CoinPayments.net Payment Gateway for WooCommerce Security & Risk Analysis

This plugin exhibits a concerning security posture primarily due to a significant lack of input validation and authorization checks, despite a clean taint analysis and no raw SQL queries. The static analysis reveals a single unprotected REST API route, which represents a direct entry point for potential attacks. Furthermore, none of the identified outputs are properly escaped, increasing the risk of cross-site scripting (XSS) vulnerabilities if user-supplied data is included in these outputs. The vulnerability history shows a past critical vulnerability related to deserialization, indicating a potential for complex and severe exploits if similar weaknesses are re-introduced. While the plugin demonstrates good practices in avoiding dangerous functions and utilizing prepared statements for SQL, the unprotected API route and poor output escaping are significant weaknesses that could be exploited. The absence of nonce and capability checks on the identified entry point is a critical oversight.