Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management Security & Risk Analysis

wordpress.org/plugins/wp-payment-form

Create payment form, donate button to accept payments and donations. Manage subscription payment, recurring donation with customer/donor management.

4K active installs · v4.6.20 · PHP 7.1+ · WP 4.5+ · Updated Apr 16, 2026

Tags: donation, fundraising, payment, payment-plugin, stripe-payment

Score: 95 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Apr 29, 2026
Safety Verdict

Is Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management Safe to Use in 2026?

Generally Safe

Score 95/100

Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

3 known CVEs · Last CVE: Apr 29, 2026 · Updated 1mo ago
Risk Assessment

The "wp-payment-form" v4.6.19 plugin exhibits a mixed security posture. On the positive side, a high percentage of SQL queries use prepared statements and output escaping is generally well-implemented. The absence of critical or high severity taint flows is also encouraging. However, significant concerns arise from the large attack surface, particularly the 16 unprotected AJAX handlers, which represent a substantial entry point for potential attacks. The presence of the `unserialize` function is a red flag, as it can lead to remote code execution vulnerabilities if not handled with extreme care and proper input validation.

The plugin's vulnerability history, with two known CVEs (one high and one medium severity), both related to Cross-Site Scripting, indicates a past tendency to have input sanitization issues. While there are currently no unpatched vulnerabilities, this history suggests a recurring pattern of input validation weaknesses that could resurface. The last recorded vulnerability was in August 2022, which is not recent but still within a concerning timeframe.

Overall, while the plugin demonstrates some good security practices in terms of prepared statements and output escaping, the significant number of unprotected AJAX endpoints and the historical prevalence of XSS vulnerabilities warrant caution. The use of `unserialize` without clear context of its sanitization is a critical area of concern. A proactive approach to securing these entry points and ensuring robust input validation is crucial for mitigating risks.

Key Concerns

  • Large number of unprotected AJAX handlers
  • Use of dangerous unserialize function
  • Past high severity vulnerability (XSS)
  • Past medium severity vulnerability (XSS)
  • Low number of nonce checks relative to entry points
  • Bundled TinyMCE library (potential outdatedness)
Vulnerabilities
3 published

Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management Security Vulnerabilities

CVEs by Year

2022: 2 CVEs (patched)
2026: 1 CVE (patched)

Severity Breakdown

High: 1
Medium: 2

3 total CVEs

CVE-2026-42655 · medium · 5.3 · Missing Authorization

Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management <= 4.6.19 - Missing Authorization

Apr 29, 2026 · Patched in 4.6.20 (6d)

CVE-2022-2565 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Payment Donations <= 4.2.0 - Unauthenticated Stored Cross-Site Scripting

Aug 10, 2022 · Patched in 4.2.1 (531d)

WF-cffe745d-2fe2-4959-9641-9a0ae33bff4c-wp-payment-form · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Simple Payment Donations <= 4.2.0 - Reflected Cross-Site Scripting

Aug 10, 2022 · Patched in 4.2.1 (531d)
Version History

Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management Release Timeline

v4.6.20 · Current
v4.6.19 · 1 CVE
v4.6.18 · 1 CVE
v4.6.17 · 1 CVE
v4.6.16 · 1 CVE
v4.6.15 · 1 CVE
v4.6.14 · 1 CVE
v4.6.13 · 1 CVE
v4.6.12 · 1 CVE
v4.6.11 · 1 CVE
v4.6.10 · 1 CVE
v4.6.9 · 1 CVE
v4.6.8 · 1 CVE
v4.6.7 · 1 CVE
v4.6.6 · 1 CVE
v4.6.5 · 1 CVE
v4.6.4 · 1 CVE
v4.6.3 · 1 CVE
v4.6.2 · 1 CVE
v4.6.1 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management Code Analysis

Dangerous Functions: 2
Raw SQL Queries: 5 (15 prepared)
Unescaped Output: 127 (1233 escaped)
Nonce Checks: 4
Capability Checks: 27
File Operations: 7
External Requests: 13
Bundled Libraries: 1

