WP Express Checkout (Fast Payments via PayPal & Stripe) Security & Risk Analysis

wordpress.org/plugins/wp-express-checkout

Allows you to accept fast and secure payments for products and services via a payment popup window, supporting both the new PayPal and Stripe Checkout …

2K active installs v2.4.6 PHP + WP 6.0+ Updated Feb 21, 2026
Tags: ecommerce, payment, paypal, sell, stripe
Score 99 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Mar 29, 2024
Safety Verdict

Is WP Express Checkout (Fast Payments via PayPal & Stripe) Safe to Use in 2026?

Generally Safe

Score 99/100

WP Express Checkout (Fast Payments via PayPal & Stripe) has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEs · Last CVE: Mar 29, 2024 · Updated 1mo ago
Risk Assessment

The wp-express-checkout v2.4.6 plugin exhibits a generally good security posture with several strong practices, including the exclusive use of prepared statements for SQL queries and a high rate of output escaping (82%). The absence of critical or high-severity known vulnerabilities and the fact that all past CVEs are patched are positive indicators. However, the plugin has a notable attack surface with 30 AJAX handlers, 5 of which lack authentication checks. While the taint analysis did not reveal any critical or high-severity unsanitized flows, the presence of 3 flows with unsanitized paths, even if assessed as low or medium severity by the analysis tool, warrants attention. The history of 2 medium-severity CVEs, with the most recent in March 2024, indicates that while vulnerabilities are being addressed, there's a pattern of issues that could be exploited if left unpatched. The combination of unprotected AJAX endpoints and a history of vulnerabilities suggests a moderate risk level. Further investigation into the nature of the 3 unsanitized flows and the historical CVEs is recommended.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths
  • History of medium severity CVEs
Vulnerabilities: 2

WP Express Checkout (Fast Payments via PayPal & Stripe) Security Vulnerabilities

CVEs by Year

1 CVE in 2023
1 CVE in 2024

Severity Breakdown

Medium: 2

2 total CVEs

CVE-2024-30527 · medium · 5.3 · Use of Less Trusted Source

WP Express Checkout (Accept PayPal Payments) <= 2.3.7 - Unauthenticated Price Manipulation

Mar 29, 2024 Patched in 2.3.8 (6d)

CVE-2023-1469 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Express Checkout <= 2.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon[code]

Mar 17, 2023 Patched in 2.2.9 (312d)
Code Analysis
Analyzed Mar 16, 2026

WP Express Checkout (Fast Payments via PayPal & Stripe) Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 136 (641 escaped)
Nonce Checks: 25
Capability Checks: 3
File Operations: 8
External Requests: 3
Bundled Libraries: 0

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

82% escaped · 777 total outputs

Data Flows: 3 unsanitized

Data Flow Analysis

7 flows · 3 with unsanitized paths
paypal_onboard_actions_messages_handler (admin\class-admin.php:1447)
Attack Surface: 5 unprotected

