Total processing card payments for WooCommerce Security & Risk Analysis

The "totalprocessing-card-payments" plugin v7.3 presents a mixed security posture with some positive aspects but notable areas of concern. The presence of 8 unprotected AJAX handlers significantly expands the attack surface, potentially allowing unauthenticated users to trigger sensitive actions. While the plugin largely utilizes prepared statements for SQL queries (65%), the remaining 35% may still be susceptible to SQL injection if not handled carefully. The high percentage of unsanitized paths in taint analysis (16 out of 20 flows) is a major red flag, indicating a strong likelihood of path traversal vulnerabilities, especially given the plugin's history of such issues. Furthermore, only 54% of output is properly escaped, increasing the risk of cross-site scripting (XSS) attacks, which aligns with the plugin's historical vulnerability types.

Despite these concerns, the plugin does not appear to bundle outdated libraries and has no currently unpatched CVEs. The existence of 3 CVEs in its history, particularly a high-severity one related to path traversal and medium-severity ones for XSS, suggests a recurring pattern of input sanitization and output escaping deficiencies. While the current version may have fixed past vulnerabilities, the high number of unprotected entry points and unsanitized taint flows indicate that the underlying architectural weaknesses may persist, making it a prime target for attackers. Therefore, while there are some positive indicators, the significant number of unprotected entry points and the concerning taint analysis results warrant cautious evaluation.