Gravity Forms payment plugin – Novalnet AG Security & Risk Analysis

The "novalnet-payment-add-on-for-gravity-forms" plugin v3.2.0 exhibits a mixed security posture. On the positive side, it demonstrates good practices by largely utilizing prepared statements for its SQL queries and performing output escaping on most of its outputs. The absence of known vulnerabilities and critical taint flows is also a strong indicator of a generally secure development process. The plugin also doesn't bundle any potentially outdated libraries.

However, significant security concerns arise from the identified attack surface. With two AJAX handlers, both lacking authentication checks, there's a clear vulnerability that could allow unauthorized users to trigger plugin functionality. While there are nonce checks present, their effectiveness is diminished without proper authorization verification on these entry points. The plugin also performs one file operation and one external HTTP request, which, while not inherently insecure, are areas that warrant careful scrutiny for potential exploitation if combined with other vulnerabilities.

Overall, the plugin's lack of historical vulnerabilities is encouraging, suggesting that past development has been responsible. However, the presence of unprotected AJAX endpoints represents a critical weakness that needs immediate attention. The plugin's strengths lie in its SQL and output sanitization, but its attack surface management is a significant area for improvement. The absence of capability checks on AJAX handlers is a notable oversight.