Yep, could well be the issue. Can be used to load a backdoor from a HTTP request. Is the code obfuscated? If not, check it carefully.
correct me if im wrong but your string pattern seems to only be searching for numbers?
Its common to hide the numbers with encoding so your search script could not find everything
Never enable loadstring unless you intentionally know what you’re doing and you have safeguards in place.
Please do not buy scripts from developers who encrypt their work or use third party requires (requiring by ID). You need to know what you pay for and how it works.
Good developers will give you the source code with no encryptions/obfuscations for the reason above and will make sure you know how to use it (answer your questions, etc). If the developer is “well known” with good commissions they would be as transparent as possible.
If you want to check for backdoors I’m going to do a shameless plug and send my plugin here : BeeScan | 1.0.0 | Studio Script Scanner for Backdoor Detection. I recommend you install it and run it, then paste the output log here. It performs a script keyword search similar to what @12345koip provides but with a couple more layers of checking