Saphali LiqPay for donate Security & Risk Analysis

The "saphali-liqpay-for-donate" plugin v1.0.3 exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and having a single nonce check, significant concerns arise from its attack surface. Specifically, two AJAX handlers lack authentication checks, presenting a clear entry point for unauthorized actions. The plugin also has a history of medium severity vulnerabilities, with a past Cross-Site Scripting (XSS) issue, indicating a recurring tendency for input sanitization and output escaping to be potential weak points.

Despite the absence of critical or high severity issues in the current static analysis and a lack of currently unpatched CVEs, the unprotected AJAX handlers are a serious risk. The 74% output escaping rate, while not critically low, suggests that some outputs may still be vulnerable to XSS if certain conditions are met. The presence of an external HTTP request, while not inherently dangerous, warrants attention in conjunction with other identified weaknesses. Overall, the plugin's strengths in SQL handling are overshadowed by its unprotected entry points and a history of vulnerabilities that require careful consideration and ongoing monitoring.