CamPay Shortcode Payment Gateway Security & Risk Analysis

The "campay-shortcode-payment-gateway" plugin version 1.6 exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and maintaining a high percentage of properly escaped output, mitigating common data leakage and injection risks. The absence of known CVEs and bundled libraries further contributes to a relatively stable history. However, significant concerns arise from its attack surface and authentication mechanisms. With three identified entry points, two of which lack any authentication or capability checks, the plugin exposes itself to potential unauthorized access and execution of sensitive functions. The presence of the 'assert' dangerous function, although not explicitly linked to a taint flow in this analysis, warrants caution as it can be misused in certain contexts. The complete lack of nonce checks on AJAX handlers is a critical oversight that could allow for Cross-Site Request Forgery (CSRF) attacks.