TrackingMore Order Tracking for WooCommerce (Free plan available) Security & Risk Analysis

The "trackingmore-woocommerce-tracking" plugin v1.1.6 exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and performing a reasonable number of capability checks and nonce checks. There are no recorded vulnerabilities (CVEs) in its history, which suggests a generally secure development history or lack of public discovery. However, a significant concern arises from the presence of four AJAX handlers that lack authentication checks. This creates a substantial attack surface, as any unauthenticated user could potentially interact with these endpoints, leading to unintended actions or information disclosure if not carefully handled internally.

The static analysis reveals no critical or high-severity taint flows, indicating that sensitive data is likely handled appropriately within the codebase. However, the output escaping is only properly implemented for 47% of the outputs, which is a notable weakness. While not a direct vulnerability in itself without a specific exploit path, it increases the risk of cross-site scripting (XSS) vulnerabilities if user-supplied data is reflected in the output without proper sanitization.

In conclusion, while the plugin has strengths in its SQL handling and a clean vulnerability history, the unprotected AJAX endpoints and insufficient output escaping present clear security risks. The lack of authentication on these entry points is the most immediate and impactful concern, requiring immediate attention to secure these handlers.