WP Express Checkout (Fast Payments via PayPal & Stripe) Security & Risk Analysis

wordpress.org/plugins/wp-express-checkout

Allows you to accept fast and secure payments for products and services via a payment popup window, supporting both the new PayPal and Stripe Checkout …

2K active installs · v2.4.8 · PHP + WP 6.0+ · Updated Apr 2, 2026
Tags: ecommerce, payment, paypal, sell, stripe
Score 99 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Mar 29, 2024
Safety Verdict

Is WP Express Checkout (Fast Payments via PayPal & Stripe) Safe to Use in 2026?

Generally Safe

Score 99/100

WP Express Checkout (Fast Payments via PayPal & Stripe) has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEs · Last CVE: Mar 29, 2024 · Updated 1mo ago
Risk Assessment

The wp-express-checkout plugin exhibits a generally good security posture (the static analysis below was run against v2.4.6; v2.4.8 is the current release), with several strong practices, including the exclusive use of prepared statements for SQL queries and a high rate of output escaping (82%, which still leaves 136 unescaped outputs to review). The absence of critical or high-severity known vulnerabilities and the fact that all past CVEs are patched are positive indicators. However, the plugin has a notable attack surface: 30 AJAX handler registrations, 5 of which the scan flags as unprotected, and 11 of which are registered on wp_ajax_nopriv_ and are therefore reachable without a login. For a guest checkout that is expected, so the control that matters on those endpoints is not authentication but nonce checking plus server-side recomputation of the amount; the plugin's most recent CVE (CVE-2024-30527) was precisely an unauthenticated price-manipulation bug in that path. While the taint analysis did not reveal any critical or high-severity unsanitized flows, the presence of 3 flows with unsanitized paths, even if assessed as low or medium severity by the analysis tool, warrants attention. The history of 2 medium-severity CVEs, the most recent in March 2024, shows that vulnerabilities are being addressed (patched 6 days and 312 days after disclosure respectively), but also a pattern of issues that could be exploited on a site left unpatched. The combination of unauthenticated endpoints and a history of vulnerabilities suggests a moderate risk level. Further investigation into the nature of the 3 unsanitized flows and the historical CVEs is recommended.

Key Concerns

  • Unprotected AJAX handlers
  • Flows with unsanitized paths
  • History of medium severity CVEs
Vulnerabilities
2 published

WP Express Checkout (Fast Payments via PayPal & Stripe) Security Vulnerabilities

CVEs by Year

2023: 1 CVE (patched)
2024: 1 CVE (patched)

Severity Breakdown

Medium
2

2 total CVEs

CVE-2024-30527 · medium · 5.3 · Use of Less Trusted Source

WP Express Checkout (Accept PayPal Payments) <= 2.3.7 - Unauthenticated Price Manipulation

Mar 29, 2024 Patched in 2.3.8 (6d)
CVE-2023-1469 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

WP Express Checkout <= 2.2.8 - Authenticated (Admin+) Stored Cross-Site Scripting via pec_coupon[code]

Mar 17, 2023 Patched in 2.2.9 (312d)
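The two Key Concerns above (unprotected AJAX handlers) and CVE-2024-30527 (unauthenticated price manipulation) describe the same failure mode: a guest-reachable checkout endpoint that lets the browser decide the amount. The following is an added example, not the plugin's own code and not the code that was fixed in 2.3.8; it shows the vulnerable shape beside a hardened handler using only WordPress core APIs. The hook names, post type, meta keys and option names (example_*, _example_price, example_coupons) are hypothetical.

```php
<?php
// Added example (not plugin code): a guest-reachable AJAX handler that never
// trusts a client-supplied amount. Hook names, post types, meta keys and
// option names are hypothetical; the WordPress functions are core APIs.

// Vulnerable shape: the amount the browser posts becomes the charge.
function example_create_order_trusting_client() {
    $amount     = (float) $_POST['amount'];          // attacker controls this
    $product_id = absint( $_POST['product_id'] );
    return array( 'product_id' => $product_id, 'amount' => $amount );
}

// Hardened shape: the server is the only authority on price.
function example_create_order_hardened() {
    // 1. CSRF: the nonce must match the one printed into the page for this action.
    //    A nonce is not authentication; guests legitimately reach this handler.
    check_ajax_referer( 'example_checkout_nonce', 'nonce' );

    // 2. Validate the identifier, then look the product up server-side.
    $product_id = isset( $_POST['product_id'] ) ? absint( wp_unslash( $_POST['product_id'] ) ) : 0;
    $product    = $product_id ? get_post( $product_id ) : null;
    if ( ! $product || 'example_product' !== $product->post_type || 'publish' !== $product->post_status ) {
        wp_send_json_error( array( 'message' => 'Unknown product.' ), 400 );
    }

    // 3. Price comes from stored data, never from the request.
    $unit_price = (float) get_post_meta( $product_id, '_example_price', true );
    $quantity   = isset( $_POST['quantity'] ) ? absint( wp_unslash( $_POST['quantity'] ) ) : 1;
    $quantity   = max( 1, min( $quantity, 100 ) );   // hypothetical per-order cap

    // 4. Coupons are resolved against stored records and bounded to 0..100%.
    $code     = isset( $_POST['coupon'] ) ? sanitize_text_field( wp_unslash( $_POST['coupon'] ) ) : '';
    $discount = example_lookup_discount_percent( $code );  // 0 when code is unknown
    $total    = round( $unit_price * $quantity * ( 1 - $discount / 100 ), 2 );

    // 5. A client-supplied figure is only compared, never used. A mismatch means
    //    the page was tampered with or is stale: reject it and leave a trace.
    $client_total = isset( $_POST['amount'] ) ? (float) $_POST['amount'] : null;
    if ( null !== $client_total && abs( $client_total - $total ) > 0.005 ) {
        error_log( sprintf( 'Price mismatch product=%d client=%.2f server=%.2f', $product_id, $client_total, $total ) );
        wp_send_json_error( array( 'message' => 'Price changed, please reload.' ), 409 );
    }

    // $total is what gets sent to the gateway and what the capture step re-checks.
    wp_send_json_success( array(
        'product_id' => $product_id,
        'amount'     => $total,
        'currency'   => get_option( 'example_currency', 'USD' ),
    ) );
}

function example_lookup_discount_percent( $code ) {
    if ( '' === $code ) {
        return 0;
    }
    // Hypothetical storage: an option mapping upper-cased code => percent off.
    $coupons = get_option( 'example_coupons', array() );
    $key     = strtoupper( $code );
    if ( ! isset( $coupons[ $key ] ) ) {
        return 0;
    }
    return max( 0, min( 100, (float) $coupons[ $key ] ) );
}

// Capture step: compare what the gateway actually captured with what the
// server recorded at order creation, not with anything posted by the browser.
// $gateway_capture is a simplified, hypothetical extraction of the gateway
// response (status, currency_code, value); real responses are nested deeper.
function example_capture_matches_order( array $gateway_capture, array $order ) {
    return 'COMPLETED' === ( isset( $gateway_capture['status'] ) ? $gateway_capture['status'] : '' )
        && $order['currency'] === ( isset( $gateway_capture['currency_code'] ) ? $gateway_capture['currency_code'] : '' )
        && abs( (float) ( isset( $gateway_capture['value'] ) ? $gateway_capture['value'] : 0 ) - $order['amount'] ) < 0.005;
}

add_action( 'wp_ajax_example_create_order', 'example_create_order_hardened' );
add_action( 'wp_ajax_nopriv_example_create_order', 'example_create_order_hardened' );
```

The nopriv registration is deliberate: a guest checkout has to be reachable without a login, and the wp_ajax_nopriv_ entries in the attack-surface list below are not a defect in themselves. What makes such an endpoint safe is that every figure that affects money is recomputed from stored data, and that the capture handler checks the gateway's own reported amount and currency against the stored order rather than against request parameters.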
Version History

WP Express Checkout (Fast Payments via PayPal & Stripe) Release Timeline

v2.4.8Current
v2.4.7
v2.4.6
v2.4.5
v2.4.4
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.17
v2.3.16
v2.3.15
v2.3.14
v2.3.13
v2.3.12
v2.3.7 · 1 CVE
v2.3.5 · 1 CVE
v2.3.3 · 1 CVE
v2.3.2 · 1 CVE
v2.3.0 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

WP Express Checkout (Fast Payments via PayPal & Stripe) Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
1 prepared
Unescaped Output
136
641 escaped
Nonce Checks
25
Capability Checks
3
File Operations
8
External Requests
3
Bundled Libraries
0

SQL Query Safety

100% prepared (1 query total)

Output Escaping

82% escaped (777 total outputs)
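The counts above (25 nonce checks against only 3 capability checks, and 136 unescaped outputs) point at two distinct controls that are easy to conflate. A nonce is CSRF protection and proves nothing about what the user is allowed to do; a capability check is the authorization. And sanitizing on save does not remove the need to escape at output, which is the shape of CVE-2023-1469 (a stored coupon code rendered in admin). The block below is an added example, not plugin code: the action name, capability, post type and meta keys (example_*, _example_status, _example_txn_id) are hypothetical, and example_gateway_refund() stands in for a real gateway call.

```php
<?php
// Added example, not plugin code: nonce check versus capability check on an
// admin-only AJAX action, and escaping a stored value at output time. Action
// names, capabilities, post types and meta keys are hypothetical; the
// WordPress functions are core APIs.

// Weak: a nonce only proves the request came from a page WordPress rendered
// for this user. Any logged-in subscriber who can see the nonce (it is
// printed into the page) could trigger a refund here.
function example_refund_weak() {
    check_ajax_referer( 'example_order_action', 'nonce' );
    example_gateway_refund( absint( $_POST['order_id'] ) );
    wp_send_json_success();
}

// Hardened: nonce (CSRF) + capability (authorization) + object validation +
// idempotency. Every early exit is a wp_die() via wp_send_json_error().
function example_refund_hardened() {
    check_ajax_referer( 'example_order_action', 'nonce' );

    // Authorization. is_admin() is NOT a substitute: it reports whether the
    // current URL is under wp-admin, and admin-ajax.php is, for everyone.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
    $order    = $order_id ? get_post( $order_id ) : null;
    if ( ! $order || 'example_order' !== $order->post_type ) {
        wp_send_json_error( array( 'message' => 'Not an order' ), 404 );
    }
    // Idempotency: refuse a second refund of the same order.
    if ( 'refunded' === get_post_meta( $order_id, '_example_status', true ) ) {
        wp_send_json_error( array( 'message' => 'Already refunded' ), 409 );
    }
    if ( ! example_gateway_refund( $order_id ) ) {
        wp_send_json_error( array( 'message' => 'Gateway refused the refund' ), 502 );
    }
    update_post_meta( $order_id, '_example_status', 'refunded' );
    // Audit trail: who, from where, when. Never log the nonce or gateway secrets.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '';
    add_post_meta( $order_id, '_example_audit', sprintf( 'refund by user %d from %s at %s', get_current_user_id(), $remote, gmdate( 'c' ) ) );
    wp_send_json_success( array( 'order_id' => $order_id ) );
}

// Hypothetical gateway call; a real one would use the stored transaction id
// and the gateway SDK. Returns false when there is nothing to refund.
function example_gateway_refund( $order_id ) {
    $txn = get_post_meta( $order_id, '_example_txn_id', true );
    return '' !== $txn;
}

add_action( 'wp_ajax_example_refund', 'example_refund_hardened' );
// Deliberately no wp_ajax_nopriv_ registration: a refund is never a guest action.

// Stored XSS shape (cf. CVE-2023-1469): a coupon code rendered in an admin
// table. sanitize_text_field() at save time strips tags but does not encode
// quotes or angle brackets that survive, and the value is attacker-settable
// by anyone who can edit coupons, so it must be escaped for the HTML context.
function example_coupon_cell_unescaped( array $coupon ) {
    return '<td>' . $coupon['code'] . '</td>';   // sink: raw stored string into HTML
}
function example_coupon_cell( array $coupon ) {
    return sprintf(
        '<td>%s</td><td><a href="%s">%s</a></td>',
        esc_html( $coupon['code'] ),              // text-node context
        esc_url( admin_url( 'post.php?post=' . absint( $coupon['id'] ) . '&action=edit' ) ),
        esc_html__( 'Edit', 'example' )
    );
}
```

CVE-2023-1469 was rated 4.4 because it required Admin+ rights, which matters mainly on multisite or on installs where unfiltered_html has been removed; the escaping discipline is the same either way, and the 136 unescaped outputs counted above are where a reviewer would start.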
Data Flows · Security
3 unsanitized

Data Flow Analysis

7 flows, 3 with unsanitized paths
paypal_onboard_actions_messages_handler (admin\class-admin.php:1447)
Attack Surface
5 unprotected

WP Express Checkout (Fast Payments via PayPal & Stripe) Attack Surface

Entry Points: 36
Unprotected: 5

AJAX Handlers 30 (auth = registered on wp_ajax_, logged-in users only; nopriv = registered on wp_ajax_nopriv_, reachable without a login)

auth · wp_ajax_wpec_feedback_notice_dismiss · admin\includes\class-admin-user-feedback.php:23
auth · wp_ajax_wpec_order_action_resend_email · admin\includes\class-orders-meta-boxes.php:33
auth · wp_ajax_wpec_order_action_reset_download_counts · admin\includes\class-orders-meta-boxes.php:34
auth · wp_ajax_wpec_order_action_payment_refund · admin\includes\class-orders-meta-boxes.php:35
auth · wp_ajax_wpec_add_order_note · admin\includes\class-orders-meta-boxes.php:36
auth · wp_ajax_wpec_delete_order_note · admin\includes\class-orders-meta-boxes.php:37
auth · wp_ajax_wpec_get_order_product_by_id · admin\includes\class-orders-meta-boxes.php:38
auth · wp_ajax_wpec_check_coupon · includes\class-coupons.php:23
nopriv · wp_ajax_wpec_check_coupon · includes\class-coupons.php:24
auth · wp_ajax_wpec_reset_log · includes\class-init.php:43
auth · wp_ajax_wpec_process_empty_payment · includes\class-payment-processor-free.php:23
nopriv · wp_ajax_wpec_process_empty_payment · includes\class-payment-processor-free.php:24
auth · wp_ajax_wpec_process_manual_checkout · includes\class-payment-processor-manual.php:21
nopriv · wp_ajax_wpec_process_manual_checkout · includes\class-payment-processor-manual.php:22
auth · wp_ajax_wpec_process_payment · includes\class-payment-processor.php:32
nopriv · wp_ajax_wpec_process_payment · includes\class-payment-processor.php:33
auth · wp_ajax_wpec_pp_create_order · includes\class-paypal-button-ajax-handler.php:19
nopriv · wp_ajax_wpec_pp_create_order · includes\class-paypal-button-ajax-handler.php:20
auth · wp_ajax_wpec_pp_capture_order · includes\class-paypal-button-ajax-handler.php:22
nopriv · wp_ajax_wpec_pp_capture_order · includes\class-paypal-button-ajax-handler.php:23
auth · wp_ajax_wpec_stripe_create_checkout_session · includes\class-stripe-button-ajax-handler.php:9
nopriv · wp_ajax_wpec_stripe_create_checkout_session · includes\class-stripe-button-ajax-handler.php:10
auth · wp_ajax_wpec_wc_generate_button · includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:16
nopriv · wp_ajax_wpec_wc_generate_button · includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:17
auth · wp_ajax_wpec_wc_block_payment_button_data · includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:20
nopriv · wp_ajax_wpec_wc_block_payment_button_data · includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:21
auth · wp_ajax_wpec_woocommerce_pp_create_order · includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:24
nopriv · wp_ajax_wpec_woocommerce_pp_create_order · includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:25
auth · wp_ajax_wpec_woocommerce_pp_capture_order · includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:28
nopriv · wp_ajax_wpec_woocommerce_pp_capture_order · includes\integrations\woocommerce\class-woocommerce-payment-button-ajax-handler.php:29

Shortcodes 6

[wp_express_checkout] public\includes\class-shortcodes.php:29
[wpec_thank_you] public\includes\class-shortcodes.php:32
[wpec_ty] public\includes\class-shortcodes.php:35
[wpec_ty_downloads] public\includes\class-shortcodes.php:38
[wpec_show_all_products] public\includes\class-shortcodes.php:41
[wpec_show_products_from_category] public\includes\class-shortcodes.php:44
WordPress Hooks 63
action · admin_enqueue_scripts · admin\class-admin.php:56
action · admin_enqueue_scripts · admin\class-admin.php:57
action · admin_menu · admin\class-admin.php:59
action · admin_notices · admin\class-admin.php:61
filter · option_page_capability_ppdg-settings-group · admin\class-admin.php:67
action · admin_init · admin\class-admin.php:210
filter · wp_default_editor · admin\class-admin.php:1123
action · admin_notices · admin\includes\class-admin-user-feedback.php:22
filter · list_table_primary_column · admin\includes\class-orders-list.php:20
filter · months_dropdown_results · admin\includes\class-orders-list.php:21
action · restrict_manage_posts · admin\includes\class-orders-list.php:22
action · pre_get_posts · admin\includes\class-orders-list.php:23
action · pre_get_posts · admin\includes\class-orders-list.php:24
action · add_meta_boxes · admin\includes\class-orders-meta-boxes.php:29
action · admin_menu · admin\includes\class-orders-meta-boxes.php:30
filter · list_table_primary_column · admin\includes\class-products-list.php:18
action · add_meta_boxes · admin\includes\class-products-meta-boxes.php:18
filter · post_updated_messages · admin\includes\class-products-meta-boxes.php:22
filter · wp_default_editor · admin\includes\class-products-meta-boxes.php:579
filter · wp_default_editor · admin\includes\class-products-meta-boxes.php:634
action · init · includes\class-coupons.php:14
action · wpec_create_order · includes\class-coupons.php:15
action · wpec_payment_completed · includes\class-coupons.php:16
action · wpec_before_settings_admin_menu_link · includes\class-coupons.php:19
action · init · includes\class-init.php:17
action · admin_init · includes\class-init.php:18
filter · woocommerce_payment_gateways · includes\class-integrations.php:24
filter · woocommerce_payment_gateways · includes\class-integrations.php:25
filter · wpec_product_type_subscription · includes\class-integrations.php:30
action · init · includes\class-payment-processor-stripe.php:27
filter · the_content · includes\class-post-type-content-handler.php:30
filter · the_content · includes\class-post-type-content-handler.php:33
filter · the_content · includes\class-post-type-content-handler.php:62
filter · the_content · includes\class-post-type-content-handler.php:76
filter · posts_orderby · includes\class-products.php:188
filter · wpec_button_js_data · includes\class-self-hooks-handler.php:8
filter · wpec_show_stripe_checkout_option_backward_compatible · includes\class-self-hooks-handler.php:11
filter · wpec_js_data · includes\class-self-hooks-handler.php:14
action · wpec_create_order · includes\class-variations.php:61
action · wpec_payment_completed · includes\class-view-downloads.php:35
action · wpec_payment_completed · includes\integrations\emember\class-emember.php:13
action · wpec_sub_webhook_event · includes\integrations\emember\class-emember.php:16
action · wpec_sub_stripe_webhook_event · includes\integrations\emember\class-emember.php:17
action · add_meta_boxes · includes\integrations\emember\class-emember.php:266
action · wpec_save_product_handler · includes\integrations\emember\class-emember.php:267
filter · wpec_buyer_notification_email_body · includes\integrations\license-manager\class-license-manager.php:13
action · add_meta_boxes · includes\integrations\license-manager\class-license-manager.php:121
action · wpec_save_product_handler · includes\integrations\license-manager\class-license-manager.php:122
filter · wpec_paypal_sdk_args · includes\integrations\woocommerce\class-woocommerce-gateway.php:137
action · before_woocommerce_init · includes\integrations\woocommerce\class-wpec-woocommerce-init-handler.php:9
action · woocommerce_blocks_payment_method_type_registration · includes\integrations\woocommerce\class-wpec-woocommerce-init-handler.php:10
action · wp · includes\integrations\woocommerce\class-wpec-woocommerce-init-handler.php:12
action · init · public\class-main.php:55
action · wpmu_new_blog · public\class-main.php:58
action · wp_enqueue_scripts · public\class-main.php:61
action · after_switch_theme · public\class-main.php:63
action · wp · public\class-main.php:65
filter · widget_text · public\includes\class-shortcodes.php:47
action · wp_enqueue_scripts · public\includes\class-shortcodes.php:51
action · wp_footer · public\includes\class-shortcodes.php:365
action · plugins_loaded · wp-express-checkout.php:79
filter · plugin_action_links · wp-express-checkout.php:97
action · admin_init · wp-express-checkout.php:109
Maintenance & Trust

WP Express Checkout (Fast Payments via PayPal & Stripe) Maintenance & Trust

Maintenance Signals

WordPress version tested: 7.0
Last updated: Apr 2, 2026
PHP min version: (not listed)
Downloads: 90K

Community Trust

Rating: 98/100
Number of ratings: 32
Active installs: 2K
Developer Profile

WP Express Checkout (Fast Payments via PayPal & Stripe) Developer Profile

mra13

15 plugins · 210K total installs

Trust score: 76
Avg Security Score
95/100
Avg Patch Time
616 days
Detection Fingerprints

How We Detect WP Express Checkout (Fast Payments via PayPal & Stripe)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-express-checkout/assets/css/admin.css
/wp-content/plugins/wp-express-checkout/assets/js/admin.js
Script Paths
/wp-content/plugins/wp-express-checkout/assets/js/admin.js
Version Parameters
wp-express-checkout/assets/css/admin.css?ver=
wp-express-checkout/assets/js/admin.js?ver=

HTML / DOM Fingerprints

CSS Classes
wpec-products-admin, wpec-orders-admin, wpec-ppec-products, wpec-paypal-express-checkout-button, wpec-stripe-checkout-button
HTML Comments
<!-- WPEC Admin User Feedback -->, <!-- WPEC Admin Notice -->, <!-- WPEC Product Form -->, <!-- WPEC Product Details --> (+2 more)
Data Attributes
data-wpec-product-id, data-wpec-currency, data-wpec-amount, data-wpec-button-text, data-wpec-payment-method, data-wpec-stripe-publishable-key
JS Globals
window.wpec_ajax_object
REST Endpoints
/wp-json/wpec/v1/create-payment-intent
/wp-json/wpec/v1/process-payment
/wp-json/wpec/v1/validate-coupon
Shortcode Output
[wp_express_checkout], [wpec_product_details], [wpec_payment_form]
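How these fingerprints are used in practice: a crawler looks for the asset path, reads the version from the ?ver= parameter when one is present, and compares it with the affected ranges of the CVEs listed on this page (<= 2.3.7 for CVE-2024-30527, <= 2.2.8 for CVE-2023-1469). The block below is an added example in PHP, not the scanner's own code; the sample HTML is constructed, and the example_* function names are assumptions.

```php
<?php
// Added example (not the scanner's own code): detect the plugin from page
// HTML using the fingerprints listed above, pull the version from the ?ver=
// query parameter, and map it to the two CVEs on this page.

function example_fingerprint_wpec( $html ) {
    $result = array( 'detected' => false, 'version' => null, 'evidence' => array() );

    // 1. Asset path carrying a version parameter: strongest signal, and the
    //    only one that yields a version. The ?ver= value is whatever the plugin
    //    passed to wp_enqueue_script(), so treat it as indicative, not proven.
    $asset = '#/wp-content/plugins/wp-express-checkout/assets/(?:js|css)/[\w.-]+\.(?:js|css)\?ver=([0-9][\w.-]*)#';
    if ( preg_match( $asset, $html, $m ) ) {
        $result['detected']   = true;
        $result['version']    = $m[1];
        $result['evidence'][] = 'asset ver=' . $m[1];
    } elseif ( false !== strpos( $html, '/wp-content/plugins/wp-express-checkout/' ) ) {
        $result['detected']   = true;
        $result['evidence'][] = 'asset path';
    }

    // 2. DOM markers from the fingerprint list: confirm presence, carry no version.
    $markers = array(
        'wpec-paypal-express-checkout-button',
        'wpec-stripe-checkout-button',
        'data-wpec-product-id',
        'window.wpec_ajax_object',
    );
    foreach ( $markers as $marker ) {
        if ( false !== strpos( $html, $marker ) ) {
            $result['detected']   = true;
            $result['evidence'][] = $marker;
        }
    }
    return $result;
}

// Affected ranges taken from the Vulnerabilities section of this page.
const EXAMPLE_WPEC_CVES = array(
    'CVE-2024-30527' => array( 'max_affected' => '2.3.7', 'fixed' => '2.3.8', 'title' => 'Unauthenticated price manipulation' ),
    'CVE-2023-1469'  => array( 'max_affected' => '2.2.8', 'fixed' => '2.2.9', 'title' => 'Authenticated (Admin+) stored XSS via pec_coupon[code]' ),
);

// Returns the CVE ids that apply to $version. With no version we cannot rule
// anything out, so every CVE is reported and the caller should verify by hand.
function example_wpec_applicable_cves( $version ) {
    if ( null === $version ) {
        return array_keys( EXAMPLE_WPEC_CVES );
    }
    $hits = array();
    foreach ( EXAMPLE_WPEC_CVES as $id => $cve ) {
        if ( version_compare( $version, $cve['max_affected'], '<=' ) ) {
            $hits[] = $id;
        }
    }
    return $hits;
}

// Constructed sample page: one versioned asset tag and one payment button.
$sample = '<link rel="stylesheet" href="https://shop.example/wp-content/plugins/wp-express-checkout/assets/css/admin.css?ver=2.3.5">'
        . '<div class="wpec-paypal-express-checkout-button" data-wpec-product-id="12"></div>';

$fp = example_fingerprint_wpec( $sample );
printf(
    "detected=%s version=%s evidence=[%s] cves=%s\n",
    var_export( $fp['detected'], true ),
    $fp['version'],
    implode( ', ', $fp['evidence'] ),
    implode( ',', example_wpec_applicable_cves( $fp['version'] ) ) ?: 'none'
);
```

Two caveats for an unauthenticated crawl. The asset paths in the fingerprint list are admin.css and admin.js, and the hooks list shows them enqueued on admin_enqueue_scripts (admin\class-admin.php:56-57), so a front-end page will usually expose only the DOM markers and no version; when that happens the function reports all known CVEs as unverified rather than none. And data-wpec-amount appearing in the DOM is a reminder of where the price-manipulation class of bug comes from: anything in a data attribute is editable by the visitor, and the server must recompute it.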
FAQ

Frequently Asked Questions about WP Express Checkout (Fast Payments via PayPal & Stripe)