devicenull
Veteran Member
Join Date: Mar 2004
Location: CT
Old 10-12-2011 , 19:15   Re: [CS:S] Cash2Admin v.2.0 - Rentabilise ton serveur [LOCAL VERSION]
#9

I can't, in good conscience, recommend anyone run this software on their webserver.

There are a few reasons why:

1) It appears to be vulnerable to various forms of XSS attacks, and doesn't actually follow decent PHP standards. It relies on register_globals to be turned on, which exposes it to a bunch of interesting issues.
2) It relies on the team-skyzen.fr website to be up at all times. There's an update check that explicitly uses a 0 timeout, so if that website is ever down, this will stop working.
3) Related to that, a number of assets are used from the team-skyzen.fr website (such as stylesheets). Best case, the website is down and these aren't displayed. Worst case, team-skyzen.fr is hacked and someone uses the CSS to redirect all the payments to their own account.
4) Related to that (again), this plugin seems to send the email and IP of anyone who uses it back to the team-skyzen.fr website (install.php line 1417).
5) "No, we encrypt your FTP informations in md5 + sha1, that makes them indecipherable." This sentence is meaningless. MD5 and SHA1 are both one-way hashes. This means that if you use them on the FTP password, you can never get the original password back. This would mean that were they actually hashed (they aren't!) with one or both of these functions, the script would be unable to log into FTP. The only use of md5 in the entire plugin is hashing the value from uniqid.
6) There's a smxx file in the archive, but I'm not seeing any source for it. It's entirely possible this is the same plugin that is attached to the initial post, but I'm unsure.

So, given that this is a site that needs to be secure (or people's payment information is going to be stolen), I really can't recommend anyone use this unless it gets some major work.
__________________
Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/
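As an added illustration of point 2 above (a remote update check that must not take the site down with it), here is example PHP that is not code from the Cash2Admin plugin or from team-skyzen.fr: a version check with bounded connect and total timeouts that fails open when the update host is unreachable, and treats the response as untrusted input. The URL, the `{"version": "x.y"}` JSON layout and the function name are assumptions for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from Cash2Admin or team-skyzen.fr.
// UPDATE_URL is a placeholder and the JSON shape {"version": "x.y"} is assumed.
const UPDATE_URL    = 'https://updates.example.invalid/cash2admin/version.json';
const LOCAL_VERSION = '2.0';

/**
 * Returns one of:
 *   ['status' => 'update_available', 'latest' => '2.1']
 *   ['status' => 'up_to_date']
 *   ['status' => 'unknown', 'reason' => '...']   // never throws, never blocks the page
 */
function checkForUpdate(string $url, string $localVersion, int $connectTimeout = 2, int $totalTimeout = 5): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => $connectTimeout, // give up quickly if the host is down
        CURLOPT_TIMEOUT        => $totalTimeout,   // hard cap on the whole request; 0 would mean "wait forever"
        CURLOPT_FOLLOWLOCATION => false,           // a redirect must not send the check elsewhere
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_MAXFILESIZE    => 4096,            // a version file is tiny; refuse anything bigger
    ]);
    $body = curl_exec($ch);
    $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err  = curl_error($ch);
    curl_close($ch);

    if ($body === false || $code !== 200) {
        return ['status' => 'unknown', 'reason' => $err !== '' ? $err : "HTTP $code"];
    }

    $data   = json_decode((string) $body, true);
    $latest = is_array($data) ? ($data['version'] ?? null) : null;
    // The remote response is untrusted input: accept only a plain dotted version string.
    if (!is_string($latest) || !preg_match('/^\d+(\.\d+){0,3}$/', $latest)) {
        return ['status' => 'unknown', 'reason' => 'malformed version response'];
    }

    return version_compare($latest, $localVersion, '>')
        ? ['status' => 'update_available', 'latest' => $latest]
        : ['status' => 'up_to_date'];
}

// The admin page renders regardless of the result; a failed check only hides the banner.
$update = checkForUpdate(UPDATE_URL, LOCAL_VERSION);
if ($update['status'] === 'update_available') {
    echo 'Update available: ' . htmlspecialchars($update['latest'], ENT_QUOTES, 'UTF-8') . "\n";
} elseif ($update['status'] === 'unknown') {
    error_log('Update check skipped: ' . $update['reason']);
}
```

The design choice is that an unreachable or misbehaving update host degrades to "no banner" rather than a hung or broken page, and the version string is validated and HTML-escaped before it is shown, so the update host cannot inject markup into the admin page even if it were compromised.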