Zeno Crypto Checkout for Easy Digital Downloads Security & Risk Analysis

The "zeno-crypto-checkout-for-easy-digital-downloads" plugin v1.0.0 exhibits a concerning security posture primarily due to a lack of proper authentication and authorization checks on its exposed entry points. While the static analysis indicates no dangerous functions, SQL injection vulnerabilities, or unescaped output, the presence of two unprotected REST API routes represents a significant attack surface. This means any unauthenticated user could potentially interact with these routes, leading to unintended consequences or information disclosure. The plugin also performs external HTTP requests, which, in conjunction with unprotected routes, could be exploited for SSRF (Server-Side Request Forgery) if not handled with extreme care. Despite the absence of known CVEs and a clean vulnerability history, the identified unprotected entry points are a critical weakness that needs immediate attention. The presence of nonce checks suggests an awareness of security, but their application is inconsistent, leaving a gap.