Recently Viewed Product for WooCommerce Security & Risk Analysis

The plugin "recently-viewed-products-for-woocommerce" version 2.0.0 exhibits a generally strong security posture based on the provided static analysis. The plugin demonstrates good practices by utilizing prepared statements for all SQL queries and properly escaping a very high percentage (97%) of its outputs. Importantly, the static analysis found no dangerous functions, file operations, external HTTP requests, or any taint flows, which significantly reduces the risk of common web vulnerabilities like SQL injection, file inclusion, or remote code execution. The lack of any recorded CVEs further reinforces this positive assessment, indicating a history of secure development.

However, there are some areas that warrant attention. The plugin has zero nonce checks and zero capability checks across its entry points. While the current analysis shows no unprotected entry points (AJAX handlers, REST API routes), the absence of these fundamental security controls means that if any new entry points are introduced or if existing ones are modified without proper authorization checks, the plugin could become vulnerable to CSRF or privilege escalation attacks. The presence of a shortcode, while having no inherent vulnerability, represents a potential avenue for user input that, without proper validation and sanitization within its handler, could lead to issues, especially given the lack of output escaping on some of its outputs and the absence of capability checks.