Parcel Pro Security & Risk Analysis

The static analysis of woo-parcel-pro v1.9.0 reveals a seemingly low attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events without proper authentication or permission checks. The absence of dangerous functions and the use of prepared statements for all SQL queries are positive indicators of secure coding practices. However, a significant concern arises from the low percentage of properly escaped output (15%), suggesting a high risk of Cross-Site Scripting (XSS) vulnerabilities, especially given the plugin's vulnerability history.

The plugin's vulnerability history is alarming, with three known medium-severity CVEs, including XSS, CSRF, and Open Redirect. While none are currently unpatched, the consistent presence of these vulnerability types indicates recurring security weaknesses. The last vulnerability was discovered very recently, highlighting an ongoing need for vigilance and prompt patching. The presence of external HTTP requests without explicit mention of validation or sanitization also warrants attention, as these can be vectors for various attacks.

In conclusion, while the absence of direct entry points and secure SQL handling are strengths, the poor output escaping and historical vulnerability patterns present significant risks. The potential for XSS due to insufficient output sanitization, combined with past CSRF and Open Redirect issues, requires careful consideration. Users should remain cautious and ensure they are running the latest available version and are aware of any security advisories.