Among the issues identified are:
- No SQL escaping.
- No HTML escaping.
- Some additional SQL (again, unescaped) gets executed only when a certain global variable ($cart_log_id) is set, so may be more vulnerable when combined with certain themes or plugins.
Reason for the 'Use with caution' result
The plugin contains or is likely to contain a vulnerability which could be exploited by a privileged user to affect the site’s confidentiality, integrity or availability in a manner exceeding their privileges:
No SQL escaping, no HTML escaping.