonce Checks: 18
Capability Checks: 0
File Operations: 0
External Requests: 7
Bundled Libraries: 2

Bundled Libraries

Freemius 1.0, Guzzle

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

98% escaped · 1236 total outputs
Data Flows
All sanitized

Data Flow Analysis

11 flows
wpep_calculate_fee_data (modules\payments\payment-helper-functions.php:573)
Attack Surface
1 unprotected

WP Easy Pay – Payment and Donation form Builder for Square Attack Surface

Entry Points: 13
Unprotected: 1

AJAX Handlers 12

auth · wp_ajax_wpep_delete_cof · modules\payments\payment-helper-functions.php:415
nopriv · wp_ajax_wpep_delete_cof · modules\payments\payment-helper-functions.php:416
auth · wp_ajax_wpep_apply_coupon · modules\payments\payment-helper-functions.php:561
nopriv · wp_ajax_wpep_apply_coupon · modules\payments\payment-helper-functions.php:562
auth · wp_ajax_wpep_calculate_fee_data · modules\payments\payment-helper-functions.php:657
nopriv · wp_ajax_wpep_calculate_fee_data · modules\payments\payment-helper-functions.php:658
auth · wp_ajax_wpep_payment_request · modules\payments\square-payments.php:13
nopriv · wp_ajax_wpep_payment_request · modules\payments\square-payments.php:14
auth · wp_ajax_wpep_file_upload · modules\payments\square-payments.php:16
nopriv · wp_ajax_wpep_file_upload · modules\payments\square-payments.php:17
auth · wp_ajax_wpep_payment_refund · modules\payments\square-payments.php:19
auth · wp_ajax_wpep_reset_donation_goal · wpep-setup.php:22

Shortcodes 1

[wpep-form] modules\render_forms\form-render-shortcode.php:87
WordPress Hooks 40

action · admin_notices · modules\admin_notices\square-oauth-notice.php:43
action · admin_notices · modules\admin_notices\ssl-notice.php:24
action · admin_init · modules\payments\square-authorization.php:14
action · admin_init · modules\payments\square-authorization.php:15
action · admin_init · modules\payments\square-authorization.php:16
action · init · modules\render_forms\form-render-shortcode.php:75
action · wp_enqueue_scripts · modules\render_forms\form-render-shortcode.php:372
action · wp_enqueue_scripts · views\frontend\popup-form.php:51
action · wp_footer · views\frontend\popup-form.php:53
action · init · views\frontend\popup-form.php:400
action · init · wp-easy-pay.php:51
action · wpep_fetch_dashboard_data · wp-easy-pay.php:89
action · wp_head · wp-easy-pay.php:249
action · admin_init · wp-easy-pay.php:272
action · plugins_loaded · wp-easy-pay.php:273
action · wpep_weekly_refresh_tokens · wp-easy-pay.php:279
action · edit_form_after_editor · wp-easy-pay.php:295
action · admin_enqueue_scripts · wp-easy-pay.php:296
action · admin_enqueue_scripts · wp-easy-pay.php:297
action · admin_enqueue_scripts · wp-easy-pay.php:302
action · admin_enqueue_scripts · wp-easy-pay.php:303
action · edit_form_after_editor · wp-easy-pay.php:309
action · admin_enqueue_scripts · wp-easy-pay.php:310
action · admin_enqueue_scripts · wp-easy-pay.php:311
action · admin_enqueue_scripts · wp-easy-pay.php:312
action · init · wpep-setup.php:14
filter · manage_wp_easy_pay_posts_columns · wpep-setup.php:15
action · manage_wp_easy_pay_posts_custom_column · wpep-setup.php:16
action · init · wpep-setup.php:17
filter · manage_wpep_reports_posts_columns · wpep-setup.php:18
action · manage_wpep_reports_posts_custom_column · wpep-setup.php:19
action · admin_menu · wpep-setup.php:20
action · post_edit_form_tag · wpep-setup.php:21
filter · cron_schedules · wpep-setup.php:23
action · wpep_email_payment_summary_cron_job_hook · wpep-setup.php:24
action · admin_init · wpep-setup.php:419
action · save_post_wp_easy_pay · wpep-setup.php:902
action · admin_init · wpep-setup.php:1035
action · post_submitbox_misc_actions · wpep-setup.php:1070
action · admin_init · wpep-setup.php:1102

Scheduled Events 2

wpep_fetch_dashboard_data
wpep_weekly_refresh_tokens
Maintenance & Trust

WP Easy Pay – Payment and Donation form Builder for Square Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 2, 2026
PHP min version: 7.0
Downloads: 156K

Community Trust

Rating: 76/100
Number of ratings: 42
Active installs: 1K
Developer Profile

WP Easy Pay – Payment and Donation form Builder for Square Developer Profile

Saad Iqbal

84 plugins · 1.4M total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 287 days
Detection Fingerprints

How We Detect WP Easy Pay – Payment and Donation form Builder for Square

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-easy-pay/assets/js/wp-easy-pay.js
/wp-content/plugins/wp-easy-pay/assets/css/wp-easy-pay-admin.css
/wp-content/plugins/wp-easy-pay/assets/css/wp-easy-pay-frontend.css
Version Parameters
wp-easy-pay/assets/js/wp-easy-pay.js?ver=
wp-easy-pay/assets/css/wp-easy-pay-admin.css?ver=
wp-easy-pay/assets/css/wp-easy-pay-frontend.css?ver=

HTML / DOM Fingerprints

CSS Classes
wpep_frontend_wrapper, wpep_form_heading
Data Attributes
data-payment_type, data-payment_amount, data-form_id, data-action, data-square_client_id, data-square_location_id
JS Globals
wpep_config
REST Endpoints
/wp-json/wpeasy/v1/create-payment
Shortcode Output
[wp_easy_pay_payment_form]
FAQ

Frequently Asked Questions about WP Easy Pay – Payment and Donation form Builder for Square