TyresAddict – Tyre Custom Metadata for WooCommerce Security & Risk Analysis

The plugin "tyresaddict-woo-tyre-custom-metadata" v2.3.1 presents a mixed security profile. On the positive side, the static analysis reveals a remarkably small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events. Furthermore, all detected SQL queries utilize prepared statements, and there are no indications of file operations or external HTTP requests, which are common vectors for exploits. The absence of known vulnerabilities in its history is also a strong positive indicator.

However, a significant concern arises from the output escaping. The analysis shows that 100% of the 29 identified outputs are not properly escaped. This means that any data displayed by the plugin, if it originates from user input or an untrusted source, could potentially be vulnerable to Cross-Site Scripting (XSS) attacks. Additionally, the plugin lacks nonce checks, which are crucial for preventing Cross-Site Request Forgery (CSRF) attacks, especially if any user interaction is processed. The single capability check is a positive sign but doesn't mitigate the lack of nonce checks.

In conclusion, while the plugin demonstrates good practices in minimizing its attack surface and handling database interactions securely, the complete lack of output escaping represents a critical weakness. The absence of nonce checks also contributes to potential security risks. The vulnerability history is currently clean, but the identified code-level issues could lead to vulnerabilities if not addressed. Users should be cautious due to the unescaped output.