Frenet Shipping Gateway for WooCommerce – Correios, Etiquetas e Rastreio Security & Risk Analysis

The "woo-shipping-gateway" v2.1.22 plugin exhibits a mixed security posture. While it demonstrates good practices by using prepared statements for all SQL queries and avoiding dangerous functions, several significant concerns exist. The primary weakness lies in its attack surface, with 2 AJAX handlers identified, both of which lack authentication checks. This means any unauthenticated user could potentially trigger these handlers, leading to unintended actions or information disclosure. Furthermore, the absence of nonce checks on these AJAX endpoints exacerbates this risk, making them susceptible to Cross-Site Request Forgery (CSRF) attacks. The plugin also has a notable percentage of output that is not properly escaped, which could lead to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is involved in these outputs. The vulnerability history shows no recorded CVEs, which is a positive indicator of past security efforts, suggesting it hasn't been a frequent target for known vulnerabilities. However, the identified weaknesses in the current version, particularly the unprotected AJAX handlers and insufficient output escaping, present a clear and present danger that outweighs the lack of past vulnerabilities.