Storelly ERP – B2B Inventory & Multi-Location POS for WooCommerce Security & Risk Analysis

This plugin exhibits a concerning security posture due to a significant number of unprotected AJAX handlers, which represent a substantial attack surface. While the static analysis indicates good practices in other areas, such as the absence of dangerous functions, the prevalent use of prepared statements for SQL queries, and high output escaping, the unprotected AJAX endpoints overshadow these strengths. The lack of nonce checks and capability checks on a majority of its entry points means that any authenticated user could potentially trigger these AJAX actions, leading to unintended consequences or exploitation if vulnerabilities exist within the handler logic. The absence of known CVEs and a clean vulnerability history is positive, suggesting a generally secure development approach for past issues. However, the identified attack surface without proper authentication is a critical oversight that requires immediate attention. Overall, while the plugin demonstrates good coding practices in many aspects, the unprotected AJAX handlers introduce a significant and unmitigated risk.