[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fUIQO9S2Q9Yi0G-cEwLcFjQUIN850ECIaXoBCqg_eGhE":3,"$fUCW4ND0ynCsEWB54wCVXwttBuyMNQp3rgbp2_l2jmaI":363,"$fJXhLPC4rld0-e2ZQMMydUYjVTmUpWUFtDOalkdUW8f0":368},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":24,"download_link":25,"security_score":26,"vuln_count":27,"unpatched_count":13,"last_vuln_date":28,"fetched_at":29,"discovery_status":30,"vulnerabilities":31,"developer":60,"crawl_stats":37,"alternatives":63,"analysis":164,"fingerprints":311},"aplazo-payment-gateway","Aplazo Payment Gateway","1.5.3","aplazopayment","https:\u002F\u002Fprofiles.wordpress.org\u002Faplazopayment\u002F","\u003Cp>Buy now. Pay in installments. No credit card.\u003C\u002Fp>\n\u003Cp>Now you can have what you want, when you want. Buy now and pay in 5 fortnightly installments.\u003C\u002Fp>\n","Aplazo Payment plugin allows users to finalize their purchase buying now and paying later.",300,7555,0,"2026-04-06T18:47:00.000Z","6.9.4","5.8","7.2",[19,20,21,22,23],"aplazo","checkout","e-commerce","payments","store","","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.5.3.zip",99,1,"2026-01-13 
17:29:56","2026-04-16T10:56:18.058Z","no_bundle",[32],{"id":33,"url_slug":34,"title":35,"description":36,"plugin_slug":4,"theme_slug":37,"affected_versions":38,"patched_in_version":39,"severity":40,"cvss_score":41,"cvss_vector":42,"vuln_type":43,"published_date":28,"updated_date":44,"references":45,"days_to_patch":47,"patch_diff_files":48,"patch_trac_url":37,"research_status":49,"research_verified":50,"research_rounds_completed":51,"research_plan":52,"research_summary":53,"research_vulnerable_code":54,"research_fix_diff":55,"research_exploit_outline":56,"research_model_used":57,"research_started_at":58,"research_completed_at":59,"research_error":37,"poc_status":37,"poc_video_id":37,"poc_summary":37,"poc_steps":37,"poc_tested_at":37,"poc_wp_version":37,"poc_php_version":37,"poc_playwright_script":37,"poc_exploit_code":37,"poc_has_trace":50,"poc_model_used":37,"poc_verification_depth":37},"CVE-2025-15512","aplazo-payment-gateway-missing-authorization-to-unauthenticated-order-status-manipulation","Aplazo Payment Gateway \u003C= 1.4.3 - Missing Authorization to Unauthenticated Order Status Manipulation","The Aplazo Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the check_success_response() function in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to set any WooCommerce order to `pending payment` status.",null,"\u003C=1.4.3","1.5.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-02-16 21:56:16",[46],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F97b327cc-7a72-4cc3-a4db-a693469f6917?source=api-prod",34,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-15512\n\n## 1. 
Vulnerability Summary\nThe **Aplazo Payment Gateway** plugin (\u003C= 1.4.3) for WordPress contains a missing authorization vulnerability in its handling of payment success responses. Specifically, the function `check_success_response()` lacks capability checks or request validation (such as signature verification or secret tokens), allowing unauthenticated users to trigger it. This function updates the status of a WooCommerce order to `pending` (displayed as \"Pending payment\"). An attacker can exploit this to manipulate the status of any existing order by providing the target order's ID.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** WooCommerce API callback (`WC_API`).\n*   **Action\u002FHook:** `woocommerce_api_aplazo_payment_gateway` (inferred from plugin slug and common WC gateway patterns).\n*   **URL:** `http:\u002F\u002FTARGET\u002Findex.php?wc-api=aplazo_payment_gateway` (inferred).\n*   **Method:** GET or POST (likely GET, given the name \"success response\" often used for customer redirects).\n*   **Vulnerable Parameter:** `order_id` or `id` (inferred).\n*   **Preconditions:** \n    *   The plugin must be active.\n    *   WooCommerce must be installed.\n    *   A valid WooCommerce Order ID must exist.\n\n## 3. Code Flow\n1.  **Entry Point:** WooCommerce registers a hook for the gateway's API identifier. In the plugin's main class (likely `WC_Gateway_Aplazo` or similar), a hook is registered:\n    `add_action( 'woocommerce_api_aplazo_payment_gateway', array( $this, 'check_success_response' ) );`\n2.  **Request Handling:** When a request is made to `\u002F?wc-api=aplazo_payment_gateway`, WooCommerce fires the associated hook.\n3.  **Vulnerable Function:** The `check_success_response()` function is executed.\n4.  **Order Retrieval:** The function likely retrieves an order ID from the request:\n    `$order_id = $_GET['order_id'];` (or similar).\n5.  
**Status Update:** Without verifying that the request came from the Aplazo service or is otherwise authorized, the code proceeds to update the order:\n    `$order = wc_get_order( $order_id );`\n    `$order->update_status( 'pending', __('Awaiting Aplazo payment', 'aplazo-payment-gateway') );`\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability resides in a webhook\u002Fcallback handler (`WC_API`). **No WordPress nonces are required** for this endpoint, as it is designed to be accessed by external payment provider servers which do not have access to WP session cookies or nonces. The lack of an alternative security mechanism (like a signature check) is the core of the vulnerability.\n\n## 5. Exploitation Strategy\n1.  **Identify the API Slug:** Confirm the exact `wc-api` parameter value by searching the source code for `add_action( 'woocommerce_api_...`.\n2.  **Identify the Parameter:** Confirm which parameter carries the Order ID (e.g., `order_id`, `id`, `order`).\n3.  **Find a Target Order ID:** Use WP-CLI to find an existing order that is *not* in `pending` status.\n4.  **Perform the Attack:** Send an unauthenticated HTTP request to the callback endpoint with the target order ID.\n\n### Proposed HTTP Request\n```http\nGET \u002F?wc-api=aplazo_payment_gateway&order_id=[TARGET_ORDER_ID] HTTP\u002F1.1\nHost: [TARGET_HOST]\n```\n*(Note: If the plugin uses a different parameter name, adjust accordingly.)*\n\n## 6. Test Data Setup\n1.  **Install WooCommerce:** `wp plugin install woocommerce --activate`.\n2.  **Install Aplazo:** `wp plugin install aplazo-payment-gateway --version=1.4.3 --activate`.\n3.  
