Please report suspected vulnerabilities privately through GitHub security advisories for this repository.
Do not open public issues for credential exposure, webhook verification bypass, or order-status reconciliation issues.
- MakePay key secrets must stay in CS-Cart payment processor settings.
- Hosted checkout return parameters are not trusted as proof of payment.
- Signed webhooks are required before marking orders paid.
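
The last two rules, shown as an added PHP example that is not this add-on's own code: the return handler only reads order status, and the webhook handler verifies the signature over the raw request body before parsing it. MakePay's actual signature scheme and payload are not described here, so HMAC-SHA256 with a hex-encoded signature, the `order_id` and `status` fields, and all function names are assumptions.

```php
<?php
// Added illustration, not the add-on's code. Assumed: hex HMAC-SHA256 over the
// raw body; JSON payload with order_id and status. All names are hypothetical.

/** Constant-time check of the signature; fails closed on empty inputs. */
function verify_webhook_signature(string $rawBody, string $signatureHex, string $secret): bool
{
    if ($secret === '' || $signatureHex === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $rawBody, $secret);
    return hash_equals($expected, strtolower(trim($signatureHex)));
}

/** Hosted checkout return: query parameters never change payment status. */
function handle_checkout_return(array $query, array $orders): string
{
    $id = (string) ($query['order_id'] ?? '');
    // Any status value in the query is ignored; report the stored state only.
    return $orders[$id] ?? 'unknown';
}

/** Webhook: verify first, parse second, update the order last. */
function handle_webhook(string $rawBody, string $signatureHex, string $secret, array &$orders): int
{
    if (!verify_webhook_signature($rawBody, $signatureHex, $secret)) {
        return 401; // unsigned or wrongly signed: the body is never parsed
    }
    $event = json_decode($rawBody, true);
    if (!is_array($event) || !isset($event['order_id'], $event['status'])) {
        return 400;
    }
    $id = (string) $event['order_id'];
    if (!array_key_exists($id, $orders)) {
        return 404;
    }
    if ($event['status'] === 'paid') {
        $orders[$id] = 'paid';
    }
    return 200;
}

// Constructed sample data; a real secret would come from the processor settings.
$secret = 'constructed-test-secret';
$orders = ['1001' => 'open'];
$body   = '{"order_id":"1001","status":"paid"}';

var_dump(handle_checkout_return(['order_id' => '1001', 'status' => 'paid'], $orders));
var_dump(handle_webhook($body, 'deadbeef', $secret, $orders));
var_dump(handle_webhook($body, hash_hmac('sha256', $body, $secret), $secret, $orders));
var_dump($orders['1001']);
```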