Easy PayPal & Stripe Buy Now Button Security & Risk Analysis

wordpress.org/plugins/wp-ecommerce-paypal

Add a PayPal Buy Now Button to your website and start selling with PayPal and Stripe today. No Coding Required. Official PayPal & Stripe Partner.

10K active installs · v2.0.4 · PHP 5.4+ · WP 3.0+ · Updated Jan 29, 2026
Tags: ecommerce, gateway, paypal, paypal-button, shop
Score: 94 (A · Safe)
CVEs total: 6
Unpatched: 0
Last CVE: May 7, 2025
Safety Verdict

Is Easy PayPal & Stripe Buy Now Button Safe to Use in 2026?

Generally Safe

Score 94/100

Easy PayPal & Stripe Buy Now Button has a strong security track record. Known vulnerabilities have been patched promptly.

6 known CVEs · Last CVE: May 7, 2025 · Updated 2mo ago
Risk Assessment

The plugin "wp-ecommerce-paypal" v2.0.4 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and implementing nonce checks on all identified entry points (AJAX handlers and shortcodes). It also has a reasonable percentage of properly escaped output, which helps mitigate certain types of vulnerabilities. The absence of critical or high severity taint flows, along with no known unpatched CVEs, suggests an effort towards secure development in recent times.

However, there are notable areas of concern. The presence of one unsanitized path in the taint analysis, even if not classified as critical, warrants attention as it could potentially lead to security issues if exploited. Furthermore, the vulnerability history is a significant red flag. With a total of 6 known CVEs, including one high and five medium severity vulnerabilities, it indicates a past pattern of security weaknesses. The common vulnerability types listed (XSS, Open Redirect, CSRF) are classic examples of insecure input handling and insufficient protection mechanisms. While there are currently no unpatched vulnerabilities, the historical prevalence of these issues suggests a need for continued vigilance and thorough auditing.

In conclusion, while the plugin has made improvements in some security areas, particularly in its handling of SQL and nonce checks, its past vulnerability history and the presence of an unsanitized path in the taint analysis present ongoing risks. Users should remain cautious and make sure they are running the latest version, for which there are no known unpatched CVEs. Continuous monitoring and timely updates are crucial for mitigating the residual risks associated with this plugin.

Key Concerns

  • One unsanitized path in taint analysis
  • History of 1 high severity CVE
  • History of 5 medium severity CVEs
  • 70% output escaping (30% unescaped)
  • 8 external HTTP requests (potential for SSRF)
Vulnerabilities
6

Easy PayPal & Stripe Buy Now Button Security Vulnerabilities

CVEs by Year

  • 2017: 1 CVE
  • 2023: 2 CVEs
  • 2024: 2 CVEs
  • 2025: 1 CVE

Severity Breakdown

  • High: 1
  • Medium: 5

6 total CVEs

CVE-2025-47623 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy PayPal Buy Now Button <= 2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 7, 2025 · Patched in 2.0.1 (10d)

CVE-2024-43236 · high · 7.2 · URL Redirection to Untrusted Site ('Open Redirect')

Easy PayPal Buy Now Button <= 1.9 - Unauthenticated Open Redirect

Aug 9, 2024 · Patched in 1.9.1 (5d)

CVE-2024-1719 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Easy PayPal & Stripe Buy Now Button <= 1.8.3 & Contact Form 7 – PayPal & Stripe Add-on <= 2.1 - Cross-Site Request Forgery to Settings Update

Feb 27, 2024 · Patched in 1.9 (1d)

CVE-2023-51683 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Easy PayPal Buy Now Button <= 1.8.1 - Cross-Site Request Forgery

Dec 27, 2023 · Patched in 1.8.2 (27d)

CVE-2022-4628 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Easy PayPal Buy Now Button <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Jan 19, 2023 · Patched in 1.7.4 (369d)

WF-80ae05c4-64de-48df-b302-6110403b79d0-wp-ecommerce-paypal · medium · 5.4 · Cross-Site Request Forgery (CSRF)

Easy PayPal Buy Now Button <= 1.7.2 - Cross-Site Request Forgery to Cross-Site Scripting

Jun 12, 2017 · Patched in 1.7.3 (2416d)

Code Analysis
Analyzed Mar 16, 2026

Easy PayPal & Stripe Buy Now Button Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (0 prepared)
  • Unescaped Output: 97 (226 escaped)
  • Nonce Checks: 10
  • Capability Checks: 6
  • File Operations: 0
  • External Requests: 8
  • Bundled Libraries: 0

