Free Shipping Bar: Amount Left for Free Shipping for WooCommerce Security & Risk Analysis

The plugin "amount-left-free-shipping-woocommerce" v2.5.3 exhibits a mixed security posture. While the static analysis reveals no immediately exploitable dangerous functions, SQL injection vulnerabilities, or external HTTP requests, several areas raise concerns. A significant portion of output is not properly escaped (46%), which could lead to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not adequately sanitized before being displayed. Furthermore, the absence of nonce checks and capability checks for the identified entry points (shortcodes) is a notable weakness, potentially allowing for unauthorized actions or information disclosure if these shortcodes are susceptible to manipulation.

The vulnerability history, with two medium-severity CVEs related to Cross-Site Scripting, reinforces the concern about output escaping. Although these vulnerabilities are listed as patched, the pattern suggests a recurring issue with handling user input securely. The last vulnerability occurring in late 2025 implies the data might be forward-looking or represent a hypothetical scenario, but it still points to past exploitable weaknesses. The zero unpatched CVEs is positive, but the historical context warrants caution.

In conclusion, the plugin has strengths in its use of prepared statements for SQL and the absence of critical taint flows. However, the insufficient output escaping and lack of security checks on its shortcode entry points represent significant potential risks. The historical XSS vulnerabilities underscore the need for rigorous code review and testing, especially concerning how user-generated content is handled.