Pickupp Delivery for eCommerce Shops using WooCommerce Security & Risk Analysis

The "wc-pickupp" v2.4.3 plugin exhibits a mixed security posture. While it demonstrates good practices by utilizing prepared statements for all SQL queries and generally good output escaping, significant concerns arise from its attack surface and vulnerability history. The presence of unprotected REST API routes represents a clear entry point for potential attacks that are not properly authenticated or authorized. Furthermore, the plugin has a history of critical vulnerabilities, specifically improper control of filename for include/require statements, indicating a recurring weakness that could be exploited for remote code execution. The fact that a critical vulnerability from 2025 remains unpatched is a major red flag and suggests a lack of proactive security maintenance.

While the static analysis doesn't reveal any dangerous functions or critical taint flows in this specific version, the historical data and the exposed REST API routes are substantial risks. The absence of nonce and capability checks on entry points, combined with the historical pattern of file inclusion vulnerabilities, paints a picture of a plugin that, despite some good coding practices, is susceptible to serious exploitation. The unpatched critical vulnerability from the past, coupled with unprotected REST API endpoints, warrants immediate attention and remediation. Users should be highly cautious, and the plugin developers must address the unpatched vulnerability and secure all entry points.