Output Escaping

70% escaped · 323 total outputs

Data Flows: 1 unsanitized

Data Flow Analysis

7 flows · 1 with unsanitized paths
wpecpp_stripe_connection_status (includes\stripe_connect.php:6)
Attack Surface

Easy PayPal & Stripe Buy Now Button Attack Surface

Entry Points: 10
Unprotected: 0

AJAX Handlers 9

auth · wp_ajax_wpecpp-ppcp-onboarding-start · includes\ppcp.php:53
auth · wp_ajax_wpecpp-ppcp-disconnect · includes\ppcp.php:128
auth · wp_ajax_wpecpp-ppcp-order-create · includes\ppcp_frontend.php:4
nopriv · wp_ajax_wpecpp-ppcp-order-create · includes\ppcp_frontend.php:5
auth · wp_ajax_wpecpp-ppcp-order-finalize · includes\ppcp_frontend.php:58
nopriv · wp_ajax_wpecpp-ppcp-order-finalize · includes\ppcp_frontend.php:59
auth · wp_ajax_wpecpp_preview_shortcode · includes\shortcode_manager.php:424
auth · wp_ajax_wpecpp_stripe_checkout_session · includes\stripe_connect.php:248
nopriv · wp_ajax_wpecpp_stripe_checkout_session · includes\stripe_connect.php:249

Shortcodes 1

[wpecpp] includes\public_shortcode.php:9

WordPress Hooks 25

action · media_buttons · includes\admin_media_button.php:9
action · admin_footer · includes\admin_media_button.php:20
action · admin_menu · includes\admin_menu.php:9
action · admin_head · includes\admin_menu.php:61
action · admin_notices · includes\admin_notices.php:10
action · admin_init · includes\admin_notices.php:66
action · admin_notices · includes\admin_notices.php:80
action · admin_init · includes\admin_notices.php:131
action · init · includes\shortcode_manager.php:43
action · add_meta_boxes · includes\shortcode_manager.php:78
action · save_post · includes\shortcode_manager.php:274
filter · manage_wpplugin_pp_button_posts_columns · includes\shortcode_manager.php:293
action · manage_wpplugin_pp_button_posts_custom_column · includes\shortcode_manager.php:322
filter · manage_edit-wpplugin_pp_button_sortable_columns · includes\shortcode_manager.php:332
action · admin_head · includes\shortcode_manager.php:382
action · admin_enqueue_scripts · includes\shortcode_manager.php:399
action · plugins_loaded · includes\stripe_connect.php:167
action · plugins_loaded · includes\stripe_connect.php:206
action · init · includes\stripe_connect.php:342
action · plugins_loaded · wp-ecommerce-paypal.php:37
action · admin_init · wp-ecommerce-paypal.php:52
action · admin_enqueue_scripts · wp-ecommerce-paypal.php:225
action · wp_enqueue_scripts · wp-ecommerce-paypal.php:238
action · admin_enqueue_scripts · wp-ecommerce-paypal.php:282
action · admin_notices · wp-ecommerce-paypal.php:338
Maintenance & Trust

Easy PayPal & Stripe Buy Now Button Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 29, 2026
PHP min version: 5.4
Downloads: 363K

Community Trust

Rating: 90/100
Number of ratings: 24
Active installs: 10K
Developer Profile

Easy PayPal & Stripe Buy Now Button Developer Profile

Scott Paterson

12 plugins · 44K total installs

Trust score: 76
Avg Security Score: 96/100
Avg Patch Time: 267 days
Detection Fingerprints

How We Detect Easy PayPal & Stripe Buy Now Button

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/wp-ecommerce-paypal/assets/css/wpecpp-admin.css
  • /wp-content/plugins/wp-ecommerce-paypal/assets/js/wpecpp-admin.js
  • /wp-content/plugins/wp-ecommerce-paypal/assets/css/wpecpp.css
  • /wp-content/plugins/wp-ecommerce-paypal/assets/js/wpecpp.js
Script Paths
  • https://js.stripe.com/v3/
Version Parameters
  • wp-ecommerce-paypal/assets/css/wpecpp-admin.css?ver=
  • wp-ecommerce-paypal/assets/js/wpecpp-admin.js?ver=
  • wp-ecommerce-paypal/assets/css/wpecpp.css?ver=
  • wp-ecommerce-paypal/assets/js/wpecpp.js?ver=

HTML / DOM Fingerprints

JS Globals
wpecpp
FAQ

Frequently Asked Questions about Easy PayPal & Stripe Buy Now Button