WC Correios Easy Tracking Code Security & Risk Analysis

The "wc-correios-easy-tracking-code" plugin v1.3.0 exhibits a mixed security posture. On the positive side, the code demonstrates good practices regarding SQL queries, exclusively using prepared statements, and there are no identified dangerous functions, file operations, or external HTTP requests. The absence of any recorded vulnerability history (CVEs) is also a strong indicator of a relatively secure codebase historically.

However, significant concerns arise from the static analysis. The plugin exposes two AJAX entry points, and alarmingly, both lack any form of authentication or capability checks. This creates a substantial attack surface for unauthorized actions. Furthermore, while only three output operations were analyzed, one-third of them were not properly escaped, indicating a potential for cross-site scripting (XSS) vulnerabilities if user-supplied data is involved in these outputs. The complete lack of nonce checks on AJAX handlers is a critical omission that exacerbates the risk posed by the unprotected entry points.

In conclusion, despite a clean vulnerability history and good SQL practices, the plugin's security is severely undermined by unprotected AJAX handlers and a notable lack of input sanitization and output escaping in certain areas. The potential for exploiting these unprotected entry points, especially combined with potential XSS vulnerabilities, presents a moderate to high risk for WordPress sites using this plugin.