Robokassa Shortcode Security & Risk Analysis

The robokassa-shortcode plugin v1.4.1 demonstrates a mixed security posture. On the positive side, it has no known vulnerabilities (CVEs) and its SQL queries are all properly prepared, indicating good practices in data sanitization for database interactions. The plugin also has a very small attack surface, with only one shortcode and no AJAX handlers, REST API routes, or cron events. Furthermore, taint analysis shows no identified flows with unsanitized paths, which is a strong indicator against critical injection vulnerabilities.

However, significant concerns exist regarding output escaping and the use of dangerous functions. A low percentage (29%) of outputs are properly escaped, leaving the plugin susceptible to cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled carefully before being displayed. The presence of the `create_function` function is a known security risk, as it can lead to code injection if used with unsanitized input. The absence of nonce checks and capability checks on its single entry point (the shortcode) means that any authenticated user could potentially trigger the shortcode's functionality, regardless of their intended permissions.

Given the lack of historical vulnerabilities, it's possible these weaknesses haven't been exploited or discovered yet. However, the combination of unescaped output and the use of `create_function` represents a tangible risk. While the overall attack surface is small, these specific code signals warrant attention to prevent potential security breaches.