Безопасные переводы Тинькофф для WooCommerce Security & Risk Analysis

The plugin "wc-tinkoff-secure-deal-payment-gateway" version 1.0.1 presents a significant security risk due to its handling of entry points. While the plugin demonstrates good practices in database interaction with 100% prepared statements for SQL queries and has no known vulnerability history, the presence of 4 AJAX handlers without any authentication or capability checks is a major concern. This means any user, regardless of their role or logged-in status, can trigger these AJAX actions, opening a substantial attack surface to potential manipulation.

Furthermore, the taint analysis indicates 2 flows with unsanitized paths, which, although not classified as critical or high severity, still represent a risk. The lack of nonce checks on AJAX handlers exacerbates this by allowing these potentially unsanitized flows to be triggered without proper validation. While the plugin avoids dangerous functions and file operations, and external HTTP requests are present, the primary weakness lies in the unprotected AJAX endpoints and the identified unsanitized data flows. The absence of known CVEs is a positive sign, suggesting a generally well-maintained codebase in terms of historical security issues, but it doesn't mitigate the immediate risks posed by the current static and taint analysis findings.