Pay by paynow.pl Security & Risk Analysis

The pay-by-paynow-pl plugin v2.5.10 presents a mixed security posture. On the positive side, the plugin demonstrates good practices by utilizing prepared statements for all SQL queries and has no recorded historical vulnerabilities, suggesting a history of relatively secure development. The absence of dangerous functions, external HTTP requests, and taint analysis findings also contribute to a favorable initial impression. However, significant concerns arise from the attack surface analysis. The plugin exposes two REST API routes without any permission callbacks, making them entirely unprotected and accessible to unauthenticated users. This lack of authorization on entry points is a critical security weakness that could lead to unauthorized actions or data exposure if these endpoints perform sensitive operations. Additionally, the static analysis indicates that a notable percentage of output (29%) is not properly escaped, which could be a vector for cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled carefully before being rendered in the browser. The plugin also lacks nonce checks, which is a common security measure to prevent cross-site request forgery (CSRF) attacks, especially when coupled with unprotected entry points.