Premmerce Wholesale Pricing for WooCommerce Security & Risk Analysis

The static analysis of Premmerce WooCommerce Wholesale Pricing v1.1.12 reveals a mixed security posture. While the plugin demonstrates good practices in key areas such as SQL query preparation (100% using prepared statements) and a low number of entry points with no apparent unprotected ones, there are significant concerns. The taint analysis shows 3 flows with unsanitized paths, indicating potential vulnerabilities that could be exploited if they interact with sensitive operations, even though no critical or high severity issues were flagged in this specific analysis. The plugin's vulnerability history is a major red flag, with a significant number of past high and medium severity vulnerabilities, including SQL injection, PHP remote file inclusion, and missing authorization. The fact that the last vulnerability was in 2025-11-17, and is described as 'unpatched' if that date were in the past, strongly suggests a pattern of introducing security flaws that require patching.

Despite the current static analysis not flagging critical or high severity taint flows, the historical pattern of high-severity vulnerabilities and the presence of unsanitized paths in the taint analysis warrant caution. The plugin has a history of critical types of vulnerabilities that have been addressed in the past. The current static analysis shows 70% proper output escaping, meaning 30% of outputs are potentially unescaped, which can lead to XSS vulnerabilities. The presence of nonce checks and capability checks is positive, but the overall history suggests a need for rigorous and ongoing security testing. A balanced conclusion is that while some secure coding practices are employed, the historical vulnerability landscape and current taint analysis results indicate potential for exploitable weaknesses.