Syspay Security & Risk Analysis

wordpress.org/plugins/syspay-for-woocommerce

Syspay payment gateway plugin for WooCommerce.

10 active installs v2.2.5 PHP 8.0.0+ WP 6.0.1+ Updated Mar 4, 2026
checkoutonline-paymentpaiementpaymentsyspay
100
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Syspay Safe to Use in 2026?

Generally Safe

Score 100/100

Syspay has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 4mo ago
Risk Assessment

The syspay-for-woocommerce v2.2.5 plugin presents several security concerns despite a clean vulnerability history. The most significant issue lies in its attack surface, with two AJAX handlers identified, neither of which have authentication checks. This means any unauthenticated user can trigger these actions, potentially leading to unintended consequences or exploitation if the underlying logic is vulnerable.

While the static analysis did not reveal critical or high severity taint flows, it did flag that all three analyzed flows had unsanitized paths. Furthermore, a substantial portion of SQL queries (60%) are not using prepared statements, increasing the risk of SQL injection vulnerabilities. The lack of nonce checks on AJAX handlers is a direct invitation for Cross-Site Request Forgery (CSRF) attacks. The fact that there are no recorded CVEs is a positive sign, suggesting a general lack of discovered vulnerabilities in the past. However, the current code analysis reveals significant weaknesses that could be exploited, making the lack of past CVEs potentially due to a lack of thorough auditing or a recent shift in the plugin's codebase.

In conclusion, while the plugin has no known historical vulnerabilities, the current version exhibits critical security flaws. The unprotected AJAX endpoints, unsanitized taint flows, and reliance on unprepared SQL statements represent a high-risk profile. The absence of nonce and capability checks on critical entry points amplifies these risks. This plugin requires immediate attention and remediation to secure its attack surface and sanitize data processing.

Key Concerns

  • AJAX handlers without authentication checks
  • Unsanitized paths in taint analysis flows
  • SQL queries not using prepared statements
  • Lack of nonce checks on AJAX handlers
  • Lack of capability checks on entry points
  • Unescaped output detected
Vulnerabilities
None known

Syspay Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Syspay Release Timeline

v2.2.5Current
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v1.68
v1.58
Code Analysis
Analyzed Mar 17, 2026

Syspay Code Analysis

Dangerous Functions
0
Raw SQL Queries
3
2 prepared
Unescaped Output
6
9 escaped
Nonce Checks
0
Capability Checks
0
File Operations
1
External Requests
0
Bundled Libraries
0

SQL Query Safety

40% prepared5 total queries

Output Escaping

60% escaped15 total outputs
Data Flows · Security
3 unsanitized

Data Flow Analysis

3 flows3 with unsanitized paths
syspay_init_gateway_class (syspay-payment.php:143)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
2 unprotected

Syspay Attack Surface

Entry Points2
Unprotected2

AJAX Handlers 2

authwp_ajax_save_device_parametersyspay-payment.php:75
noprivwp_ajax_save_device_parametersyspay-payment.php:76
WordPress Hooks 9
actionwoocommerce_blocks_checkout_block_registrationsyspay-payment.php:51
filterwc_order_statusessyspay-payment.php:119
filterwoocommerce_payment_gatewayssyspay-payment.php:131
actioninitsyspay-payment.php:132
actionplugins_loadedsyspay-payment.php:133
actionbefore_woocommerce_initsyspay-payment.php:136
actionwp_enqueue_scriptssyspay-payment.php:196
actionwoocommerce_store_api_checkout_update_order_from_requestsyspay-payment.php:197
filterscript_loader_tagsyspay-payment.php:350
Maintenance & Trust

Syspay Maintenance & Trust

Maintenance Signals

WordPress version tested6.8.5
Last updatedMar 4, 2026
PHP min version8.0.0
Downloads3K

Community Trust

Rating100/100
Number of ratings1
Active installs10
Developer Profile

Syspay Developer Profile

SysPay

1 plugin · 10 total installs

94
trust score
Avg Security Score
100/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Syspay

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/syspay-for-woocommerce/assets/js/checkout/block.js
Script Paths
/wp-content/plugins/syspay-for-woocommerce/assets/js/checkout/block.js

HTML / DOM Fingerprints

JS Globals
syspay_params
REST Endpoints
/wp-json/syspay/v1/webhook/wp-json/syspay/v1/webhook-ems
FAQ

Frequently Asked Questions about Syspay