Checkout Field Manager (Checkout Manager) for WooCommerce Security & Risk Analysis

The WooCommerce Checkout Manager plugin v7.8.8 exhibits a mixed security posture. On the positive side, the static analysis reveals a zero-attack surface for AJAX handlers, REST API routes, shortcodes, and cron events, with no identified dangerous functions. The plugin also demonstrates good practices in output escaping, with 93% of outputs properly handled, and includes nonce and capability checks. However, the presence of two SQL queries that do not utilize prepared statements is a significant concern, potentially leading to SQL injection vulnerabilities. The plugin also makes one external HTTP request, which could be a vector for various attacks if not handled securely.

The plugin's vulnerability history is a major red flag. With a total of 5 known CVEs, including one high-severity vulnerability, and past occurrences of missing authorization and cross-site scripting, it indicates a pattern of past security weaknesses. The fact that there are currently no unpatched vulnerabilities is a positive sign, but the history suggests a need for continued vigilance and thorough auditing. The last recorded vulnerability in 2026 suggests the data might be future-looking or include placeholders, but the historical trends remain a valid concern.

In conclusion, while the current version shows some improvements in its attack surface and output escaping, the reliance on raw SQL queries and the concerning history of multiple vulnerabilities, particularly those related to authorization and XSS, necessitate caution. Developers should prioritize addressing the unparameterized SQL queries and remain aware of the plugin's past security issues when considering its use.