Review Stars Count For WooCommerce Security & Risk Analysis

The "review-stars-count-for-woocommerce" v2.0 plugin presents a concerning security posture, primarily due to a lack of proper authentication and validation checks on its entry points. All three identified AJAX handlers are unprotected, creating a significant attack surface that could be exploited by unauthenticated users. The plugin also demonstrates poor coding practices with 100% of its SQL queries not using prepared statements, and a very low percentage of output being properly escaped. Furthermore, taint analysis indicates flows with unsanitized paths, though no critical or high severity issues were reported in this specific analysis.

The plugin's vulnerability history is also a major red flag. It has one known medium-severity CVE, which is currently unpatched. The common vulnerability type being SQL Injection, coupled with the static analysis revealing raw SQL queries, strongly suggests a recurring pattern of insecure database interaction. This unpatched vulnerability and the overall lack of security best practices in the code point to a significant risk of compromise, potentially leading to data breaches or unauthorized modifications.

While the plugin has no identified dangerous functions, file operations, or external HTTP requests, and no bundled libraries that might be outdated, these strengths are heavily overshadowed by the critical deficiencies in authentication, data sanitization, and the presence of an unpatched vulnerability. The overall recommendation is to exercise extreme caution when using this plugin and to prioritize updating or replacing it.