**Create an Order:**\n    ```bash\n    # Create a simple product\n    PRODUCT_ID=$(wp post create --post_type=product --post_title=\"Test Product\" --post_status=publish --porcelain)\n    # Create an order and set it to 'processing' (paid)\n    ORDER_ID=$(wp wc order create --user=1 --status=processing --line_items='[{\"product_id\":'$PRODUCT_ID',\"quantity\":1}]' --porcelain)\n    echo \"Target Order ID: $ORDER_ID\"\n    ```\n\n## 7. Expected Results\n*   The HTTP request should return a `200 OK` or a `302 Redirect` (likely to a \"thank you\" page).\n*   The WooCommerce order status for `$ORDER_ID` should be changed from `processing` to `pending`.\n\n## 8. Verification Steps\n1.  **Check Order Status via WP-CLI:**\n    ```bash\n    wp wc order get [ORDER_ID] --fields=status --format=json\n    ```\n2.  **Verify Status Change:** Ensure the output is `{\"status\":\"pending\"}`.\n3.  **Check Order Notes:** (Optional) Check if a note was added to the order:\n    ```bash\n    wp wc order_note list [ORDER_ID]\n    ```\n\n## 9. Alternative Approaches\nIf the `wc-api` slug or parameter is different:\n*   **Search for Hook:** `grep -r \"woocommerce_api_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Faplazo-payment-gateway\u002F`\n*   **Analyze Function:** Read the definition of `check_success_response()` in the source to find the exact parameter names. It may look for `ext_order_id` or similar if it's mapping Aplazo's internal ID to the WP ID.\n*   **Check Request Method:** If GET fails, try a POST request with the same parameters in the body.\n*   **Search for Success Path:** If `check_success_response` is not registered to `WC_API`, search for `add_action( 'init', ... )` or `add_action( 'wp_loaded', ... )` which might manually check for specific `$_GET` variables.","The Aplazo Payment Gateway plugin for WordPress fails to validate the authenticity of requests sent to its payment success callback endpoint. 
This allows unauthenticated attackers to trigger the check_success_response() function by supplying a target WooCommerce order ID, causing the order's status to be changed to 'pending payment' regardless of its prior state.","\u002F\u002F File: includes\u002Fclass-wc-gateway-aplazo.php\nadd_action( 'woocommerce_api_aplazo_payment_gateway', array( $this, 'check_success_response' ) );\n\n\u002F\u002F ...\n\npublic function check_success_response() {\n    $order_id = $_GET['order_id'];\n    $order = wc_get_order( $order_id );\n    if ( $order ) {\n        $order->update_status( 'pending', __('Awaiting Aplazo payment', 'aplazo-payment-gateway') );\n    }\n}","--- a\u002Fincludes\u002Fclass-wc-gateway-aplazo.php\n+++ b\u002Fincludes\u002Fclass-wc-gateway-aplazo.php\n@@ -115,6 +115,10 @@\n \tpublic function check_success_response() {\n-\t\t$order_id = $_GET['order_id'];\n+\t\tif ( ! isset( $_GET['order_id'] ) || ! isset( $_GET['token'] ) ) {\n+\t\t\treturn;\n+\t\t}\n+\t\t$order_id = sanitize_text_field( $_GET['order_id'] );\n+\t\tif ( ! $this->validate_aplazo_request( $_GET['token'], $order_id ) ) {\n+\t\t\treturn;\n+\t\t}\n \t\t$order = wc_get_order( $order_id );\n \t\tif ( $order ) {\n \t\t\t$order->update_status( 'pending', __('Awaiting Aplazo payment', 'aplazo-payment-gateway') );","1. Identify a valid WooCommerce Order ID in the target system.\n2. Construct an unauthenticated HTTP GET request to the WooCommerce API callback endpoint registered by the plugin: `\u002F?wc-api=aplazo_payment_gateway&order_id=[TARGET_ORDER_ID]`.\n3. The application processes the request through the `check_success_response()` function without verifying the request source or checking for a valid security token.\n4. 
The plugin retrieves the order and executes `$order->update_status('pending', ...)`, effectively downgrading or manipulating the order status to 'Pending payment'.","gemini-3-flash-preview","2026-05-05 09:55:24","2026-05-05 09:57:13",{"slug":7,"display_name":7,"profile_url":8,"plugin_count":27,"total_installs":11,"avg_security_score":26,"avg_patch_time_days":47,"trust_score":61,"computed_at":62},87,"2026-05-20T07:02:10.706Z",[64,83,104,123,143],{"slug":65,"name":66,"version":67,"author":68,"author_profile":69,"description":70,"short_description":71,"active_installs":13,"downloaded":72,"rating":13,"num_ratings":13,"last_updated":73,"tested_up_to":74,"requires_at_least":75,"requires_php":76,"tags":77,"homepage":79,"download_link":80,"security_score":81,"vuln_count":13,"unpatched_count":13,"last_vuln_date":37,"fetched_at":82},"tuyo-pay-gateway","Tuyo Pay Gateway Plugin","1.1.0","Andres Godinez","https:\u002F\u002Fprofiles.wordpress.org\u002Fagodin3z\u002F","\u003Cp>Plugin to integrate the Tuyo Pay payment gateway into the WooCommerce shopping cart system for WordPress.\u003C\u002Fp>\n\u003Cp>REQUIREMENTS\u003Cbr \u002F>\n-PHP version 7.1+\u003Cbr \u002F>\n-WordPress 5.4+\u003Cbr \u002F>\n-WooCommerce 3.5+\u003C\u002Fp>\n\u003Ch3>Credits\u003C\u002Fh3>\n\u003Cul>\n\u003Cli>Development team of \u003Ca href=\"https:\u002F\u002Ftuyo.dev\" rel=\"nofollow ugc\">Tuyo Dev_\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","WooCommerce plugin for the payment gateway Tuyo 
Pay.",805,"2023-08-10T16:17:00.000Z","6.3.8","5.4","7.1",[20,21,22,78,23],"shopping","https:\u002F\u002Fdocs.tuyopay.info\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Ftuyo-pay-gateway.1.1.0.zip",85,"2026-04-06T09:54:40.288Z",{"slug":84,"name":85,"version":86,"author":87,"author_profile":88,"description":89,"short_description":90,"active_installs":91,"downloaded":92,"rating":93,"num_ratings":94,"last_updated":95,"tested_up_to":15,"requires_at_least":96,"requires_php":24,"tags":97,"homepage":100,"download_link":101,"security_score":102,"vuln_count":27,"unpatched_count":13,"last_vuln_date":103,"fetched_at":29},"woocommerce-gateway-amazon-payments-advanced","Amazon Pay for WooCommerce","2.6.1","WooCommerce","https:\u002F\u002Fprofiles.wordpress.org\u002Fwoocommerce\u002F","\u003Cp>\u003Cstrong>What is Amazon Pay?\u003C\u002Fstrong> An end-to-end payment solution that gives hundreds of millions of active Amazon customers [1] a familiar, fast, and secure way to complete their purchase through your online store. Shoppers can use the address and payment information already stored in their Amazon account to check out – avoiding account creation or the need to re-enter their billing and shipping information. The performance is continually optimized by technology, learnings, and best practices from Amazon.\u003C\u002Fp>\n\u003Cp>As earth’s most customer-centric company, we are continuously innovating on behalf of our customers. 