Dangerous Functions Found

unserialize · boot\wppayform-globals.php:160 · return @unserialize(trim($wppayform_data), ['allowed_classes' => false]);
unserialize · boot\wppayform-globals.php:174 · return @unserialize(trim($data), ['allowed_classes' => false]);

Bundled Libraries

TinyMCE

SQL Query Safety

75% prepared (20 total queries)

Output Escaping

91% escaped (1360 total outputs)
Data Flows · Security
6 unsanitized

Data Flow Analysis

11 flows, 6 with unsanitized paths
showSuccessMessage (app\Modules\PaymentMethods\Stripe\StripeHostedHandler.php:590)
Attack Surface
16 unprotected

Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management Attack Surface

Entry Points: 20
Unprotected: 16

AJAX Handlers 18

auth · wp_ajax_wpf_submit_form · app\Hooks\actions.php:138
nopriv · wp_ajax_wpf_submit_form · app\Hooks\actions.php:139
auth · wp_ajax_wpf_leader_board_render · app\Hooks\actions.php:142
nopriv · wp_ajax_wpf_leader_board_render · app\Hooks\actions.php:143
auth · wp_ajax_wppayform_background_process · app\Hooks\actions.php:280
nopriv · wp_ajax_wppayform_background_process · app\Hooks\actions.php:281
auth · wp_ajax_paymattic_pro_version_update_notice_dismiss · app\Modules\Exterior\ProcessDemoPage.php:133
auth · wp_ajax_wpf_save_stripe_settings · app\Modules\PaymentMethods\Stripe\Stripe.php:41
auth · wp_ajax_wpf_get_stripe_settings · app\Modules\PaymentMethods\Stripe\Stripe.php:42
auth · wp_ajax_wppayform_sca_inline_confirm_payment · app\Modules\PaymentMethods\Stripe\StripeInlineHandler.php:38
nopriv · wp_ajax_wppayform_sca_inline_confirm_payment · app\Modules\PaymentMethods\Stripe\StripeInlineHandler.php:39
auth · wp_ajax_wppayform_sca_inline_confirm_payment_setup_intents · app\Modules\PaymentMethods\Stripe\StripeInlineHandler.php:44
nopriv · wp_ajax_wppayform_sca_inline_confirm_payment_setup_intents · app\Modules\PaymentMethods\Stripe\StripeInlineHandler.php:45
auth · wp_ajax_wppayform_pdf_admin_ajax_actions · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:33
auth · wp_ajax_wppayform_pdf_download · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:76
auth · wp_ajax_wppayform_pdf_download_public · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:77
nopriv · wp_ajax_wppayform_pdf_download_public · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:78
auth · wp_ajax_wppayform_pdf_download_dashboard · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:79

