Connect WooCommerce to ActiveCampaign by EqualServing Security & Risk Analysis

The "es-woocommerce-activecampaign" plugin v2.1.11 presents a mixed security picture. On the positive side, there are no reported CVEs, no dangerous functions, and all SQL queries utilize prepared statements, indicating good practices in these areas. The lack of recorded vulnerabilities and common vulnerability types suggests a potentially stable codebase. However, the static analysis reveals significant concerns regarding output escaping, with only 17% of outputs being properly escaped. This leaves the plugin susceptible to Cross-Site Scripting (XSS) attacks, as unescaped user-controlled data could be rendered directly in the browser. Furthermore, the absence of nonce checks and capability checks for any potential entry points, combined with a lack of taint analysis results, raises questions about the thoroughness of the security review. While the attack surface appears minimal and unprotected entry points are reported as zero, the insufficient output escaping is a critical weakness that needs immediate attention.