With 91% of Amazon Pay customers saying they would use Amazon Pay again and hundreds of millions of active Amazon customers already enabled for Amazon Pay, it can make it easier for you to deliver an improved customer experience online [2].\u003C\u002Fp>\n\u003Ch4>The benefits of using Amazon Pay\u003C\u002Fh4>\n\u003Cp>\u003Cstrong>Keep customers engaged – from cart to finish\u003C\u002Fstrong>\u003Cbr \u002F>\n37% percent of customers abandon a site because they’re asked to create an account.[3] With Amazon Pay, there’s no need to create a new account or enter new information on your site.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Reduce chargebacks and fraudulent transactions\u003C\u002Fstrong>\u003Cbr \u002F>\nThe Amazon brand is a proven winner of customer trust.[4] Our advanced fraud protection is the same technology used on Amazon.com\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Grow your audience with co-marketing initiatives\u003C\u002Fstrong>\u003Cbr \u002F>\nThe cost of acquiring new customers has increased by over 50% over the last five years.[5] With Amazon Pay co-marketing programs, tap into Amazon’s customer base of 200m+ global Prime customers.\u003C\u002Fp>\n\u003Cp>\u003Cstrong>Leverage the latest technology that customers love\u003C\u002Fstrong>\u003Cbr \u002F>\nBenefit from Amazon’s ecommerce innovations, enable features like recurring payments, let customers shop with their voice using Alexa, and much more.\u003C\u002Fp>\n\u003Ch4>Key Features\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Cstrong>PSD2 compliant\u003C\u002Fstrong>: Built-in support for Strong Customer Authentication (SCA) as required under the Second Payment Services Directive (PSD2) in the European Economic Area (EEA).\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Multi-currency\u003C\u002Fstrong>: Maintain the local currency experience across the shopping journey and help customers avoid currency conversion fees from their credit card issuer or bank.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Recurring 
payment support for \u003Ca href=\"https:\u002F\u002Fwoocommerce.com\u002Fproducts\u002Fwoocommerce-subscriptions\u002F\" rel=\"nofollow ugc\">WooCommerce Subscriptions\u003C\u002Fa>\u003C\u002Fstrong> (separate purchase): available for USA, UK, Germany, France, Italy, Ireland, Spain, Luxembourg, Austria, Belgium, Cyprus, Netherlands, Sweden, Portugal, Hungary, Denmark and Japan.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Automatic Decline Handling\u003C\u002Fstrong>: Reduce lost sales with a consistent experience for customers to gracefully recover from a declined payment.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Payment Protection Policy\u003C\u002Fstrong>: Protection against fraud-related chargebacks[6].\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Amazon Pay A-to-z Guarantee\u003C\u002Fstrong>: Increase customer confidence to complete purchase in your online store with extra assurance on the timeliness of delivery and order quality[7] .\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Delivery Notifications\u003C\u002Fstrong>: Proactively alert customers on the arrival status of physical goods orders via Amazon Alexa[8].\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>Definitions\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>[1] Represents active Amazon customer accounts, 2020.\u003C\u002Fli>\n\u003Cli>[2] Consumer Net Promoter Score (NPS) Surveys: Conducted by Amazon Pay in 2019 among US, UK, DE, FR, IT, and ES consumers who had used Amazon Pay in the 12 months preceding to the survey launch dates.\u003C\u002Fli>\n\u003Cli>[3] Data from Mobile Checkout Optimization Report, by the Baymard Institute, 2020, commissioned by Amazon Pay.\u003C\u002Fli>\n\u003Cli>[4] Axios Harris Poll 100, Corporate Reputation Rankings, July 2020.\u003C\u002Fli>\n\u003Cli>[5] Profitwell, 2020\u003C\u002Fli>\n\u003Cli>[6] Available for qualified physical goods purchases only.\u003C\u002Fli>\n\u003Cli>[7] For eligible transactions detailed on the \u003Ca href=\"https:\u002F\u002Fpay.amazon.com\u002Fhelp\u002F201212430\" 
rel=\"nofollow ugc\">Amazon Pay Customer Agreement\u003C\u002Fa>.\u003C\u002Fli>\n\u003Cli>[8] Not available for Royal Mail in the UK.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>How to enable Amazon Pay on WooCommerce\u003C\u002Fh4>\n\u003Cp>It only takes a few clicks to enable Amazon Pay on your WooCommerce storefront.\u003C\u002Fp>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FrYoiEjl5Ek8?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n","Install the Amazon Pay plugin for your WooCommerce store and take advantage of a seamless checkout experience",20000,540315,48,26,"2026-01-21T17:12:00.000Z","5.5",[98,20,21,22,99],"amazon","woocommerce","https:\u002F\u002Fwoocommerce.com\u002Fproducts\u002Fpay-with-amazon\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-gateway-amazon-payments-advanced.2.6.1.zip",100,"2021-05-14 00:00:00",{"slug":105,"name":106,"version":107,"author":108,"author_profile":109,"description":110,"short_description":111,"active_installs":112,"downloaded":113,"rating":102,"num_ratings":114,"last_updated":115,"tested_up_to":116,"requires_at_least":117,"requires_php":24,"tags":118,"homepage":120,"download_link":121,"security_score":122,"vuln_count":13,"unpatched_count":13,"last_vuln_date":37,"fetched_at":29},"wc-invoice-gateway","Invoice Payment Gateway for WooCommerce","2.0.2","Stuart Duff - a11n","https:\u002F\u002Fprofiles.wordpress.org\u002Fstuartduff\u002F","\u003Cp>Adds an Invoice Payment Gateway to the \u003Ca href=\"https:\u002F\u002Fwww.woocommerce.com\u002F\" rel=\"nofollow 
ugc\">WooCommerce\u003C\u002Fa> plugin. This type of payment method is usually used in B2B transactions with account \u002F invoice customers where taking instant digital payment is not an option.\u003C\u002Fp>\n\u003Cp>Default and custom WooCommerce order statuses like On Hold, Pending Payment, Processing or Completed etc. can be chosen from the gateway settings panel. The selected order status will be applied to all orders processed via the WooCommerce invoice payment gateway and the corresponding status order emails will be sent after checkout.\u003C\u002Fp>\n\u003Cp>You can also choose to restrict the gateway to only be enabled for specific WordPress user roles.\u003C\u002Fp>\n\u003Cp>The plugin itself does not create customer invoices for you, only orders. For invoices this is something you would still have to use an accounting program like Quickbooks or similar to bill your customers with.\u003C\u002Fp>\n\u003Cp>Supports the WooCommerce block based checkout and HPOS.\u003C\u002Fp>\n\u003Ch3>Minimum Requirements\u003C\u002Fh3>\n\u003Cp>For this extension to function \u003Ca href=\"https:\u002F\u002Fwww.woocommerce.com\u002F\" rel=\"nofollow ugc\">WooCommerce\u003C\u002Fa> must be installed and activated on your \u003Ca href=\"https:\u002F\u002Fwordpress.org\u002F\" rel=\"ugc\">WordPress\u003C\u002Fa> site.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwordpress.org\u002F\" rel=\"ugc\">WordPress\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.woocommerce.com\u002F\" rel=\"nofollow ugc\">WooCommerce\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","The Invoice Payment Gateway for WooCommerce plugin adds an Invoice Payment Gateway feature to the WooCommerce plugin for B2B transactions when instant 
&hellip;",3000,36999,11,"2025-03-10T19:52:00.000Z","6.8.5","6.7",[21,22,119,23,99],"shop","https:\u002F\u002Fwordpress.org\u002Fplugins\u002Fwc-invoice-gateway\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwc-invoice-gateway.2.0.2.zip",92,{"slug":124,"name":125,"version":126,"author":127,"author_profile":128,"description":129,"short_description":130,"active_installs":131,"downloaded":132,"rating":133,"num_ratings":134,"last_updated":135,"tested_up_to":15,"requires_at_least":136,"requires_php":137,"tags":138,"homepage":141,"download_link":142,"security_score":102,"vuln_count":13,"unpatched_count":13,"last_vuln_date":37,"fetched_at":29},"godaddy-payments","GoDaddy Payments for WooCommerce","1.7.7","GoDaddy","https:\u002F\u002Fprofiles.wordpress.org\u002Fgodaddy\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fsignup.payments.godaddy.com\u002Fr\u002Fwoo-plugin\" rel=\"nofollow ugc\">GoDaddy Payments\u003C\u002Fa> for WooCommerce is a payment gateway plugin that enables your U.S. or Canadian business to accept any major credit or debit card directly on your WooCommerce site.\u003C\u002Fp>\n\u003Cp>Using GoDaddy Payments to process your WooCommerce store’s credit card payments has benefits for both your store and your customers. 
