Smart Related Products – AI-Inspired Recommendations for WooCommerce Security & Risk Analysis

The "ai-related-products" plugin v2.0.8 exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and a high percentage of properly escaped outputs, several concerning factors warrant attention. The absence of nonce checks and capability checks on its entry points, particularly its single shortcode, is a significant weakness. This means that any authenticated user could potentially trigger the functionality associated with this shortcode without proper authorization checks, opening the door for various attacks if the shortcode's output or functionality is not strictly controlled.

The vulnerability history reveals a pattern of past security issues, specifically cross-site scripting (XSS) vulnerabilities. The presence of a currently unpatched medium-severity vulnerability from late 2025 is a critical concern. This indicates that the plugin's developers may not be consistently addressing security flaws promptly, or that users are not updating to patched versions. While the static analysis didn't reveal new critical taint flows or dangerous functions in this version, the historical pattern coupled with the lack of authorization checks on the shortcode suggests a potential for future vulnerabilities, especially if the shortcode handles user-supplied data.

In conclusion, the plugin has strengths in its database query handling and output sanitization. However, the lack of robust authorization checks on its entry points and the unpatched historical vulnerability significantly detract from its overall security. Users should exercise caution and prioritize updating to a version that addresses the known CVE. The development team should implement nonce and capability checks for all entry points and ensure timely patching of all security vulnerabilities.