Live Shopping & Shoppable Videos For WooCommerce Security & Risk Analysis

The "live-shopping-video-streams" v2.2.0 plugin exhibits significant security concerns despite some positive indicators. The static analysis reveals a concerningly small attack surface, but critically, one of the entry points, a REST API route, lacks proper permission callbacks. Furthermore, the presence of the `exec` function, a dangerous function, is a red flag, indicating potential for arbitrary code execution if exploited through an insecure input. The taint analysis shows one flow with an unsanitized path, which could lead to unintended behavior or vulnerabilities. While the plugin demonstrates good practice with 100% of its SQL queries using prepared statements, this is overshadowed by the lack of proper authorization checks and the dangerous function. The vulnerability history, with two medium severity CVEs, both currently unpatched and including common types like Missing Authorization, strongly suggests a recurring pattern of insecure development practices. The most recent vulnerability being "unpatched" as of December 31, 2025, is also a serious indicator of ongoing neglect.

In conclusion, while the plugin utilizes prepared statements for SQL, its security posture is poor due to a lack of authorization checks on its REST API, the use of a dangerous function (`exec`), and a history of unpatched vulnerabilities. The unsanitized path in taint analysis further compounds these risks. This plugin should be considered high-risk and requires immediate attention to address the identified vulnerabilities and implement robust security checks.