Paymento – Non-Custodial Crypto Payment Gateway for WooCommerce Security & Risk Analysis

The "paymento-crypto-gateway" plugin version 1.2.1 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by ensuring all SQL queries utilize prepared statements and all output is properly escaped. It also avoids dangerous functions and file operations. However, significant security concerns arise from its attack surface and the lack of robust authorization checks.

The static analysis reveals a notable risk with 2 out of 3 REST API routes lacking permission callbacks. This means that unauthorized users could potentially interact with these endpoints, leading to unintended actions or information disclosure. While the taint analysis did not find critical or high-severity issues, the presence of one flow with an unsanitized path warrants attention, even if its immediate impact is unclear without further context.

The plugin's vulnerability history is clean, with no recorded CVEs. This suggests that historically, the plugin has not been a target for publicly disclosed vulnerabilities. However, the absence of vulnerabilities does not equate to perfect security, especially given the identified weaknesses in the attack surface. The lack of nonce checks is also a concern, particularly if any of the unprotected REST API routes are involved in state-changing operations.