Payment Gateway for EVOCABANK Security & Risk Analysis

The payment-gateway-for-evocabank plugin v1.0.8 exhibits a mixed security posture. On the positive side, there are no known CVEs, a very small attack surface with no apparent unprotected entry points, and no dangerous functions or file operations identified. The vulnerability history is clean, suggesting a history of reasonably secure development. However, significant concerns arise from the static analysis. The presence of a single SQL query that does not use prepared statements is a critical risk, potentially leading to SQL injection vulnerabilities. Furthermore, a concerning 6 out of 6 taint flows were found with unsanitized paths, indicating that data processed by the plugin might not be adequately validated or cleaned before being used, which could lead to various injection attacks if these flows are exposed to untrusted input. The lack of capability checks and nonce checks, coupled with a high percentage of improperly escaped outputs, further exacerbates these risks, as sensitive operations or data display might be vulnerable to unauthorized access or cross-site scripting (XSS) attacks respectively.