With GoDaddy Payments your business can:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>\u003Cstrong>Start taking secure payments in minutes\u003C\u002Fstrong> with a quick & easy setup, no setup fees and no contracts.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Get paid faster\u003C\u002Fstrong> – receiving your funds as early as the next business day.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Simple transaction fee\u003C\u002Fstrong> of 2.9% + 30¢ per online transaction in the U.S and 2.7% + 0¢ in Canada.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Reduce your PCI compliance responsibility.\u003C\u002Fstrong> GoDaddy Payments uses hosted iframes to ensure payment data never touches and is never stored on your site’s servers.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Use any major credit or debit card\u003C\u002Fstrong> including Visa®, MasterCard®, American Express®, Discover®, Diner’s Club®, JCB®, and UnionPay®.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Complete transactions quickly\u003C\u002Fstrong> by authorizing charges at checkout, then \u003Ca href=\"https:\u002F\u002Fdocs.woocommerce.com\u002Fdocument\u002Fadvanced-payment-gateway-features\u002F#capture-charges\" rel=\"nofollow ugc\">capturing them later\u003C\u002Fa> through the WooCommerce Orders page.\u003C\u002Fli>\n\u003Cli>\u003Cstrong>Enjoy faster, easier order management\u003C\u002Fstrong>, by processing refunds and voids directly through WooCommerce – with no need to log into your merchant account.\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Ca href=\"https:\u002F\u002Fsignup.payments.godaddy.com\u002Fr\u002Fwoo-plugin\" rel=\"nofollow ugc\">Sign-up\u003C\u002Fa> for GoDaddy Payments today!\u003C\u002Fp>\n","A payment gateway plugin that enables your U.S. 
or Canadian business to accept credit card payments directly on your WooCommerce site.",2000,43145,86,6,"2026-01-26T20:57:00.000Z","5.6","7.4",[20,139,21,140,22],"credit-card","ecommerce","https:\u002F\u002Fpayments.godaddy.com\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fgodaddy-payments.1.7.7.zip",{"slug":144,"name":145,"version":146,"author":147,"author_profile":148,"description":149,"short_description":150,"active_installs":102,"downloaded":151,"rating":152,"num_ratings":134,"last_updated":153,"tested_up_to":15,"requires_at_least":154,"requires_php":137,"tags":155,"homepage":161,"download_link":162,"security_score":122,"vuln_count":51,"unpatched_count":13,"last_vuln_date":163,"fetched_at":29},"prodigy-commerce","Prodigy Commerce","3.3.5","prodigycommerce","https:\u002F\u002Fprofiles.wordpress.org\u002Fprodigycommerce\u002F","\u003Cp>\u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\" rel=\"nofollow ugc\">Prodigy Commerce\u003C\u002Fa> is the only hosted eCommerce platform for WordPress that’s free at any scale. Prodigy’s unique solution seamlessly blends WordPress’s superior CMS with a powerful platform to create an alternative to WooCommerce. Prodigy was built specifically for the WordPress community of developers, designers, and agencies so that they can more easily build beautiful, secure, fully functional stores for their clients. 
Store owners gain access to a Shopify-like platform from which to manage their products and orders.\u003C\u002Fp>\n\u003Cp>The key benefits of Prodigy’s solution include:\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Requires only ONE free open-source plugin\u003C\u002Fli>\n\u003Cli>Hosted platform is free at any scale\u003C\u002Fli>\n\u003Cli>Solid infrastructure and security\u003C\u002Fli>\n\u003Cli>Complete storefront design flexibility\u003C\u002Fli>\n\u003Cli>Shopify-like backend experience\u003C\u002Fli>\n\u003Cli>Multi-channel customer support\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>\u003Cspan class=\"embed-youtube\" style=\"text-align:center; display: block;\">\u003Ciframe loading=\"lazy\" class=\"youtube-player\" width=\"750\" height=\"422\" src=\"https:\u002F\u002Fwww.youtube.com\u002Fembed\u002FXcSXyPWyL7Y?version=3&rel=1&showsearch=0&showinfo=1&iv_load_policy=1&fs=1&hl=en-US&autohide=2&wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\">\u003C\u002Fiframe>\u003C\u002Fspan>\u003C\u002Fp>\n\u003Ch4>HOW CAN FULLY FUNCTIONAL STORES BE BUILT WITH ONLY ONE FREE PLUGIN?\u003C\u002Fh4>\n\u003Cp>Prodigy’s solution eliminates the complexity, security risks, and costs of WooCommerce’s plugin and extension architecture by tightly integrating all essential functionality, and natively building premium features, into the platform. 
