Goal Tracker – Custom Event Tracking for GA4 Security & Risk Analysis

The 'goal-tracker-ga' plugin version 1.1.6 exhibits a mixed security posture. On the positive side, it demonstrates good practices by avoiding dangerous functions, performing all SQL queries using prepared statements, and having no recorded vulnerability history, which suggests a generally well-maintained codebase. However, a significant concern arises from the static analysis, which reveals one unprotected AJAX handler. This represents a direct entry point into the plugin's functionality that is not protected by authentication or capability checks, potentially allowing unauthenticated users to trigger sensitive actions.

While the taint analysis shows no critical or high-severity flows, the lack of nonce checks on the identified AJAX handler is a critical omission. This, combined with the single unprotected entry point, creates a notable risk of Cross-Site Request Forgery (CSRF) attacks or other unauthorized actions if this AJAX endpoint performs any state-changing operations. The absence of known CVEs is a positive indicator, but it does not negate the risks presented by the uncovered attack vector in the current version. The overall security is therefore weakened by this single, albeit potentially significant, oversight.