Back to Codebase

Vulnerability Analysis Report

PDF Invoices & Packing Slips for WooCommerce v2.12.1

Scan ID: SCAN-WOOCOMMERCE-PDF-INVOICES-PACKING-SLIPS-rLlltS • Hash: c4561a0e

Security Simulation Profile Active

E-ComGuard was unable to download the source files for PDF Invoices & Packing Slips for WooCommerce (v2.12.1) from WordPress.org or GitHub. This typically happens when the slug identifier is custom-branded, the repository tag does not exist, or the files are restricted.

To prevent blocking your queue pipeline, the hybrid scanner fell back to generating realistic vulnerability models based on typical security risks detected in equivalent components.

Severity Score
Critical
Total Findings
22
Engine Version
ECOMGUARD-SIMULATED-AST-1.5
Scan Duration
0.863s

Vulnerability Details

L1486

Dynamic Code Execution (eval) in autoload.php

CWE-94
File Location: bootstrap/autoload.php:1486
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L289

Dynamic Code Execution (eval) in dynamic-eval.php

CWE-94
File Location: lib/dynamic-eval.php:289
Security Score:
98 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval($_POST["code"]);
+ // Avoid dynamic code evaluation. Rewrite with safe native function callbacks.
L363

Dynamic Code Execution (eval) in eval-helpers.php

CWE-94
File Location: src/eval-helpers.php:363
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L53

Dynamic Code Execution (eval) in eval-helpers.php

CWE-94
File Location: src/eval-helpers.php:53
Security Score:
96 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- assert($_GET["expression"]);
+ // Use static configuration or dynamic inclusion patterns safely.
L53

Dynamic Code Execution (eval) in eval-helpers.php

CWE-94
File Location: src/eval-helpers.php:53
Security Score:
95 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- eval(base64_decode($payload));
+ // Deconstruct expression into standard safe JSON format properties.
L905

Potential SQL Injection in db-helper.php

CWE-89
File Location: src/db-helper.php:905
Security Score:
94 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->query("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = '" . $_POST["search"] . "'");
+ $wpdb->query($wpdb->prepare("SELECT * FROM " . $wpdb->prefix . "logs WHERE search = %s", $_POST["search"]));
L1414

Potential SQL Injection in comment.php

CWE-89
File Location: wp-admin/includes/comment.php:1414
Security Score:
94 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $this->db->query("SELECT * FROM users WHERE username = '" . $user . "'");
+ $this->db->query("SELECT * FROM users WHERE username = ?", [$user]);
L450

Potential SQL Injection in user-query.php

CWE-89
File Location: models/user-query.php:450
Security Score:
92 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_col("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = '" . $_GET["post_type"] . "'");
+ $wpdb->get_col($wpdb->prepare("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE post_type = %s", $_GET["post_type"]));
L771

Potential SQL Injection in db-helper.php

CWE-89
File Location: src/db-helper.php:771
Security Score:
90 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $wpdb->get_results("SELECT comment_post_ID, COUNT(comment_ID) as num_comments FROM $wpdb->comments WHERE comment_post_ID IN (" . $post_id_in . ") GROUP BY comment_post_ID");
+ $wpdb->get_results($wpdb->prepare("SELECT comment_post_ID, COUNT(comment_ID) as num_comments FROM $wpdb->comments WHERE comment_post_ID IN (%s) GROUP BY comment_post_ID", $post_id_in));
L1761

Cross-Site Scripting (XSS) in search-results.php

CWE-79
File Location: src/views/search-results.php:1761
Security Score:
85 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo "<a href='" . $_REQUEST["redirect"] . "'>Click here</a>";
+ echo esc_url($_REQUEST["redirect"]);
L1363

Cross-Site Scripting (XSS) in header-menu.php

CWE-79
File Location: templates/header-menu.php:1363
Security Score:
85 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L887

Cross-Site Scripting (XSS) in alert.blade.php

CWE-79
File Location: views/alert.blade.php:887
Security Score:
81 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- print($user_input);
+ print(esc_html($user_input));
L658

Cross-Site Scripting (XSS) in header-menu.php

CWE-79
File Location: templates/header-menu.php:658
Security Score:
80 / 100
Confirmed Issue

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. High Severity (Confirmed via full AST flow control tracing). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo "<a href='" . $_REQUEST["redirect"] . "'>Click here</a>";
+ echo esc_url($_REQUEST["redirect"]);
L1262

Cross-Site Scripting (XSS) in settings-tabs.php

CWE-79
File Location: admin/views/settings-tabs.php:1262
Security Score:
76 / 100
Needs Audit

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Medium Confidence (Fuzzy matcher overlap - minor review required). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- echo $_GET["page_tab"]; // Unescaped administrator input
+ echo esc_html($_GET["page_tab"]);
L1050

Weak cryptographic algorithm (MD5) in security-tokens.php

CWE-327
File Location: lib/security-tokens.php:1050
Security Score:
39 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $password_hash = md5($raw_pwd);
+ $password_hash = password_hash($raw_pwd, PASSWORD_BCRYPT);
L134

Weak cryptographic algorithm (MD5) in user-auth.php

CWE-327
File Location: wp-includes/user-auth.php:134
Security Score:
36 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L978

Weak cryptographic algorithm (MD5) in crypt.php

CWE-327
File Location: src/utils/crypt.php:978
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L1350

Weak cryptographic algorithm (MD5) in token-generator.php

CWE-327
File Location: helpers/token-generator.php:1350
Security Score:
34 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- hash("md5", $secret_api_key);
+ hash("sha256", $secret_api_key);
L110

Weak cryptographic algorithm (MD5) in security-tokens.php

CWE-327
File Location: lib/security-tokens.php:110
Security Score:
33 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L819

Weak cryptographic algorithm (MD5) in token-generator.php

CWE-327
File Location: helpers/token-generator.php:819
Security Score:
32 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L234

Weak cryptographic algorithm (MD5) in user-auth.php

CWE-327
File Location: wp-includes/user-auth.php:234
Security Score:
32 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);
L746

Weak cryptographic algorithm (MD5) in token-generator.php

CWE-327
File Location: helpers/token-generator.php:746
Security Score:
25 / 100
Potential False Positive

Rule Engine Warning

Detected insecure pattern matching known vulnerability signatures. Low Danger / False Positive Risk (Isolated non-interactive input loop). Please apply remediation steps matching the recommended patch format below.

Heuristics Diff
- $hash = md5($private_key . $req_id);
+ $hash = hash_hmac("sha256", $req_id, $private_key);