Morkva Liqpay Extended Security & Risk Analysis

The mrkv-liqpay-extended plugin v0.8.6 exhibits a concerning security posture primarily due to its unprotected AJAX handlers. While the plugin demonstrates good practices in its handling of SQL queries by exclusively using prepared statements and shows no recorded vulnerability history, the presence of four AJAX handlers without any authentication or authorization checks presents a significant attack surface. This means any unauthenticated user could potentially interact with these handlers, leading to unintended actions or information disclosure depending on their functionality. The taint analysis reveals two flows with unsanitized paths, which, although not classified as critical or high severity, warrants attention as these could potentially be exploited if they interact with user-supplied input. The plugin also has a 50% rate of properly escaped output, indicating that some data displayed to users may not be adequately sanitized, potentially opening the door for cross-site scripting (XSS) vulnerabilities. In conclusion, while the absence of known CVEs and robust SQL handling are positive signs, the lack of security checks on a substantial portion of its entry points is a critical weakness that elevates the risk profile of this plugin.