Shipping Gateway Per Product for WooCommerce Security & Risk Analysis

The plugin exhibits a concerning security posture due to its unprotected AJAX endpoints, which represent its entire attack surface. While the plugin does not appear to have a history of known vulnerabilities, this is overshadowed by the immediate risks identified in the static analysis. The presence of two AJAX handlers without any authentication checks is a significant oversight, potentially allowing unauthenticated users to trigger plugin functionality. Furthermore, the extremely low percentage of properly escaped output (3%) indicates a high likelihood of Cross-Site Scripting (XSS) vulnerabilities, as user-supplied data might be directly rendered without adequate sanitization. Although there are no raw SQL queries and taint analysis shows no critical or high severity flows, the lack of output escaping and unprotected AJAX handlers are critical weaknesses. The bundled Freemius library, while common, should also be monitored for potential vulnerabilities. Overall, while the absence of known historical vulnerabilities is positive, the current code analysis reveals significant and immediate security risks that require urgent attention.