Cost of Goods Manager for WooCommerce Security & Risk Analysis

The "cost-of-goods-manager-for-woocommerce" v1.0.9 plugin exhibits a concerning security posture primarily due to a lack of authentication on its sole AJAX handler. This significant oversight exposes a direct entry point for potential attacks, as any unauthenticated user could theoretically trigger this functionality. While the static analysis did not reveal any dangerous functions, external requests, or file operations, the absence of proper authorization for the AJAX endpoint is a critical flaw that greatly increases the attack surface. Furthermore, all SQL queries are executed without prepared statements, indicating a high risk of SQL injection vulnerabilities. The low percentage of properly escaped output further exacerbates the risk of cross-site scripting (XSS) attacks. The plugin's vulnerability history is clean, with no recorded CVEs. This might suggest a low profile or recent development, but it does not negate the immediate and evident risks identified in the static analysis. In conclusion, while the plugin has a clean history and avoids some common pitfalls like bundled libraries or dangerous functions, the unprotected AJAX handler and widespread lack of SQL prepared statements and output escaping present serious security weaknesses that require urgent attention.