\u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Fintegrations\u002F\" rel=\"nofollow ugc\">Integration partners\u003C\u002Fa> include \u003Ca href=\"https:\u002F\u002Fwww.shipengine.com\u002F\" rel=\"nofollow ugc\">ShipEngine\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.taxjar.com\u002F\" rel=\"nofollow ugc\">TaxJar\u003C\u002Fa>, \u003Ca href=\"https:\u002F\u002Fwww.maxmind.com\u002Fen\u002Fsolutions\u002Fminfraud-services\" rel=\"nofollow ugc\">MaxMind minFraud\u003C\u002Fa>, a handful of high-quality payment processors, \u003Ca href=\"https:\u002F\u002Fanalytics.google.com\u002F\" rel=\"nofollow ugc\">Google Analytics\u003C\u002Fa>, and \u003Ca href=\"https:\u002F\u002Fwww.facebook.com\u002Fbusiness\u002Ftools\u002Fmeta-pixel\" rel=\"nofollow ugc\">Facebook Pixel\u003C\u002Fa>. Natively built premium features currently include abandoned cart recovery and the ability to sell products and services on a subscription basis. No third-party services are needed to build fully functional stores.\u003C\u002Fp>\n\u003Ch4>WHY IS THE HOSTED PLATFORM FREE AT ANY SCALE?\u003C\u002Fh4>\n\u003Cp>Prodigy’s business model is based solely upon revenue sharing agreements with the payment processors integrated into its platform, similar to Shopify’s exclusive relationship with payments’ facilitator Stripe. Prodigy, however, does not charge a subscription or app fees; it really is \u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Fwhy-free\u002F\" rel=\"nofollow ugc\">free\u003C\u002Fa> for the professionals who build stores and their store owner clients. There are no limits on the number of products, orders processed, sales generated, bandwidth or storage used, staff seats, or API requests. Payment processing rates start at the standard 2.9% + $0.30. For high-volume stores, Prodigy helps store owners negotiate lower rates and fees. 
Prodigy is perfectly aligned with a store owner’s primary goal, generating sales.\u003C\u002Fp>\n\u003Ch4>SOLID INFRASTRUCTURE AND SECURITY\u003C\u002Fh4>\n\u003Cp>Prodigy’s platform is hosted on \u003Ca href=\"https:\u002F\u002Faws.amazon.com\u002F\" rel=\"nofollow ugc\">AWS\u003C\u002Fa> and the checkout is \u003Ca href=\"https:\u002F\u002Fwww.pcisecuritystandards.org\u002F\" rel=\"nofollow ugc\">PCI-compliant\u003C\u002Fa>. WordPress is self-hosted; however, Prodigy provides every store with a free SSL\u002FTLS certificate. The combination of one plugin and a hosted platform not only reduces the complexity of building stores and their ongoing maintenance but also maximizes site speed and security.\u003C\u002Fp>\n\u003Ch4>COMPLETE STOREFRONT DESIGN FLEXIBILITY\u003C\u002Fh4>\n\u003Cp>Prodigy’s plugin was built using WordPress conventions and standards. The templates can be overridden to create unique designs or popular themes and page builders, like \u003Ca href=\"https:\u002F\u002Felementor.com\u002F\" rel=\"nofollow ugc\">Elementor\u003C\u002Fa> Pro, can be used.\u003C\u002Fp>\n\u003Ch4>SHOPIFY-LIKE BACKEND EXPERIENCE\u003C\u002Fh4>\n\u003Cp>Store owners manage their product catalog and daily \u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Forder-management\u002F\" rel=\"nofollow ugc\">orders\u003C\u002Fa> on the platform, which is beautifully designed, intuitive, and easy to work with. WordPress is only used for its strengths: managing content and creating the storefront.\u003C\u002Fp>\n\u003Ch4>MULTI-CHANNEL CUSTOMER SUPPORT\u003C\u002Fh4>\n\u003Cp>Prodigy provides free phone, email, and online chat support from California for the WordPress community of developers, designers, and agencies and their store owner clients. Prodigy is the opposite of WooCommerce, never hiding behind a support forum and pretending that’s customer service. 
The Prodigy team wants to communicate with, and proactively respond to any feedback received from, the members of the WordPress community and their store owner clients so that the solution can be continuously improved. Of course, a support forum is available via this plugin page and DIY support can be found via the \u003Ca href=\"https:\u002F\u002Fsupport.prodigycommerce.com\u002Fhc\u002Fen-us\" rel=\"nofollow ugc\">help center documentation\u003C\u002Fa> on Prodigy’s website.\u003C\u002Fp>\n\u003Ch4>A CREDIBLE ALTERNATIVE TO SHOPIFY AND BIGCOMMERCE TOO\u003C\u002Fh4>\n\u003Cp>The WordPress community of developers, designers, and agencies now has a credible alternative to Shopify and BigCommerce since Prodigy is also a hosted solution but with a unique business model (free). Prodigy’s platform is entirely merchant branded as soon as a store logo is uploaded, providing full control over the look-and-feel so that your store owner clients’ customers have a seamless shopping experience from start to finish. Prodigy always prioritizes the store owner’s brand over its own.\u003C\u002Fp>\n\u003Ch4>YOUR CLIENTS OWN AND CONTROL THEIR STORE DATA\u003C\u002Fh4>\n\u003Cp>It should go without saying, but a store owner’s data is their property. 
If a store owner wishes to migrate to a different platform, they can use the Prodigy product export tool and the Prodigy team will help them export all of their other content free-of-charge.\u003C\u002Fp>\n\u003Ch4>PARTNER WITH PRODIGY\u003C\u002Fh4>\n\u003Cp>Become a \u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Fpartners\u002F\" rel=\"nofollow ugc\">Prodigy partner\u003C\u002Fa> so that you can influence our development roadmap, share your clients’ pain points, and learn about financial incentives.\u003C\u002Fp>\n\u003Ch4>PRODIGY’S PLUGIN FEATURES IN A NUTSHELL\u003C\u002Fh4>\n\u003Cp>Prodigy’s plugin allows you to synchronize the product catalog from the Prodigy platform to the WordPress frontend and customize the storefront using WordPress conventions and standards.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Synchronizes an unlimited number of products from the Prodigy platform as a custom post type\u003C\u002Fli>\n\u003Cli>Synchronizes product categories and tags from the Prodigy platform as custom taxonomies\u003C\u002Fli>\n\u003Cli>New and updated products are automatically synchronized when the site is on an accessible production server (manual sync available for development environments)\u003C\u002Fli>\n\u003Cli>Templates for catalog pages, product detail pages, and cart page that you can easily override and customize to meet your client’s needs\u003C\u002Fli>\n\u003Cli>Use popular page builders, like \u003Ca href=\"https:\u002F\u002Felementor.com\u002F\" rel=\"nofollow ugc\">Elementor\u003C\u002Fa> Pro. Prodigy’s Elementor Pro integration contains a myriad of powerful Elementor widgets, and Elementor page templates, with conditions for displaying them in specific places. 
