Free Woocommerce Product Table View – Woo Table Pro Security & Risk Analysis

The free-product-table-for-woocommerce plugin exhibits a concerning security posture primarily due to a large number of unprotected AJAX handlers. While the static analysis shows no dangerous functions or SQL injection vulnerabilities (all queries use prepared statements), the lack of authorization checks on 8 out of 9 entry points creates a significant attack surface. This means any authenticated user, regardless of their role, could potentially trigger these AJAX actions, leading to unintended consequences or information disclosure.

The code signals also reveal a worrying trend in output escaping, with only 27% of outputs being properly escaped. This suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities, where attackers could inject malicious scripts into the site via user-controlled input processed by the plugin. The absence of nonce checks on AJAX handlers further exacerbates this risk by making Cross-Site Request Forgery (CSRF) attacks more feasible.

The vulnerability history of 2 unpatched medium severity CVEs, both identified as missing authorization, reinforces the critical need for robust access control. The plugin's pattern of known authorization issues indicates a recurring oversight in securing its functionalities. While the absence of critical or high severity vulnerabilities in the history and the proper use of prepared statements for SQL are positive, the combination of unprotected entry points, poor output escaping, and a history of authorization flaws presents a significant risk.