Estonian Shipping Methods for WooCommerce Security & Risk Analysis

The "estonian-shipping-methods-for-woocommerce" plugin, in version 1.7.2, exhibits a mixed security posture. On the positive side, the static analysis reveals no detected attack surface in terms of AJAX handlers, REST API routes, shortcodes, or cron events that lack authentication or permission checks. Furthermore, the code does not utilize dangerous functions, performs file operations, or generate SQL queries without prepared statements, indicating good development practices in these areas. The high percentage of properly escaped output is also a positive sign.

However, significant concerns arise from the vulnerability history and specific code signals. The existence of one unpatched medium severity CVE of type "Exposure of Sensitive Information to an Unauthorized Actor," with the last vulnerability reported in the future (2025-09-22), is a critical red flag. While the static analysis shows no critical or high taint flows and a limited number of flows overall, the presence of an external HTTP request without further context or sanitization checks could be a potential vector if it interacts with the unpatched vulnerability. The absence of nonce checks and capability checks across the board is a notable weakness, even with the current zero attack surface, as it offers no fallback security if new entry points were introduced or if the current analysis missed something.

In conclusion, while the plugin demonstrates sound practices in avoiding common code vulnerabilities like raw SQL and dangerous functions, the unpatched CVE presents a substantial immediate risk. The lack of comprehensive authorization checks (nonces and capabilities) further compounds this risk by leaving potential gaps for exploitation. This plugin should be treated with caution, and the unpatched vulnerability must be addressed urgently.