Yandex Pay and Split Security & Risk Analysis

The yandex-pay-and-split plugin v1.1.7 demonstrates a generally strong security posture, with no known vulnerabilities or critical issues identified in static and taint analysis. The absence of SQL injection vulnerabilities due to the use of prepared statements and a high percentage of properly escaped output are significant strengths. Furthermore, the plugin's attack surface appears minimal, with no AJAX handlers, REST API routes, shortcodes, or cron events exposed without authentication or permission checks, which is a positive indicator. However, the presence of a file operation and external HTTP requests, coupled with a lack of explicit capability checks on the single nonce check, warrants careful consideration. While these might be legitimate functions of the plugin, their implementation could be a potential vector if not handled with robust sanitization and authorization, especially since no taint analysis was performed to confirm their safety. The lack of any recorded past vulnerabilities, while positive, also means there's no historical data to assess how the developers have handled security issues in the past.