Ni Purchase Order(PO) For WooCommerce Security & Risk Analysis

The "ni-purchase-orderpo-for-woocommerce" plugin version 1.2.3 exhibits several security concerns that warrant attention. While the plugin does utilize prepared statements for a majority of its SQL queries and has a history of only low-severity vulnerabilities, the static analysis reveals significant weaknesses. The presence of an unprotected AJAX handler represents a critical entry point that could be exploited by unauthenticated users, leading to potential unauthorized actions or data manipulation.

Furthermore, the low percentage of properly escaped output (43%) suggests a risk of Cross-Site Scripting (XSS) vulnerabilities, as user-supplied data might be rendered directly in the browser without proper sanitization. The lack of nonce and capability checks on its single entry point is a major concern, directly contributing to the unprotected attack surface. While no critical or high-severity taint flows were detected, the combination of unprotected entry points and insufficient output escaping presents a notable security risk.

The plugin's vulnerability history shows a single low-severity "Unrestricted Upload of File with Dangerous Type" vulnerability in late 2023, which is now patched. This indicates that while the developers have addressed past issues, the current version still carries inherent risks due to its static analysis findings. The overall security posture is mixed, with some good practices in SQL handling but significant gaps in input validation and authorization for its AJAX endpoint.