Envíos Coordinadora Woocommerce (Oficial) – WordPress plugin Security & Risk Analysis

The plugin 'coordinadora' v1.1.32 presents a mixed security posture. On the positive side, the static analysis reveals a commendably small attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events exposed. Furthermore, the code signals show no dangerous functions, all SQL queries utilize prepared statements, and file operations are absent. The low number of external HTTP requests and a single capability check suggest a relatively contained plugin. However, a significant concern is the presence of one unpatched medium severity CVE related to Exposure of Sensitive Information to an Unauthorized Actor. This historical vulnerability, even if in the past, indicates a potential weakness that has not yet been addressed and could be exploited if similar issues re-emerge or if the existing vulnerability is still exploitable.

The lack of taint analysis results is neutral, as it could mean no significant flows were found or that the analysis was not comprehensive. The 80% proper output escaping is good but leaves room for improvement. The absence of nonce checks is a potential vulnerability if any of the (currently 0) entry points were to become exposed in future versions or if the count is inaccurate. Despite the small attack surface and good coding practices in SQL and file operations, the single unpatched CVE is a critical flag. The plugin's strengths lie in its contained attack surface and robust internal data handling, but the historical and unaddressed vulnerability overshadows these positives, warranting caution.