WP Express Checkout (Fast Payments via PayPal & Stripe) Attack Surface

Entry Points: 36
Unprotected: 5

AJAX Handlers 30

auth wp_ajax_wpec_feedback_notice_dismiss admin\includes\class-admin-user-feedback.php:23
auth wp_ajax_wpec_order_action_resend_email admin\includes\class-orders-meta-boxes.php:33
auth wp_ajax_wpec_order_action_reset_download_counts admin\includes\class-orders-meta-boxes.php:34
auth wp_ajax_wpec_order_action_payment_refund admin\includes\class-orders-meta-boxes.php:35
auth wp_ajax_wpec_add_order_note admin\includes\class-orders-meta-boxes.php:36
auth wp_ajax_wpec_delete_order_note admin\includes\class-orders-meta-boxes.php:37
auth wp_ajax_wpec_get_order_product_by_id admin\includes\class-orders-meta-boxes.php:38
auth wp_ajax_wpec_check_coupon includes\class-coupons.php:23
nopriv wp_ajax_wpec_check_coupon includes\class-coupons.php:24
auth wp_ajax_wpec_reset_log includes\class-init.php:43
auth wp_ajax_wpec_process_empty_payment includes\class-payment-processor-free.php:23
nopriv wp_ajax_wpec_process_empty_payment includes\class-payment-processor-free.php:24
auth wp_ajax_wpec_process_manual_checkout includes\class-payment-processor-manual.php:21
nopriv wp_ajax_wpec_process_manual_checkout includes\class-payment-processor-manual.php:22
auth wp_ajax_wpec_process_payment includes\class-payment-processor.php:32
nopriv wp_ajax_wpec_process_payment includes\class-payment-processor.php:33
auth wp_ajax_wpec_pp_create_order includes\class-paypal-button-ajax-handler.php:19
nopriv wp_ajax_wpec_pp_create_order includes\class-paypal-button-ajax-handler.php:20
auth wp_ajax_wpec_pp_capture_order includes\class-paypal-button-ajax-handler.php:22
nopriv wp_ajax_wpec_pp_capture_order includes\class-paypal-button-ajax-handler.php:23
auth wp_ajax_wpec_stripe_create_checkout_session includes\class-stripe-button-ajax-handler.php:9
nopriv wp_ajax_wpec_stripe_create_checkout_session includes\class-stripe-button-ajax-handler.php:10
auth wp_ajax_wpec_wc_generate_button includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:16
nopriv wp_ajax_wpec_wc_generate_button includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:17
auth wp_ajax_wpec_wc_block_payment_button_data includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:20
nopriv wp_ajax_wpec_wc_block_payment_button_data includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:21
auth wp_ajax_wpec_woocommerce_pp_create_order includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:24
nopriv wp_ajax_wpec_woocommerce_pp_create_order includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:25
auth wp_ajax_wpec_woocommerce_pp_capture_order includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:28
nopriv wp_ajax_wpec_woocommerce_pp_capture_order includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:29

Shortcodes 6

[wp_express_checkout] public\includes\class-shortcodes.php:29
[wpec_thank_you] public\includes\class-shortcodes.php:32
[wpec_ty] public\includes\class-shortcodes.php:35
[wpec_ty_downloads] public\includes\class-shortcodes.php:38
[wpec_show_all_products] public\includes\class-shortcodes.php:41
[wpec_show_products_from_category] public\includes\class-shortcodes.php:44

