SmobilPay for e-commerce – Mobile Money Gateway for WooCommerce Security & Risk Analysis

The e-nkap-woocommerce-gateway plugin version 1.0.8 exhibits a mixed security posture. On the positive side, it demonstrates excellent practices in output escaping, with all 47 detected outputs being properly escaped. Furthermore, there are no recorded vulnerabilities (CVEs) in its history, suggesting a potentially stable and well-maintained codebase. The absence of dangerous functions, file operations, and external HTTP requests also contributes to a reduced attack surface in those specific areas.

However, there are significant concerns regarding the plugin's entry points. Out of 3 total entry points, 2 are unprotected. Specifically, there are 2 REST API routes that lack permission callbacks, exposing them to unauthorized access. While the static analysis did not reveal any dangerous functions or critical taint flows, the presence of unprotected entry points is a substantial risk. The static analysis also found 8 SQL queries, with 50% not using prepared statements, which could potentially lead to SQL injection vulnerabilities if not handled carefully.

In conclusion, while the plugin has strong output handling and a clean vulnerability history, the lack of proper authentication and authorization on its REST API routes represents a critical security weakness. The SQL query practices also warrant attention. Addressing these unprotected entry points and reinforcing SQL query security should be the primary focus for improving the plugin's overall security.