EveryPay Payment Gateway for WooCommerce Security & Risk Analysis

The "everypay-payment-gateway" plugin v3.8 exhibits a mixed security posture. On the positive side, it has no recorded vulnerabilities (CVEs) and demonstrates good practices in output escaping, with 84% of outputs properly escaped. It also avoids the use of dangerous functions and has a limited number of file operations and external HTTP requests. However, there are notable concerns regarding its attack surface. The plugin exposes 5 AJAX handlers, with a significant portion (2 out of 5) lacking authentication checks, presenting a potential entry point for unauthorized actions. While taint analysis shows no critical or high-severity flows, the presence of unprotected AJAX handlers is a direct risk.

The vulnerability history shows a clean slate, which is a strong indicator of diligent development and a commitment to security. This suggests that past versions may have been well-maintained or that the codebase is generally robust. Despite the lack of past vulnerabilities, the current code analysis reveals a weakness in the handling of AJAX requests. The presence of unprotected AJAX endpoints, even without a history of exploitation, represents a clear and present danger that could be leveraged if an attacker discovers them. In conclusion, while the plugin has strengths in its lack of historical vulnerabilities and good output sanitization, the unprotected AJAX handlers are a significant weakness that requires immediate attention to improve its overall security.