Metorik – Reports & Email Automation for WooCommerce Security & Risk Analysis

The metorik-helper plugin version 2.0.10 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices with a high percentage of SQL queries using prepared statements and properly escaped output. The absence of dangerous functions and taint flows with critical or high severity suggests a generally well-coded backend. However, significant concerns arise from the attack surface analysis. The plugin exposes one REST API route without any permission callbacks, creating a direct and unprotected entry point for potential attackers. This lack of authorization on a REST API endpoint is a critical weakness that could allow unauthorized actions or data exposure.

The vulnerability history reveals one known medium-severity CVE, which was last patched on 2024-07-10. While currently unpatched CVEs are zero, the presence of a past CSRF vulnerability indicates a recurring area of concern for this plugin. Coupled with the unprotected REST API endpoint, this suggests a need for increased vigilance regarding input validation and access control. In conclusion, while the plugin has strengths in secure coding practices like prepared statements and output escaping, the unprotected REST API route presents a significant and immediate security risk that overshadows these positives. The past vulnerability history, though resolved, warrants attention to ensure similar issues do not re-emerge.