It has more features and widgets than what’s offered in the WooCommerce Elementor plugin.\u003C\u002Fli>\n\u003Cli>Utilize powerful product search and attribute filter widgets in the store sidebar\u003C\u002Fli>\n\u003Cli>Products and Categories shortcodes allow you to create custom lists of products or categories on any page\u003C\u002Fli>\n\u003Cli>Customizer options available to help with simple customizations of the Catalog and Product detail pages\u003C\u002Fli>\n\u003Cli>Optional product ratings and reviews that can be moderated through the standard WordPress comments functionality\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Ch4>PRODIGY’S PLATFORM FUNCTIONALITY IN A NUTSHELL\u003C\u002Fh4>\n\u003Cp>Prodigy’s platform allows you to \u003Ca href=\"https:\u002F\u002Fapp.prodigycommerce.com\u002Fsign_up\" rel=\"nofollow ugc\">create a free developer account\u003C\u002Fa>, build an unlimited number of stores for your clients, and manage them all in one place. You can work on stores in test mode and then seamlessly transfer ownership to your store owner clients when they are ready.\u003C\u002Fp>\n\u003Cul>\n\u003Cli>Secure hosted \u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Fcheckout\u002F\" rel=\"nofollow ugc\">checkout\u003C\u002Fa> that can be customized to match the website’s design\u003C\u002Fli>\n\u003Cli>One-click express checkout for customers who wish to use Apple Pay or Google Pay\u003C\u002Fli>\n\u003Cli>Simplified checkout for all logged in customers\u003C\u002Fli>\n\u003Cli>Merchant-branded customer account portal for customers to manage orders, track shipments, etc.\u003C\u002Fli>\n\u003Cli>Import a \u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Fproduct-management\u002F\" rel=\"nofollow ugc\">product catalog\u003C\u002Fa> of any size using our simple CSV import tool\u003C\u002Fli>\n\u003Cli>Manage the product catalog, attributes, and categories; including inventory management\u003C\u002Fli>\n\u003Cli>Use our drag-and-drop feature to 
change the ordering of categories\u003C\u002Fli>\n\u003Cli>Manage the SEO metadata for products and categories\u003C\u002Fli>\n\u003Cli>Sell \u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Fsubscriptions\u002F\" rel=\"nofollow ugc\">subscriptions\u003C\u002Fa> for products and\u002For services\u003C\u002Fli>\n\u003Cli>Create and manage coupon codes that can be applied during checkout\u003C\u002Fli>\n\u003Cli>Use cross-sell and up-sell functionality to increase average order value\u003C\u002Fli>\n\u003Cli>Manage \u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Ffeature-showcase-free-native-abandoned-cart-recovery-by-prodigy-commerce\u002F\" rel=\"nofollow ugc\">abandoned checkouts\u003C\u002Fa> and send automated recovery emails to capture sales\u003C\u002Fli>\n\u003Cli>Free \u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Feverything-you-need-to-know-about-shipping-with-prodigy-commerce\u002F\" rel=\"nofollow ugc\">shipping\u003C\u002Fa> calculations from the major carriers (USPS, UPS, FedEx, and DHL)\u003C\u002Fli>\n\u003Cli>Free global \u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Ffeature-showcase-free-fully-integrated-and-automated-tax-calculations\u002F\" rel=\"nofollow ugc\">tax\u003C\u002Fa> calculations that can be configured with multiple nexus addresses\u003C\u002Fli>\n\u003Cli>Securely accept credit card payments (Visa, MasterCard, American Express, and Discover)\u003C\u002Fli>\n\u003Cli>Manage payment statuses (configure to authorize only or immediately capture upon order completion)\u003C\u002Fli>\n\u003Cli>Manage returns, refunds, and order cancellations\u003C\u002Fli>\n\u003Cli>Comprehensive order fulfillment process that includes free printing of shipping labels\u003C\u002Fli>\n\u003Cli>Google’s Invisible reCAPTCHA used on checkout pages to protect against fraud while not adding any friction to the checkout process for legitimate customers\u003C\u002Fli>\n\u003Cli>Free \u003Ca 
href=\"https:\u002F\u002Fprodigycommerce.com\u002Ffeature-showcase-free-fully-integrated-fraud-prevention-and-risk-analysis\u002F\" rel=\"nofollow ugc\">fraud analysis\u003C\u002Fa> on every order to protect from losses\u003C\u002Fli>\n\u003C\u002Ful>\n\u003Cp>We currently only support store owners located in the United States that transact in USD.\u003C\u002Fp>\n\u003Ch4>Links\u003C\u002Fh4>\n\u003Cul>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\" rel=\"nofollow ugc\">Prodigy Commerce\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fapp.prodigycommerce.com\u002Fsign_up\" rel=\"nofollow ugc\">Create an account\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Fpartners\u002F\" rel=\"nofollow ugc\">Become a Prodigy Partner\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fsupport.prodigycommerce.com\u002Fhc\u002Fen-us\" rel=\"nofollow ugc\">Documentation\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Fterms-of-service\" rel=\"nofollow ugc\">Terms of Service\u003C\u002Fa>\u003C\u002Fli>\n\u003Cli>\u003Ca href=\"https:\u002F\u002Fprodigycommerce.com\u002Fprivacy-policy\" rel=\"nofollow ugc\">Privacy Policy\u003C\u002Fa>\u003C\u002Fli>\n\u003C\u002Ful>\n","A powerful alternative to self-hosted eCommerce solutions. 
