Payment Gateway for Idram Security & Risk Analysis

The "hk-idram-payment-gateway" plugin v2.1.5 demonstrates a mixed security posture. On the positive side, it has no known CVEs and a clean vulnerability history, suggesting a commitment to security or a lack of targeted exploitation. The static analysis shows a minimal attack surface with no unprotected AJAX handlers, REST API routes, or shortcodes. Furthermore, output escaping is generally well-handled, with 95% of outputs properly escaped. However, significant concerns arise from the code analysis. The plugin performs 100% of its SQL queries without prepared statements, which is a major risk for SQL injection vulnerabilities. Additionally, there are no nonce checks or capability checks implemented, meaning actions within the plugin are not protected against CSRF or unauthorized privilege escalation. The taint analysis also reveals a concerning number of flows with unsanitized paths, though no critical or high severity issues were identified in this specific analysis. The combination of raw SQL queries and missing authorization checks creates a substantial risk, despite the absence of past vulnerabilities and a small attack surface.