Shipway Experience – Tracking & Notification Security & Risk Analysis

The shipway-shipment-tracking-and-notify v3.0 plugin exhibits a generally positive security posture based on the static analysis. The absence of any identified vulnerabilities in its history, combined with zero critical or high severity taint flows, suggests a well-maintained codebase. Furthermore, the plugin has a minimal attack surface with only one shortcode and no AJAX handlers or REST API routes requiring authentication, which is a good practice for reducing exposure. However, there are significant areas of concern regarding data handling and authorization. The fact that 100% of SQL queries are not using prepared statements is a critical risk, potentially leading to SQL injection vulnerabilities. Coupled with a very low percentage of properly escaped output (18%), this indicates a high likelihood of cross-site scripting (XSS) vulnerabilities. The complete absence of nonce and capability checks is alarming, meaning that any authenticated user, regardless of their role, could potentially trigger sensitive actions or view restricted data through the shortcode or other unmonitored entry points.