Shortcodes 2

[wppayform] app\Hooks\Handlers\DependencyHandler.php:58
[wppayform_reciept] app\Hooks\Handlers\DependencyHandler.php:77
WordPress Hooks 106
action · current_screen · app\Hooks\actions.php:24
action · admin_head · app\Hooks\actions.php:27
action · admin_enqueue_scripts · app\Hooks\actions.php:33
action · wp_print_scripts · app\Hooks\actions.php:57
action · wp_enqueue_scripts · app\Hooks\actions.php:61
action · admin_init · app\Hooks\actions.php:67
action · plugins_loaded · app\Hooks\actions.php:86
filter · login_redirect · app\Hooks\actions.php:95
filter · wppayform/print_styles · app\Hooks\actions.php:129
filter · plugin_row_meta · app\Hooks\actions.php:180
filter · user_can_richedit · app\Hooks\Handlers\AdminMenuHandler.php:216
filter · admin_footer_text · app\Hooks\Handlers\AdminMenuHandler.php:335
filter · update_footer · app\Hooks\Handlers\AdminMenuHandler.php:355
action · payment_handle_after_hundred_percent_discount · app\Hooks\Handlers\SubmissionHandler.php:372
action · wppayform/after_transaction_data_insert · app\Hooks\Scheduler\PendingPaymentExpirationHandler.php:14
action · wppayform/process_expiration · app\Hooks\Scheduler\PendingPaymentExpirationHandler.php:15
action · plugins_loaded · app\Modules\ActionScheduler\ActionScheduler.php:8
action · plugins_loaded · app\Modules\ActionScheduler\ActionScheduler.php:11
action · wp_footer · app\Modules\Builder\Render.php:411
action · wp_footer · app\Modules\Builder\Render.php:438
filter · template_include · app\Modules\Exterior\ProcessDemoPage.php:108
action · admin_notices · app\Modules\Exterior\ProcessDemoPage.php:137
filter · wp_handle_upload_prefilter · app\Modules\File\FileHandler.php:54
filter · upload_dir · app\Modules\File\FileHandler.php:55
filter · wp_handle_upload · app\Modules\File\FileHandler.php:57
filter · wppayform/customer_dashboard/menus · app\Modules\FluentCommunity\FluentCommunity.php:9
filter · wppayform/form_components · app\Modules\FormComponents\BaseComponent.php:23
action · wp_enqueue_scripts · app\Modules\FormComponents\BaseComponent.php:25
filter · wppayform/choose_payment_method_for_submission · app\Modules\FormComponents\ChoosePaymentMethodComponent.php:17
filter · wppayform/validate_data_on_submission_customer_email · app\Modules\FormComponents\CustomerEmailComponent.php:17
action · wp_footer · app\Modules\FormComponents\CustomPhoneNumber.php:140
action · wp_footer · app\Modules\FormComponents\DateComponent.php:220
filter · wppayform/validate_component_on_save_currency_switcher · app\Modules\FormComponents\DemoCurrencySwitcherComponent.php:19
filter · wppayform/validate_component_on_save_tabular_products · app\Modules\FormComponents\DemoTabularProductsComponent.php:18
filter · wppayform/validate_component_on_save_tax_payment_input · app\Modules\FormComponents\DemoTaxItemComponent.php:18
filter · wppayform/validate_component_on_save_payment_item · app\Modules\FormComponents\DonationComponent.php:19
filter · wppayform/validate_component_on_save_hidden_input · app\Modules\FormComponents\HiddenInputComponent.php:16
filter · wppayform/validate_component_on_save_item_quantity · app\Modules\FormComponents\ItemQuantityComponent.php:16
filter · wppayform/validate_data_on_submission_item_quantity · app\Modules\FormComponents\ItemQuantityComponent.php:17
filter · wppayform/validate_component_on_save_payment_item · app\Modules\FormComponents\PaymentItemComponent.php:18
action · wp_dashboard_setup · app\Modules\Integrations\DashboardWidget.php:15
filter · mce_external_plugins · app\Modules\Integrations\TinyMceBlock.php:49
filter · mce_buttons · app\Modules\Integrations\TinyMceBlock.php:50
action · enqueue_block_editor_assets · app\Modules\Integrations\TinyMceBlock.php:90
filter · wppayform/dynamic_payment_calculation · app\Modules\NumericCalculation\NumericCalculation.php:14
action · wppayform/payment_method_choose_element_render_offline · app\Modules\PaymentMethods\Offline\OfflineElement.php:19
filter · wppayform/available_payment_methods · app\Modules\PaymentMethods\Offline\OfflineElement.php:20
filter · wppayform/choose_payment_method_for_submission · app\Modules\PaymentMethods\Offline\OfflineProcessor.php:23
action · wppayform/form_submission_make_payment_offline · app\Modules\PaymentMethods\Offline\OfflineProcessor.php:24
action · wppayform/offline_action_subcr_sync · app\Modules\PaymentMethods\Offline\OfflineProcessor.php:26
action · wppayform/offline_action_subcr_status_change · app\Modules\PaymentMethods\Offline\OfflineProcessor.php:28
action · wppayform/offline_action_subcr_payment_status_change · app\Modules\PaymentMethods\Offline\OfflineProcessor.php:30
filter · wppayform/form_entry · app\Modules\PaymentMethods\Offline\OfflineProcessor.php:32
filter · wppayform_payment_method_settings_mapper_offline · app\Modules\PaymentMethods\Offline\OfflineSettings.php:20
filter · wppayform_payment_method_settings_validation_offline · app\Modules\PaymentMethods\Offline\OfflineSettings.php:21
filter · wppayform/parsed_entry · app\Modules\PaymentMethods\Stripe\Stripe.php:27
