Migración de Medio de Pago Webpay Plus SOAP a REST de Transbank para WooCommerce Security & Risk Analysis

The static analysis of "wc-transbank-webpay-plus-rest" v2021.03.22 reveals a generally positive security posture in terms of its direct attack surface and SQL handling. The absence of AJAX handlers, REST API routes, shortcodes, and cron events with unprotected entry points is a significant strength, limiting potential direct exploitation vectors. Furthermore, all SQL queries are confirmed to use prepared statements, mitigating the risk of SQL injection vulnerabilities in that area. The plugin also exhibits no known vulnerabilities in its history, suggesting a good track record.

However, the analysis also highlights critical areas for concern. A striking 100% of output operations are not properly escaped. This lack of output escaping is a major security flaw, as it opens the door to Cross-Site Scripting (XSS) vulnerabilities. Any dynamic data displayed by the plugin that is not properly sanitized before being rendered in the browser could be exploited by attackers to inject malicious scripts, leading to session hijacking, credential theft, or defacement.

While the plugin's direct attack surface is small and SQL queries are secure, the pervasive issue with output escaping presents a significant risk. The presence of bundled libraries, Guzzle and TCPDF v1.0, could also pose a risk if they are outdated and contain known vulnerabilities, though this is not explicitly stated. The vulnerability history is clean, which is positive, but it does not negate the immediate risks identified in the code analysis.