Яндекс Доставка Security & Risk Analysis

The plugin 'yandex-go-delivery' v1.13 exhibits a generally positive security posture based on the provided static analysis. A notable strength is the complete absence of identified CVEs, indicating a history of stable and likely well-maintained code. The static analysis reveals no dangerous functions, critical or high severity taint flows, or SQL queries that are not prepared, all of which are excellent indicators of secure coding practices.

However, there are significant areas for concern. The most glaring issue is the complete lack of any nonce checks or capability checks. This means that any functionality exposed by the plugin, even if it's not directly through AJAX or REST APIs, could potentially be triggered by any authenticated user, regardless of their role or intended permissions. The low percentage of properly escaped output is also a significant risk, as it leaves the plugin vulnerable to Cross-Site Scripting (XSS) attacks. Any data processed or displayed by the plugin that is not properly escaped could be manipulated by an attacker to inject malicious scripts.

In conclusion, while the plugin avoids common critical vulnerabilities like unpatched CVEs and insecure SQL queries, its failure to implement fundamental security checks like nonces and capability checks, coupled with a high rate of unescaped output, presents a substantial risk of Cross-Site Scripting and privilege escalation. The absence of any attack surface in the reported metrics is a positive sign, but it doesn't negate the inherent risks introduced by poor output sanitization and lack of authorization checks on its internal operations.