YITH PayPal Express Checkout for WooCommerce Security & Risk Analysis

wordpress.org/plugins/yith-paypal-express-checkout-for-woocommerce

Make payments immediate with PayPal Express Checkout and forget about customers’ complaints about pending orders.

1K active installs · v1.56.0 · PHP 7.4+ · WP 6.7+ · Updated Mar 6, 2026

Tags: express-checkout-for-woocommerce, gateway-paypal, paypal, paypal-express-checkout, woocommerce-paypal-express-checkout

Score: 97/100 (A · Safe)
CVEs total: 2
Unpatched: 0
Last CVE: Jun 16, 2025
Safety Verdict

Is YITH PayPal Express Checkout for WooCommerce Safe to Use in 2026?

Generally Safe

Score 97/100

YITH PayPal Express Checkout for WooCommerce has a strong security track record: both known vulnerabilities are patched, and nothing is currently outstanding. Patch speed has been uneven, though: the June 2025 CSRF was fixed in 10 days, while the November 2022 Missing Authorization issue took 438 days.

2 known CVEs · Last CVE: Jun 16, 2025 · Updated 28d ago
Risk Assessment

The "yith-paypal-express-checkout-for-woocommerce" plugin, version 1.56.0, shows a generally good security posture: all 9 SQL queries use prepared statements, 94% of outputs are escaped (1506 of 1596), and the code contains 17 nonce checks and 16 capability checks. The main concern is one AJAX entry point counted as unprotected (no authentication check), which is a direct attack vector. Note that all six wp_ajax handlers in the attack-surface listing below are marked as authenticated, so the listing does not identify which entry point is being counted; verify it against the source rather than assuming it is one of the six. The taint analysis found one of 14 data flows with an unsanitized path, rated high severity, that ends in a do_shortcode sink inside the bundled YITH framework (plugin-fw). Shortcodes run registered PHP callbacks, so attacker-controlled input reaching do_shortcode lets the caller invoke any registered shortcode with attributes of their choosing.

The vulnerability history holds two CVEs, one per weakness class: a high-severity Missing Authorization issue disclosed in November 2022 that affected many YITH plugins at once and took 438 days to patch, and a medium-severity (CVSS 4.3) Cross-Site Request Forgery disclosed in June 2025 and patched in 10 days. Nothing is currently unpatched, but both issues are failures of request authorization (capability checks and nonces), the same class the unprotected entry point falls into. Because the 2022 issue spanned many YITH plugins and the taint sink flagged here sits in the shared plugin-fw directory, part of this plugin's security depends on framework updates shipped with each release. The bundled Select2 library is not a vulnerability in itself, but the page does not record its version, so it should be checked against upstream for known issues.

In conclusion, the plugin implements sound practices in most places, but the unprotected AJAX entry point and the high-severity taint flow into do_shortcode need attention first. Given the history of authorization and CSRF defects, every AJAX handler and admin action should be checked for a nonce, a capability check appropriate to the operation, and input validation before the operation runs. Closing these gaps would raise the plugin's posture considerably.

Key Concerns

  • AJAX handler without auth check (1 of 6 entry points counted as unprotected)
  • Taint flow with unsanitized path into do_shortcode (High severity, plugin-fw)
  • High severity vulnerability in history (Missing Authorization, Nov 2022, 438 days to patch)
  • Bundled library (Select2, version not recorded)
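The concerns above come down to three checks that a WordPress AJAX handler either has or lacks: a nonce (the CSRF class), a capability check (the Missing Authorization class), and input validation before the dangerous operation (the do_shortcode sink in the data-flow listing). The following is an added illustration and not code from the YITH plugin or its framework; every function and hook name beginning with `example_` is invented, and it assumes WordPress and WooCommerce are loaded. It shows the unchecked shape beside the hardened one, and separately a handler on a `wc_ajax_*` hook, which WooCommerce serves through its `?wc-ajax=` endpoint to anonymous visitors as well as logged-in users.

```php
<?php
/**
 * Plugin Name: Example AJAX hardening (added illustration, not YITH code)
 *
 * Hypothetical handlers showing the three checks the scan on this page
 * counts: nonce (CSRF), capability (authorization) and input validation.
 * Assumes WordPress and WooCommerce are loaded; all names are invented.
 */

defined( 'ABSPATH' ) || exit;

/*
 * BEFORE: the shape of an "AJAX handler without auth check".
 * wp_ajax_* runs for any logged-in user. With no nonce, a cross-site form
 * submitted by an administrator's browser succeeds (CSRF); with no capability
 * check, a subscriber can call it directly (Missing Authorization).
 */
function example_dismiss_notice_unchecked() {
	update_option( 'example_dismissed_notice', $_POST['notice_id'] );
	wp_die();
}
add_action( 'wp_ajax_example_dismiss_unchecked', 'example_dismiss_notice_unchecked' );

/*
 * AFTER: the same handler with the checks a scanner looks for.
 */
function example_dismiss_notice_checked() {
	// 1. CSRF: the request must carry a nonce minted for this action.
	check_ajax_referer( 'example_dismiss_notice', 'security' );

	// 2. Authorization: logged-in is not enough; require the capability that
	//    matches the operation (a store-level setting => manage_woocommerce).
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}

	// 3. Input: unslash, sanitize, then validate against an allow-list.
	$notice_id = isset( $_POST['notice_id'] ) ? sanitize_key( wp_unslash( $_POST['notice_id'] ) ) : '';
	if ( ! in_array( $notice_id, array( 'welcome', 'upgrade' ), true ) ) {
		wp_send_json_error( array( 'message' => 'unknown notice' ), 400 );
	}

	update_option( 'example_dismissed_notice', $notice_id );
	wp_send_json_success();
}
add_action( 'wp_ajax_example_dismiss_checked', 'example_dismiss_notice_checked' );

// The nonce only helps if the legitimate page can send it: hand it to the
// admin script together with the endpoint URL.
function example_enqueue_admin_script() {
	wp_enqueue_script( 'example-admin', plugins_url( 'example-admin.js', __FILE__ ), array( 'jquery' ), '1.0.0', true );
	wp_localize_script( 'example-admin', 'exampleAdmin', array(
		'ajax_url' => admin_url( 'admin-ajax.php' ),
		'security' => wp_create_nonce( 'example_dismiss_notice' ),
	) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );

/*
 * wc_ajax_* hooks (WooCommerce's ?wc-ajax= endpoint) fire for anonymous
 * visitors too, so a handler on that hook that renders shortcodes must
 * authorise the caller and must not hand raw input to do_shortcode.
 */
function example_render_shortcode_preview() {
	// Anonymous callers have no capabilities, so this also rejects them.
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}
	check_ajax_referer( 'example_preview', 'security' );

	$raw = isset( $_POST['shortcode'] ) ? trim( wp_unslash( $_POST['shortcode'] ) ) : '';

	// Accept exactly one shortcode from this plugin's own tags; anything else
	// (other plugins' shortcodes, HTML, surrounding text) is rejected before
	// do_shortcode ever sees it.
	$own_tags = array( 'example_button' );
	if ( '' === $raw || ! preg_match( '/^' . get_shortcode_regex( $own_tags ) . '$/s', $raw ) ) {
		wp_send_json_error( array( 'message' => 'unsupported shortcode' ), 400 );
	}

	wp_send_json_success( array( 'html' => do_shortcode( $raw ) ) );
}
add_action( 'wc_ajax_example_preview', 'example_render_shortcode_preview' );
```

Step 1 is the check whose absence produced the 2025 CSRF class of bug, step 2 the one behind the 2022 Missing Authorization class. The order matters less than having both: a nonce alone does not stop a low-privileged logged-in user, and a capability check alone does not stop a forged request riding on an administrator's session. The shortcode preview uses `get_shortcode_regex()` with an explicit tag list so that validation is an allow-list on the whole input, not a cleanup of it.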
Vulnerabilities
2

YITH PayPal Express Checkout for WooCommerce Security Vulnerabilities

CVEs by Year

2022: 1 CVE (patched)
2025: 1 CVE (patched)

Severity Breakdown

High: 1
Medium: 1

2 total CVEs

CVE-2025-48111 (medium, CVSS 4.3): Cross-Site Request Forgery (CSRF)

YITH PayPal Express Checkout for WooCommerce <= 1.49.0 - Cross-Site Request Forgery

Jun 16, 2025; patched in 1.49.1 (10 days)

Missing Authorization (high, per the severity breakdown above; CVE identifier not listed on this page)

YITH plugins by YITHEMES <= (Various Versions) - Missing Authorization

Nov 11, 2022; patched in 1.20.1 (438 days)
Code Analysis
Analyzed Mar 16, 2026

YITH PayPal Express Checkout for WooCommerce Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (9 prepared)
Unescaped Output: 90 (1506 escaped)
Nonce Checks: 17
Capability Checks: 16
File Operations: 0
External Requests: 8
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

100% prepared, 9 total queries

Output Escaping

94% escaped, 1596 total outputs
Data Flows
1 unsanitized

Data Flow Analysis

14 flows, 1 with unsanitized paths

Sink: do_shortcode (plugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:279)
Attack Surface
1 unprotected

YITH PayPal Express Checkout for WooCommerce Attack Surface

Entry Points: 6
Unprotected: 1

AJAX Handlers: 6

wp_ajax_yith_paypal_ec_dismiss_notice_message (auth) @ includes\class.yith-paypal-ec.php:106
wp_ajax_yith_plugin_fw_gutenberg_do_shortcode (auth) @ plugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:63
wp_ajax_yith_plugin_fw_save_toggle_element_metabox (auth) @ plugin-fw\includes\class-yit-metabox.php:86
wp_ajax_yith_plugin_fw_save_toggle_element (auth) @ plugin-fw\includes\class-yit-plugin-panel.php:138
wp_ajax_yith_bh_onboarding (auth) @ plugin-fw\includes\class-yith-bh-onboarding.php:37
wp_ajax_yith_create_log_file (auth) @ plugin-fw\includes\class-yith-system-status.php:101
WordPress Hooks: 149

action admin_menu @ includes\class.yith-paypal-ec-admin.php:72
action yith_paypal_ec_settings_tab @ includes\class.yith-paypal-ec-admin.php:73
action admin_enqueue_scripts @ includes\class.yith-paypal-ec-admin.php:76
filter yith_show_plugin_row_meta @ includes\class.yith-paypal-ec-admin.php:80
action wp_enqueue_scripts @ includes\class.yith-paypal-ec-frontend.php:64
action woocommerce_proceed_to_checkout @ includes\class.yith-paypal-ec-frontend.php:68
action woocommerce_after_add_to_cart_form @ includes\class.yith-paypal-ec-frontend.php:73
action wp_loaded @ includes\class.yith-paypal-ec-frontend.php:74
action wc_ajax_yith_paypal_ec_add_to_cart @ includes\class.yith-paypal-ec-frontend.php:75
action wc_ajax_yith_paypal_ec_cancelled_payment @ includes\class.yith-paypal-ec-frontend.php:76
filter the_title @ includes\class.yith-paypal-ec-frontend.php:79
filter script_loader_tag @ includes\class.yith-paypal-ec-frontend.php:81
action woocommerce_api_yith_paypal_ec @ includes\class.yith-paypal-ec-gateway.php:166
action woocommerce_order_status_on-hold_to_processing @ includes\class.yith-paypal-ec-gateway.php:177
action woocommerce_order_status_on-hold_to_completed @ includes\class.yith-paypal-ec-gateway.php:178
action woocommerce_order_status_on-hold_to_cancelled @ includes\class.yith-paypal-ec-gateway.php:179
action woocommerce_order_status_on-hold_to_refunded @ includes\class.yith-paypal-ec-gateway.php:180
action woocommerce_checkout_billing @ includes\class.yith-paypal-ec-gateway.php:182
action yith_paypal_ec_request_a_payment @ includes\class.yith-paypal-ec-gateway.php:187
action woocommerce_admin_order_totals_after_total @ includes\class.yith-paypal-ec-gateway.php:193
action woocommerce_api_yith_paypal_ec @ includes\class.yith-paypal-ec-ipn-handler.php:66
action yith_paypal_ec_valid_ipn_request @ includes\class.yith-paypal-ec-ipn-handler.php:67
filter woocommerce_payment_gateways @ includes\class.yith-paypal-ec.php:93
action admin_notices @ includes\class.yith-paypal-ec.php:105
filter allowed_redirect_hosts @ includes\class.yith-paypal-ec.php:108
action woocommerce_available_payment_gateways @ includes\class.yith-paypal-ec.php:111
action woocommerce_api_yith_paypal_ec @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions-gateway.php:166
action woocommerce_order_status_on-hold_to_processing @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions-gateway.php:177
action woocommerce_order_status_on-hold_to_completed @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions-gateway.php:178
action woocommerce_order_status_on-hold_to_cancelled @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions-gateway.php:179
action woocommerce_order_status_on-hold_to_refunded @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions-gateway.php:180
action woocommerce_checkout_billing @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions-gateway.php:182
action woocommerce_admin_order_totals_after_total @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions-gateway.php:186
filter woocommerce_payment_gateways @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions.php:62
filter yith_paypal_ec_setting_options @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions.php:64
filter yith_paypal_ec_needs_billing_agreements @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions.php:66
action yith_paypal_ec_process_order_payment_with_billing_agreement @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions.php:67
filter bluehost/subscriptions/max_failed_attemps_list @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions.php:69
filter bluehost/subscriptions/get_num_of_days_between_attemps @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions.php:70
filter bluehost/subscriptions/from_list @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions.php:71
action bluehost/subscriptions/renew_subscription @ includes\integrations\bh-subscriptions\class.yith-paypal-ec-bh-subscriptions.php:73
action bluehost/framework/plugins_loaded @ includes\integrations\class.yith-paypal-ec-integration.php:60
filter yith_paypal_ec_setting_options @ includes\integrations\class.yith-paypal-ec-subscription.php:59
filter yith_paypal_ec_needs_billing_agreements @ includes\integrations\class.yith-paypal-ec-subscription.php:61
action yith_paypal_ec_process_order_payment_with_billing_agreement @ includes\integrations\class.yith-paypal-ec-subscription.php:62
filter ywsbs_max_failed_attemps_list @ includes\integrations\class.yith-paypal-ec-subscription.php:64
filter ywsbs_get_num_of_days_between_attemps @ includes\integrations\class.yith-paypal-ec-subscription.php:65
filter ywsbs_from_list @ includes\integrations\class.yith-paypal-ec-subscription.php:66
action wp_loaded @ includes\integrations\class.yith-paypal-ec-subscription.php:69
action yith_paypal_ec_payment_renew_orders @ includes\integrations\class.yith-paypal-ec-subscription.php:70
action ywsbs_renew_subscription @ includes\integrations\class.yith-paypal-ec-subscription.php:73
action admin_notices @ init.php:68
action plugins_loaded @ init.php:82
action before_woocommerce_init @ init.php:95
action elementor/elements/categories_registered @ plugin-fw\includes\builders\elementor\class-yith-elementor.php:50
action elementor/editor/after_enqueue_styles @ plugin-fw\includes\builders\elementor\class-yith-elementor.php:52
action elementor/frontend/after_enqueue_styles @ plugin-fw\includes\builders\elementor\class-yith-elementor.php:53
action init @ plugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:60
action init @ plugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:61
action init @ plugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:62
action wc_ajax_yith_plugin_fw_gutenberg_do_shortcode @ plugin-fw\includes\builders\gutenberg\class-yith-gutenberg.php:64
action init @ plugin-fw\includes\class-yit-assets.php:47
action elementor/editor/before_enqueue_styles @ plugin-fw\includes\class-yit-assets.php:48
action admin_enqueue_scripts @ plugin-fw\includes\class-yit-assets.php:50
action init @ plugin-fw\includes\class-yit-assets.php:52
action should_load_block_editor_scripts_and_styles @ plugin-fw\includes\class-yit-assets.php:53
action admin_enqueue_scripts @ plugin-fw\includes\class-yit-icons.php:970
action wp_enqueue_scripts @ plugin-fw\includes\class-yit-icons.php:971
action add_meta_boxes @ plugin-fw\includes\class-yit-metabox.php:80
action save_post @ plugin-fw\includes\class-yit-metabox.php:81
action admin_enqueue_scripts @ plugin-fw\includes\class-yit-metabox.php:82
filter yit_icons_screen_ids @ plugin-fw\includes\class-yit-metabox.php:84
filter admin_body_class @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:93
action admin_init @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:94
action admin_menu @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:95
action admin_menu @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:96
action admin_bar_menu @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:97
action admin_enqueue_scripts @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:98
action admin_init @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:99
filter woocommerce_screen_ids @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:100
filter woocommerce_admin_settings_sanitize_option @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:102
action yith_plugin_fw_get_field_after @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:104
action admin_action_yith_plugin_fw_save_toggle_element @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:105
filter woocommerce_admin_settings_sanitize_option @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:106
action admin_enqueue_scripts @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:108
action admin_init @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:109
filter yith_plugin_fw_premium_landing_uri @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:112
action woocommerce_admin_field_boxinfo @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:126
action woocommerce_admin_field_yith-field @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:127
filter woocommerce_admin_settings_sanitize_option @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:129
action admin_menu @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:132
filter add_menu_classes @ plugin-fw\includes\class-yit-plugin-panel-woocommerce.php:134
filter admin_body_class @ plugin-fw\includes\class-yit-plugin-panel.php:121
action admin_init @ plugin-fw\includes\class-yit-plugin-panel.php:122
action admin_menu @ plugin-fw\includes\class-yit-plugin-panel.php:123
action admin_menu @ plugin-fw\includes\class-yit-plugin-panel.php:124
action admin_bar_menu @ plugin-fw\includes\class-yit-plugin-panel.php:125
action admin_init @ plugin-fw\includes\class-yit-plugin-panel.php:126
action admin_enqueue_scripts @ plugin-fw\includes\class-yit-plugin-panel.php:128
action admin_init @ plugin-fw\includes\class-yit-plugin-panel.php:129
filter yith_plugin_fw_premium_landing_uri @ plugin-fw\includes\class-yit-plugin-panel.php:132
action admin_enqueue_scripts @ plugin-fw\includes\class-yit-plugin-panel.php:137
action all_admin_notices @ plugin-fw\includes\class-yit-plugin-panel.php:242
action admin_footer @ plugin-fw\includes\class-yit-plugin-panel.php:243
filter parent_file @ plugin-fw\includes\class-yit-plugin-panel.php:245
filter submenu_file @ plugin-fw\includes\class-yit-plugin-panel.php:246
action admin_menu @ plugin-fw\includes\class-yit-plugin-panel.php:259
filter add_menu_classes @ plugin-fw\includes\class-yit-plugin-panel.php:260
filter removable_query_args @ plugin-fw\includes\class-yit-plugin-panel.php:261
action admin_enqueue_scripts @ plugin-fw\includes\class-yit-plugin-panel.php:1081
action admin_init @ plugin-fw\includes\class-yit-plugin-panel.php:1082
action admin_footer @ plugin-fw\includes\class-yit-plugin-panel.php:1213
action admin_init @ plugin-fw\includes\class-yit-plugin-subpanel.php:44
action admin_menu @ plugin-fw\includes\class-yit-plugin-subpanel.php:45
action admin_bar_menu @ plugin-fw\includes\class-yit-plugin-subpanel.php:46
action admin_init @ plugin-fw\includes\class-yit-plugin-subpanel.php:47
action admin_enqueue_scripts @ plugin-fw\includes\class-yit-plugin-subpanel.php:48
action admin_enqueue_scripts @ plugin-fw\includes\class-yit-pointers.php:118
action admin_init @ plugin-fw\includes\class-yit-pointers.php:119
action yith_bh_onboarding @ plugin-fw\includes\class-yith-bh-onboarding.php:36
action wp_dashboard_setup @ plugin-fw\includes\class-yith-dashboard.php:146
action admin_enqueue_scripts @ plugin-fw\includes\class-yith-dashboard.php:147
action admin_init @ plugin-fw\includes\class-yith-post-type-admin.php:65
action current_screen @ plugin-fw\includes\class-yith-post-type-admin.php:67
action edit_form_top @ plugin-fw\includes\class-yith-post-type-admin.php:70
action manage_posts_extra_tablenav @ plugin-fw\includes\class-yith-post-type-admin.php:119
action manage_posts_extra_tablenav @ plugin-fw\includes\class-yith-post-type-admin.php:120
action restrict_manage_posts @ plugin-fw\includes\class-yith-post-type-admin.php:122
filter request @ plugin-fw\includes\class-yith-post-type-admin.php:123
filter list_table_primary_column @ plugin-fw\includes\class-yith-post-type-admin.php:125
filter post_row_actions @ plugin-fw\includes\class-yith-post-type-admin.php:126
filter page_row_actions @ plugin-fw\includes\class-yith-post-type-admin.php:127
filter default_hidden_columns @ plugin-fw\includes\class-yith-post-type-admin.php:129
action disable_months_dropdown @ plugin-fw\includes\class-yith-post-type-admin.php:137
filter admin_body_class @ plugin-fw\includes\class-yith-system-status.php:95
action admin_menu @ plugin-fw\includes\class-yith-system-status.php:96
action admin_init @ plugin-fw\includes\class-yith-system-status.php:97
action admin_notices @ plugin-fw\includes\class-yith-system-status.php:98
action admin_enqueue_scripts @ plugin-fw\includes\class-yith-system-status.php:99
action init @ plugin-fw\includes\class-yith-system-status.php:100
filter yith_plugin_fw_privacy_guide_content @ plugin-fw\includes\privacy\class-yith-privacy-plugin-abstract.php:39
action admin_init @ plugin-fw\includes\privacy\class-yith-privacy.php:50
action plugins_loaded @ plugin-fw\init.php:94
filter extra_theme_headers @ plugin-fw\yit-functions.php:602
filter yit_title_special_characters @ plugin-fw\yit-functions.php:726
filter plugin_row_meta @ plugin-fw\yit-plugin.php:56
action admin_notices @ plugin-fw\yit-plugin.php:298
action plugins_loaded @ plugin-fw\yit-plugin.php:300
action shutdown @ plugin-fw\yit-woocommerce-compatibility.php:765

Scheduled Events 1

yith_paypal_ec_payment_renew_orders
Maintenance & Trust

YITH PayPal Express Checkout for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 6, 2026
PHP min version: 7.4
Downloads: 151K

Community Trust

Rating: 88/100
Number of ratings: 7
Active installs: 1K
Developer Profile

YITH PayPal Express Checkout for WooCommerce Developer Profile

YITHEMES

33 plugins · 1.1M total installs

Trust score: 77
Avg security score: 97/100
Avg patch time: 411 days
Detection Fingerprints

How We Detect YITH PayPal Express Checkout for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/yith-paypal-express-checkout-for-woocommerce/assets/js/yith-paypal-ec-admin.js
/wp-content/plugins/yith-paypal-express-checkout-for-woocommerce/assets/js/yith-paypal-ec-admin.min.js
Script Paths
js/yith-paypal-ec-admin.js
js/yith-paypal-ec-admin.min.js
Version Parameters
yith-paypal-express-checkout-for-woocommerce/assets/js/yith-paypal-ec-admin.js?ver=
yith-paypal-express-checkout-for-woocommerce/assets/js/yith-paypal-ec-admin.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
yith-paypal-ec-admin
HTML Comments
<!-- Plugin Framework Loader -->
<!-- YITH PayPal Express Checkout for WooCommerce -->
<!-- Exit if accessed directly -->
<!-- This file belongs to the YIT Framework. -->
(+5 more not shown on this page)
Note: "Exit if accessed directly" and "This file belongs to the YIT Framework." are header comments from the plugin's PHP source files, not markup the plugin writes into rendered pages, so they are only observable where PHP source is exposed rather than executed.
Data Attributes
data-yith_paypal_ec_admin
JS Globals
yith_paypal_ec_admin
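Worked example of turning the asset fingerprint above into a presence and version check, and of deciding whether a detected version falls in the range affected by CVE-2025-48111 (<= 1.49.0, fixed in 1.49.1). This is an added illustration, not the scanner's own code, and the HTML it parses is constructed. It assumes the `ver` query parameter carries the plugin version, which holds when the plugin passes its own version to `wp_enqueue_script` and fails on hosts that strip or rewrite `ver`. Because the listed script is the plugin's admin script, a page carrying it will normally be a wp-admin page; for an unauthenticated check the asset path can be requested directly, which confirms presence but not version.

```php
<?php
/**
 * Added fingerprinting example (not the scanner's code). Runs stand-alone on
 * PHP 7.4+:  php fingerprint.php
 */

const YPEC_ASSET         = 'yith-paypal-express-checkout-for-woocommerce/assets/js/yith-paypal-ec-admin';
const YPEC_CSRF_FIXED_IN = '1.49.1'; // CVE-2025-48111 affects <= 1.49.0

/** True when the plugin's admin script path appears anywhere in the page. */
function ypec_present( string $html ): bool {
	return false !== strpos( $html, YPEC_ASSET );
}

/**
 * Extract the plugin version from the ?ver= parameter on its admin script.
 * Returns null when no version parameter is present. Assumes ver carries the
 * plugin version rather than a host-side cache-buster.
 */
function ypec_version_from_html( string $html ): ?string {
	$asset = preg_quote( YPEC_ASSET, '~' );
	// Match the .js or .min.js variant and capture a dotted numeric version.
	if ( preg_match( '~' . $asset . '(?:\.min)?\.js\?ver=([0-9]+(?:\.[0-9]+)*)~', $html, $m ) ) {
		return $m[1];
	}
	return null;
}

/** Whether a detected version is inside the CSRF advisory's affected range. */
function ypec_csrf_affected( string $version ): bool {
	return version_compare( $version, YPEC_CSRF_FIXED_IN, '<' );
}

/** Direct probe URL for when no page carrying the script is available. */
function ypec_probe_url( string $site ): string {
	return rtrim( $site, '/' ) . '/wp-content/plugins/' . YPEC_ASSET . '.min.js';
}

/** One-page assessment: presence, version (if visible), CVE-2025-48111 exposure. */
function ypec_assess( string $html ): array {
	if ( ! ypec_present( $html ) ) {
		return array( 'detected' => false, 'version' => null, 'csrf_affected' => null );
	}
	$version = ypec_version_from_html( $html );
	return array(
		'detected'      => true,
		'version'       => $version,
		// null means "present, but version unknown": treat as unverified, not safe.
		'csrf_affected' => null === $version ? null : ypec_csrf_affected( $version ),
	);
}

// Constructed sample: a wp-admin page that enqueues the plugin's admin script.
$ypec_sample = '<script src="https://shop.example/wp-content/plugins/'
	. 'yith-paypal-express-checkout-for-woocommerce/assets/js/yith-paypal-ec-admin.min.js?ver=1.49.0"'
	. ' id="yith-paypal-ec-admin-js"></script>';

if ( PHP_SAPI === 'cli' ) {
	print_r( ypec_assess( $ypec_sample ) );
	echo ypec_probe_url( 'https://shop.example/' ), PHP_EOL;
}
```

`version_compare` is used rather than string comparison so that 1.49.0 sorts below 1.49.1 and 1.56.0 sorts above both; a plain string compare would mis-order versions such as 1.9.0 and 1.10.0. The three-state `csrf_affected` (true, false, null) keeps "present but version unknown" distinct from "not affected", which matters when a host strips `ver`.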
FAQ

Frequently Asked Questions about YITH PayPal Express Checkout for WooCommerce