Combine WordPress with a full-featured, PCI-compliant platform.",25115,74,"2026-04-01T19:10:00.000Z","4.6",[156,157,158,159,160],"e-commerce-storefront","ecommerce-platform","headless-commerce","hosted-checkout","online-storefront","https:\u002F\u002Fprodigycommerce.com","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fprodigy-commerce.3.3.5.zip","2026-02-18 15:52:33",{"attackSurface":165,"codeSignals":252,"taintFlows":260,"riskAssessment":294,"analyzedAt":310},{"hooks":166,"ajaxHandlers":246,"restRoutes":247,"shortcodes":248,"cronEvents":249,"entryPointCount":13,"unprotectedCount":13},[167,173,178,184,187,190,193,198,203,207,212,216,220,223,227,231,234,238,242],{"type":168,"name":169,"callback":170,"file":171,"line":172},"action","woocommerce_api_wc_gateway_aplazo","check_aplazo_from_api_response","src\\Gateways\\AplazoGateway.php",81,{"type":168,"name":174,"callback":175,"file":176,"line":177},"wp_enqueue_scripts","aplazoScripts","src\\Hooks\\Scripts.php",13,{"type":168,"name":179,"callback":180,"priority":181,"file":182,"line":183},"woocommerce_order_status_pending_to_cancelled","restoreStockItem",10,"src\\Order\\Stock.php",15,{"type":168,"name":185,"callback":180,"priority":181,"file":182,"line":186},"woocommerce_order_status_pending_to_failed",16,{"type":168,"name":188,"callback":180,"priority":181,"file":182,"line":189},"woocommerce_order_status_processing_to_refunded",17,{"type":168,"name":191,"callback":180,"priority":181,"file":182,"line":192},"woocommerce_order_status_on-hold_to_refunded",18,{"type":168,"name":194,"callback":195,"priority":196,"file":182,"line":197},"woocommerce_order_status_changed","orderStockReduction",20,19,{"type":168,"name":199,"callback":200,"file":201,"line":202},"plugins_loaded","init","src\\WoocommerceAplazo.php",30,{"type":168,"name":204,"callback":205,"file":201,"line":206},"admin_notices","noWoocommerceAdminMessage",36,{"type":208,"name":209,"callback":210,"priority":181,"file":201,"line":211},"filter","woocommerce_
gateway_title","getPaymentMethodTitle",49,{"type":168,"name":213,"callback":214,"file":201,"line":215},"woocommerce_blocks_payment_method_type_registration","closure",72,{"type":208,"name":217,"callback":218,"file":201,"line":219},"woocommerce_payment_gateways","getMethodGateway",83,{"type":168,"name":200,"callback":221,"file":201,"line":222},"aplazoTextDomainLoad",95,{"type":168,"name":224,"callback":225,"file":201,"line":226},"woocommerce_proceed_to_checkout","widgetInCart",97,{"type":168,"name":228,"callback":229,"file":201,"line":230},"woocommerce_before_add_to_cart_form","widgetInProducts",98,{"type":168,"name":232,"callback":233,"file":201,"line":102},"restrict_manage_posts","cancelUnpaidOrders",{"type":208,"name":235,"callback":236,"file":201,"line":237},"cron_schedules","fifteen_minutes_cron_interval",101,{"type":168,"name":239,"callback":240,"file":201,"line":241},"cancel_unpaid_orders_hook","cancelUnpaidOrdersExec",102,{"type":168,"name":243,"callback":214,"file":244,"line":245},"before_woocommerce_init","woocommerce-aplazo-gateway.php",27,[],[],[],[250],{"hook":239,"callback":239,"file":201,"line":251},104,{"dangerousFunctions":253,"sqlUsage":254,"outputEscaping":256,"fileOperations":27,"externalRequests":51,"nonceChecks":13,"capabilityChecks":13,"bundledLibraries":259},[],{"prepared":13,"raw":13,"locations":255},[],{"escaped":257,"rawEcho":13,"locations":258},14,[],[],[261,284],{"entryPoint":262,"graph":263,"unsanitizedCount":27,"severity":40},"check_aplazo_from_api_response (src\\Gateways\\AplazoGateway.php:497)",{"nodes":264,"edges":281},[265,270,274],{"id":266,"type":267,"label":268,"file":171,"line":269},"n0","source","$_GET",531,{"id":271,"type":272,"label":273,"file":171,"line":269},"n1","transform","→ apiGet()",{"id":275,"type":276,"label":277,"file":278,"line":279,"wp_function":280},"n2","sink","wp_remote_get() 
[SSRF]","src\\Service\\Api.php",57,"wp_remote_get",[282,283],{"from":266,"to":271,"sanitized":50},{"from":271,"to":275,"sanitized":50},{"entryPoint":285,"graph":286,"unsanitizedCount":27,"severity":40},"\u003CAplazoGateway> (src\\Gateways\\AplazoGateway.php:0)",{"nodes":287,"edges":291},[288,289,290],{"id":266,"type":267,"label":268,"file":171,"line":269},{"id":271,"type":272,"label":273,"file":171,"line":269},{"id":275,"type":276,"label":277,"file":278,"line":279,"wp_function":280},[292,293],{"from":266,"to":271,"sanitized":50},{"from":271,"to":275,"sanitized":50},{"summary":295,"deductions":296},"The aplazo-payment-gateway plugin v1.5.0 exhibits a mixed security posture. On the positive side, the static analysis reveals strong adherence to several secure coding practices, including 100% of SQL queries using prepared statements and 100% of output being properly escaped. There are no identified dangerous functions or raw SQL queries. However, significant concerns arise from the lack of any nonce or capability checks across the identified entry points, including AJAX handlers, REST API routes, and cron events. While the direct attack surface appears limited in terms of entry points, the absence of authentication and authorization mechanisms makes any potential vulnerabilities highly exploitable.\n\nThe taint analysis indicates two flows with unsanitized paths, although none reached critical or high severity. This suggests potential vulnerabilities that, while not immediately critical, could be leveraged by attackers if combined with other weaknesses or specific configurations. The vulnerability history, showing one past CVE attributed to 'Missing Authorization', reinforces the concern regarding the plugin's authorization mechanisms. 
The fact that this past vulnerability is currently unpatched is a significant red flag, even if the current version's analysis doesn't highlight it directly.\n\nIn conclusion, while the plugin demonstrates good practices in SQL sanitization and output escaping, the complete absence of nonce and capability checks is a critical weakness. The past 'Missing Authorization' vulnerability and the identified unsanitized paths in the taint analysis further underscore the need for immediate review and remediation of authorization and input sanitization. The plugin's security posture is currently weak due to these fundamental flaws.",[297,299,301,303,305,308],{"reason":298,"points":183},"No nonce checks found on entry points",{"reason":300,"points":183},"No capability checks found on entry points",{"reason":302,"points":181},"Taint flow with unsanitized path (x2)",{"reason":304,"points":196},"Unpatched CVE history (Missing Authorization)",{"reason":306,"points":307},"File operations detected",5,{"reason":309,"points":307},"External HTTP requests 
detected","2026-03-16T20:02:41.388Z",{"wat":312,"direct":327},{"assetPaths":313,"generatorPatterns":322,"scriptPaths":323,"versionParams":324},[314,315,316,317,318,319,320,321],"\u002Fwp-content\u002Fplugins\u002Faplazo-payment-gateway\u002Fassets\u002Fjs\u002Faplazo-widget\u002Faplazo-widgets.min.js","\u002Fwp-content\u002Fplugins\u002Faplazo-payment-gateway\u002Fassets\u002Fimages\u002Fstep-1.png","\u002Fwp-content\u002Fplugins\u002Faplazo-payment-gateway\u002Fassets\u002Fimages\u002Fstep-2.png","\u002Fwp-content\u002Fplugins\u002Faplazo-payment-gateway\u002Fassets\u002Fimages\u002Fstep-3.png","\u002Fwp-content\u002Fplugins\u002Faplazo-payment-gateway\u002Fassets\u002Fimages\u002Flogo-raw.png","\u002Fwp-content\u002Fplugins\u002Faplazo-payment-gateway\u002Fassets\u002Fimages\u002Faplazo-desc-movil","\u002Fwp-content\u002Fplugins\u002Faplazo-payment-gateway\u002Fassets\u002Fimages\u002Faplazo-description.png","\u002Fwp-content\u002Fplugins\u002Faplazo-payment-gateway\u002Fassets\u002Fcss\u002Fcheckout_aplazo.css",[],[314],[325,326],"aplazo-payment-gateway\u002Fstyle.css?ver=","aplazo-payment-gateway\u002Fscript.js?ver=",{"cssClasses":328,"htmlComments":329,"htmlAttributes":331,"restEndpoints":354,"jsGlobals":357,"shortcodeOutput":361},[],[330],"\u003C!-- Aplazo Payment Gateway 