filter · wppayform/submission_data_formatted · app\Modules\PaymentMethods\Stripe\Stripe.php:28
filter · wppayform/entry_transactions_stripe · app\Modules\PaymentMethods\Stripe\Stripe.php:30
filter · wppayform/choose_payment_method_for_submission · app\Modules\PaymentMethods\Stripe\Stripe.php:31
action · wppayform/after_submission_data_insert_stripe · app\Modules\PaymentMethods\Stripe\Stripe.php:37
action · wppayform/form_submission_make_payment_stripe · app\Modules\PaymentMethods\Stripe\Stripe.php:38
filter · wppayform/checkout_vars · app\Modules\PaymentMethods\Stripe\Stripe.php:44
filter · wppayform/submitted_payment_items_stripe · app\Modules\PaymentMethods\Stripe\Stripe.php:49
action · wppayform/subscription_settings_sync_stripe · app\Modules\PaymentMethods\Stripe\Stripe.php:52
action · wppayform/subscription_settings_cancel_stripe · app\Modules\PaymentMethods\Stripe\Stripe.php:55
action · wppayform/capture_authorized_amount_stripe · app\Modules\PaymentMethods\Stripe\Stripe.php:58
filter · wppayform/validate_gateway_api_stripe · app\Modules\PaymentMethods\Stripe\StripeCardElementComponent.php:18
action · wppayform/payment_method_choose_element_render_stripe · app\Modules\PaymentMethods\Stripe\StripeCardElementComponent.php:22
filter · wppayform/available_payment_methods · app\Modules\PaymentMethods\Stripe\StripeCardElementComponent.php:23
filter · wppayform/checkout_vars · app\Modules\PaymentMethods\Stripe\StripeCardElementComponent.php:117
action · wppayform/frameless_pre_render_page_stripe_hosted_success · app\Modules\PaymentMethods\Stripe\StripeHostedHandler.php:33
action · wppayform/frameless_body_stripe_hosted_success · app\Modules\PaymentMethods\Stripe\StripeHostedHandler.php:34
action · wppayform/frameless_pre_render_page_stripe_hosted_cancel · app\Modules\PaymentMethods\Stripe\StripeHostedHandler.php:35
action · wppayform/frameless_body_stripe_hosted_cancel · app\Modules\PaymentMethods\Stripe\StripeHostedHandler.php:36
filter · wppayform/process_refund_stripe · app\Modules\PaymentMethods\Stripe\StripeHostedHandler.php:37
filter · wppayform/form_submission_make_payment_stripe_inline · app\Modules\PaymentMethods\Stripe\StripeInlineHandler.php:33
action · init · app\Modules\PaymentMethods\Stripe\StripeListener.php:27
filter · wppayform/stripe_onetime_payment_metadata · app\Modules\PaymentMethods\Stripe\StripeListener.php:28
filter · wppayform_global_settings_components · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:30
filter · wppayform_single_entry_widgets · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:35
filter · wppayform_email_attachments · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:37
action · wppayform_addons_page_render_fluent_pdf_settings · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:39
filter · wppayform/all_shortcodes · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:59
filter · wppayform/all_placeholders · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:60
filter · wppayform_shortcode_parser_callback_pdf.download_link · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:62
filter · wppayform_shortcode_parser_callback_pdf.download_link.public · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:69
filter · wppayform_dashboard_entry_invoice_url · app\Modules\PDF\Manager\WPPayFormPdfBuilder.php:81
filter · wppayform_single_entry_widgets · app\Services\Integrations\FluentCrm\FluentCrmInit.php:17
filter · wppayform_customer_profile · app\Services\Integrations\FluentCrm\FluentCrmInit.php:18
action · wppayform/after_payment_status_change · app\Services\Integrations\FluentCrm\FluentCrmInit.php:20
action · wppayform/subscription_payment_canceled · app\Services\Integrations\FluentCrm\FluentCrmInit.php:21
filter · wppayform_notifying_async_fluentsupport · app\Services\Integrations\FluentSupport\Bootstrap.php:38
filter · wppayform_single_entry_widgets · app\Services\Integrations\FluentSupport\FluentSupport.php:13
filter · wppayform_customer_profile · app\Services\Integrations\FluentSupport\FluentSupport.php:14
filter · wppayform_global_addons · app\Services\Integrations\IntegrationManager.php:38
filter · wppayform_global_notification_types · app\Services\Integrations\IntegrationManager.php:68
filter · wppayform_get_available_form_integrations · app\Services\Integrations\IntegrationManager.php:70
filter · wppayform_global_notification_active_types · app\Services\Integrations\IntegrationManager.php:85
action · wppayform_chained_mailchimp_interest_groups · app\Services\Integrations\MailChimp\MailChimpIntegration.php:33
filter · wppayform_global_notification_feeds · app\Services\Integrations\Slack\Bootstrap.php:36
filter · wppayform_notifying_async_slack · app\Services\Integrations\Slack\Bootstrap.php:38
filter · wppayform_global_notification_active_types · app\Services\Integrations\Slack\SlackNotificationActions.php:18
action · wppayform_integration_notify_slack · app\Services\Integrations\Slack\SlackNotificationActions.php:25
action · plugins_loaded · boot\app.php:22
action · admin_notices · boot\app.php:25
action · wppayform_loading_app · boot\app.php:39
Maintenance & Trust

Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 16, 2026
PHP min version: 7.1
Downloads: 157K

Community Trust

Rating: 96/100
Number of ratings: 42
Active installs: 4K
Developer Profile

Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management Developer Profile

WPManageNinja

5 plugins · 30K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 295 days
Detection Fingerprints

How We Detect Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/wp-payment-form/assets/css/wppayform_deactivate.css
/wp-content/plugins/wp-payment-form/assets/js/wppayform_deactivate.js
/wp-content/plugins/wp-payment-form/assets/css/twenty-twenty-one-fix.css
/wp-content/plugins/wp-payment-form/assets/css/payforms-admin.css
/wp-content/plugins/wp-payment-form/assets/css/payforms-print.css
Script Paths
/wp-content/plugins/wp-payment-form/assets/js/wppayform_deactivate.js
Version Parameters
wp-payment-form/assets/css/wppayform_deactivate.css?ver=
wp-payment-form/assets/js/wppayform_deactivate.js?ver=
wp-payment-form/assets/css/twenty-twenty-one-fix.css?ver=
wp-payment-form/assets/css/payforms-admin.css?ver=
wp-payment-form/assets/css/payforms-print.css?ver=

HTML / DOM Fingerprints

CSS Classes
wppayform-container
HTML Comments
Form Submission Handler
Leaderboard render Handler
integration
integration on payment success
+1 more
Data Attributes
data-wppf-form-id
JS Globals
WPPAYFORM_VERSION
WPPAYFORM_URL
WPPAYFORM_DIR
REST Endpoints
/wp-json/wp-payform/v1/submit
/wp-json/wp-payform/v1/leaderboard
FAQ

Frequently Asked Questions about Paymattic – Secure, Simple Payment & Donation with Subscription Payments, Recurring Donations, Customer Management