Do Deliver Orders Security & Risk Analysis

The "do-deliver-orders" plugin version 1.9 exhibits a generally good security posture with several positive indicators. The absence of known CVEs and no recorded vulnerabilities in its history suggest a well-maintained and secure codebase. The static analysis reveals a strong adherence to secure coding practices, with 100% of SQL queries using prepared statements and a high percentage (94%) of output properly escaped. Furthermore, the plugin doesn't bundle any external libraries, mitigating risks associated with outdated dependencies. The taint analysis also shows no critical or high severity unsanitized flows, which is a significant strength.

However, there are notable areas of concern, primarily stemming from the attack surface. The plugin exposes 22 AJAX handlers, with a significant two of them lacking any authentication checks. This represents a potential entry point for attackers to trigger unintended actions within the plugin without proper authorization. While the overall code quality is high, these unprotected AJAX endpoints introduce a tangible risk that needs immediate attention. The absence of capability checks is also a weakness, meaning even if AJAX handlers were authenticated, they might not be properly authorized for specific user roles.

In conclusion, "do-deliver-orders" v1.9 is a plugin with many security strengths, particularly in its handling of database interactions and output. The lack of historical vulnerabilities is a strong positive. Nevertheless, the two unprotected AJAX handlers are a critical flaw that overshadows these positives and significantly elevates the risk profile. Addressing these unprotected entry points should be the highest priority to improve the plugin's overall security.