Invelity GLS ParcelShop Security & Risk Analysis

The invelity-gls-parcelshop plugin exhibits several significant security concerns, primarily stemming from its unprotected entry points and lack of robust security checks. The presence of three AJAX handlers without any authentication or capability checks creates a substantial attack surface that could be exploited by unauthenticated users. This is further exacerbated by the use of the `unserialize` function, a known vector for object injection vulnerabilities, especially when the input source is not strictly controlled. While the plugin has no recorded vulnerability history, this should not be interpreted as a guarantee of current security, as the code itself presents inherent risks.

The static analysis reveals a low percentage of properly escaped output and a notable absence of nonce checks on AJAX requests, both of which increase the likelihood of cross-site scripting (XSS) vulnerabilities. The moderate use of prepared statements for SQL queries is a positive sign, but the remaining raw SQL queries could still pose a risk if they are susceptible to SQL injection. The taint analysis did not reveal any critical or high-severity unsanitized paths, which is a small positive, but the overall lack of security hardening in the entry points is a major weakness.