-->",[332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353],"data-merchantid","data-token","data-lang","data-cart-id","data-cart-total","data-cart-currency","data-customer-id","data-customer-email","data-customer-first-name","data-customer-last-name","data-customer-phone","data-customer-country","data-customer-city","data-customer-state","data-customer-zip","data-customer-address","data-product-id","data-product-name","data-product-price","data-product-quantity","data-product-sku","data-product-category",[355,356],"\u002Fwp-json\u002Fwc-aplazo\u002Fv1\u002Fcreate-payment","\u002Fwp-json\u002Fwc-aplazo\u002Fv1\u002Fpayment-status",[358,359,360],"aplazoConfig","aplazoWidget","images",[362],"\u003Caplazo-banner>\u003C\u002Faplazo-banner>",{"error":364,"url":365,"statusCode":366,"statusMessage":367,"message":367},true,"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Faplazo-payment-gateway\u002Fbundle",404,"no bundle for this plugin yet",{"slug":4,"current_version":6,"total_versions":197,"versions":369},[370,375,382,388,396,404,412,420,428,436,444,452,460,468,476,484,492,500,507],{"version":6,"download_url":25,"svn_tag_url":371,"released_at":37,"has_diff":50,"diff_files_changed":372,"diff_lines":37,"trac_diff_url":373,"vulnerabilities":374,"is_current":364},"https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.5.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.5.2&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.5.3",[],{"version":376,"download_url":377,"svn_tag_url":378,"released_at":37,"has_diff":50,"diff_files_changed":379,"diff_lines":37,"trac_diff_url":380,"vulnerabilities":381,"is_current":50},"1.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.5.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.5.2\u002F",[],"https:\u002F\u002Fplugins.t
rac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.5.0&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.5.2",[],{"version":39,"download_url":383,"svn_tag_url":384,"released_at":37,"has_diff":50,"diff_files_changed":385,"diff_lines":37,"trac_diff_url":386,"vulnerabilities":387,"is_current":50},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.5.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.5.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.4.3&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.5.0",[],{"version":389,"download_url":390,"svn_tag_url":391,"released_at":37,"has_diff":50,"diff_files_changed":392,"diff_lines":37,"trac_diff_url":393,"vulnerabilities":394,"is_current":50},"1.4.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.4.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.4.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.4.2&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.4.3",[395],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":397,"download_url":398,"svn_tag_url":399,"released_at":37,"has_diff":50,"diff_files_changed":400,"diff_lines":37,"trac_diff_url":401,"vulnerabilities":402,"is_current":50},"1.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.4.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.4.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.4.1&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.4.2",[403],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":
39},{"version":405,"download_url":406,"svn_tag_url":407,"released_at":37,"has_diff":50,"diff_files_changed":408,"diff_lines":37,"trac_diff_url":409,"vulnerabilities":410,"is_current":50},"1.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.4.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.4.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.4.0&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.4.1",[411],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":413,"download_url":414,"svn_tag_url":415,"released_at":37,"has_diff":50,"diff_files_changed":416,"diff_lines":37,"trac_diff_url":417,"vulnerabilities":418,"is_current":50},"1.4.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.4.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.4.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.3.1&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.4.0",[419],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":421,"download_url":422,"svn_tag_url":423,"released_at":37,"has_diff":50,"diff_files_changed":424,"diff_lines":37,"trac_diff_url":425,"vulnerabilities":426,"is_current":50},"1.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.3.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.3.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.3.0&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.3.1",[427],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":42
9,"download_url":430,"svn_tag_url":431,"released_at":37,"has_diff":50,"diff_files_changed":432,"diff_lines":37,"trac_diff_url":433,"vulnerabilities":434,"is_current":50},"1.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.3.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.3.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.2.5&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.3.0",[435],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":437,"download_url":438,"svn_tag_url":439,"released_at":37,"has_diff":50,"diff_files_changed":440,"diff_lines":37,"trac_diff_url":441,"vulnerabilities":442,"is_current":50},"1.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.2.5.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.2.5\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.2.4&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.2.5",[443],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":445,"download_url":446,"svn_tag_url":447,"released_at":37,"has_diff":50,"diff_files_changed":448,"diff_lines":37,"trac_diff_url":449,"vulnerabilities":450,"is_current":50},"1.2.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.2.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.2.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.2.3&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.2.4",[451],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":453,"download_url":
454,"svn_tag_url":455,"released_at":37,"has_diff":50,"diff_files_changed":456,"diff_lines":37,"trac_diff_url":457,"vulnerabilities":458,"is_current":50},"1.2.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.2.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.2.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.2.2&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.2.3",[459],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":461,"download_url":462,"svn_tag_url":463,"released_at":37,"has_diff":50,"diff_files_changed":464,"diff_lines":37,"trac_diff_url":465,"vulnerabilities":466,"is_current":50},"1.2.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.2.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.2.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.2.1&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.2.2",[467],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":469,"download_url":470,"svn_tag_url":471,"released_at":37,"has_diff":50,"diff_files_changed":472,"diff_lines":37,"trac_diff_url":473,"vulnerabilities":474,"is_current":50},"1.2.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.2.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.2.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.1.3&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.2.1",[475],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":477,"download_url":478,"svn_tag_url"
:479,"released_at":37,"has_diff":50,"diff_files_changed":480,"diff_lines":37,"trac_diff_url":481,"vulnerabilities":482,"is_current":50},"1.1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.1.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.1.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.1.2&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.1.3",[483],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":485,"download_url":486,"svn_tag_url":487,"released_at":37,"has_diff":50,"diff_files_changed":488,"diff_lines":37,"trac_diff_url":489,"vulnerabilities":490,"is_current":50},"1.1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.1.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.1.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.1.1&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.1.2",[491],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":493,"download_url":494,"svn_tag_url":495,"released_at":37,"has_diff":50,"diff_files_changed":496,"diff_lines":37,"trac_diff_url":497,"vulnerabilities":498,"is_current":50},"1.1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.1.0&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.1.1",[499],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":67,"download_url":501,"svn_tag_url":502,"released_at"
:37,"has_diff":50,"diff_files_changed":503,"diff_lines":37,"trac_diff_url":504,"vulnerabilities":505,"is_current":50},"https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.1.0\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Faplazo-payment-gateway%2Ftags%2F1.0.18&new_path=%2Faplazo-payment-gateway%2Ftags%2F1.1.0",[506],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39},{"version":508,"download_url":509,"svn_tag_url":510,"released_at":37,"has_diff":50,"diff_files_changed":511,"diff_lines":37,"trac_diff_url":37,"vulnerabilities":512,"is_current":50},"1.0.18","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Faplazo-payment-gateway.1.0.18.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Faplazo-payment-gateway\u002Ftags\u002F1.0.18\u002F",[],[513],{"id":33,"url_slug":34,"title":35,"severity":40,"cvss_score":41,"vuln_type":43,"patched_in_version":39}]