WordPress Hooks 63

action admin_enqueue_scripts admin\class-admin.php:56
action admin_enqueue_scripts admin\class-admin.php:57
action admin_menu admin\class-admin.php:59
action admin_notices admin\class-admin.php:61
filter option_page_capability_ppdg-settings-group admin\class-admin.php:67
action admin_init admin\class-admin.php:210
filter wp_default_editor admin\class-admin.php:1123
action admin_notices admin\includes\class-admin-user-feedback.php:22
filter list_table_primary_column admin\includes\class-orders-list.php:20
filter months_dropdown_results admin\includes\class-orders-list.php:21
action restrict_manage_posts admin\includes\class-orders-list.php:22
action pre_get_posts admin\includes\class-orders-list.php:23
action pre_get_posts admin\includes\class-orders-list.php:24
action add_meta_boxes admin\includes\class-orders-meta-boxes.php:29
action admin_menu admin\includes\class-orders-meta-boxes.php:30
filter list_table_primary_column admin\includes\class-products-list.php:18
action add_meta_boxes admin\includes\class-products-meta-boxes.php:18
filter post_updated_messages admin\includes\class-products-meta-boxes.php:22
filter wp_default_editor admin\includes\class-products-meta-boxes.php:579
filter wp_default_editor admin\includes\class-products-meta-boxes.php:634
action init includes\class-coupons.php:14
action wpec_create_order includes\class-coupons.php:15
action wpec_payment_completed includes\class-coupons.php:16
action wpec_before_settings_admin_menu_link includes\class-coupons.php:19
action init includes\class-init.php:17
action admin_init includes\class-init.php:18
filter woocommerce_payment_gateways includes\class-integrations.php:24
filter woocommerce_payment_gateways includes\class-integrations.php:25
filter wpec_product_type_subscription includes\class-integrations.php:30
action init includes\class-payment-processor-stripe.php:27
filter the_content includes\class-post-type-content-handler.php:30
filter the_content includes\class-post-type-content-handler.php:33
filter the_content includes\class-post-type-content-handler.php:62
filter the_content includes\class-post-type-content-handler.php:76
filter posts_orderby includes\class-products.php:188
filter wpec_button_js_data includes\class-self-hooks-handler.php:8
filter wpec_show_stripe_checkout_option_backward_compatible includes\class-self-hooks-handler.php:11
filter wpec_js_data includes\class-self-hooks-handler.php:14
action wpec_create_order includes\class-variations.php:61
action wpec_payment_completed includes\class-view-downloads.php:35
action wpec_payment_completed includes\integrations\emember\class-emember.php:13
action wpec_sub_webhook_event includes\integrations\emember\class-emember.php:16
action wpec_sub_stripe_webhook_event includes\integrations\emember\class-emember.php:17
action add_meta_boxes includes\integrations\emember\class-emember.php:266
action wpec_save_product_handler includes\integrations\emember\class-emember.php:267
filter wpec_buyer_notification_email_body includes\integrations\license-manager\class-license-manager.php:13
action add_meta_boxes includes\integrations\license-manager\class-license-manager.php:121
action wpec_save_product_handler includes\integrations\license-manager\class-license-manager.php:122
filter wpec_paypal_sdk_args includes\integrations\woocommerce\class-woocommerce-gateway.php:137
action before_woocommerce_init includes\integrations\woocommerce\class-wpec-woocommerce-init-handler.php:9
action woocommerce_blocks_payment_method_type_registration includes\integrations\woocommerce\class-wpec-woocommerce-init-handler.php:10
action wp includes\integrations\woocommerce\class-wpec-woocommerce-init-handler.php:12
action init public\class-main.php:55
action wpmu_new_blog public\class-main.php:58
action wp_enqueue_scripts public\class-main.php:61
action after_switch_theme public\class-main.php:63
action wp public\class-main.php:65
filter widget_text public\includes\class-shortcodes.php:47
action wp_enqueue_scripts public\includes\class-shortcodes.php:51
action wp_footer public\includes\class-shortcodes.php:365
action plugins_loaded wp-express-checkout.php:79
filter plugin_action_links wp-express-checkout.php:97
action admin_init wp-express-checkout.php:109

Maintenance & Trust

WP Express Checkout (Fast Payments via PayPal & Stripe) Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 21, 2026
PHP min version
Downloads: 87K

Community Trust

Rating: 98/100
Number of ratings: 31
Active installs: 2K
Developer Profile

WP Express Checkout (Fast Payments via PayPal & Stripe) Developer Profile

mra13

15 plugins · 210K total installs

Trust score: 76
Avg Security Score: 95/100
Avg Patch Time: 629 days
Detection Fingerprints

How We Detect WP Express Checkout (Fast Payments via PayPal & Stripe)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-express-checkout/assets/css/admin.css
/wp-content/plugins/wp-express-checkout/assets/js/admin.js
Script Paths
/wp-content/plugins/wp-express-checkout/assets/js/admin.js
Version Parameters
wp-express-checkout/assets/css/admin.css?ver=
wp-express-checkout/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpec-products-admin
wpec-orders-admin
wpec-ppec-products
wpec-paypal-express-checkout-button
wpec-stripe-checkout-button
HTML Comments
<!-- WPEC Admin User Feedback -->
<!-- WPEC Admin Notice -->
<!-- WPEC Product Form -->
<!-- WPEC Product Details -->
+2 more
Data Attributes
data-wpec-product-id
data-wpec-currency
data-wpec-amount
data-wpec-button-text
data-wpec-payment-method
data-wpec-stripe-publishable-key
JS Globals
window.wpec_ajax_object
REST Endpoints
/wp-json/wpec/v1/create-payment-intent
/wp-json/wpec/v1/process-payment
/wp-json/wpec/v1/validate-coupon
Shortcode Output
[wp_express_checkout]
[wpec_product_details]
[wpec_payment_form]