
Woo Purchased Products Security & Risk Analysis
wordpress.org/plugins/woo-purchased-products
The plugin to help a logged in user show list of products purchased by him in his account
Is Woo Purchased Products Safe to Use in 2026?
Generally Safe
Score 85/100
Woo Purchased Products has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "woo-purchased-products" plugin v1.1 presents a concerning security posture due to a significant lack of security controls. The absence of dangerous functions, file operations, and external HTTP requests, together with the use of prepared statements to guard against SQL injection, are positive signs, but the plugin suffers from critical omissions. The most glaring issue is a single AJAX handler that lacks any authentication or capability checks, creating a direct entry point for attackers. Furthermore, the extremely low percentage of properly escaped output (17%) suggests a high likelihood of Cross-Site Scripting (XSS) vulnerabilities, which would allow attackers to inject malicious scripts into the site.
The plugin's vulnerability history is clean, which might suggest a generally stable codebase. However, this is overshadowed by the fundamental security flaws identified in the static analysis. The lack of nonce checks on the AJAX handler is a significant oversight that makes it susceptible to Cross-Site Request Forgery (CSRF) attacks. In conclusion, while the plugin avoids some common pitfalls, the unprotected AJAX handler and widespread unescaped output create substantial risks that require immediate attention. The plugin's strengths in avoiding raw SQL and dangerous functions are completely undermined by its direct, unprotected entry points and potential for XSS.
Key Concerns
- AJAX handler without auth checks
- Low percentage of properly escaped output
- Missing nonce checks on AJAX
- Missing capability checks on AJAX
Woo Purchased Products Security Vulnerabilities
Woo Purchased Products Code Analysis
Output Escaping
Woo Purchased Products Attack Surface
AJAX Handlers 1
WordPress Hooks 9
Woo Purchased Products Maintenance & Trust
Maintenance Signals
Community Trust
Woo Purchased Products Alternatives
No alternatives data available yet.
Woo Purchased Products Developer Profile
16 plugins · 500 total installs
How We Detect Woo Purchased Products
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/woo-purchased-products/assets/css/wrapper-bs.css
- /wp-content/plugins/woo-purchased-products/assets/css/vote.css
- /wp-content/plugins/woo-purchased-products/assets/js/vote.js
- wp-content/plugins/woo-purchased-products/assets/js/vote.js
HTML / DOM Fingerprints
- bs-container
- container-fluid
- wcpp-vote-action
- wcpp-vote-button
- wcpp-cancel-button
- data-action