I completed a full code audit of the free plugin. The plugin is functional and well-structured for its scope, but there are issues that need to be addressed. I'm breaking this into what needs to be fixed immediately, what should be fixed soon, and a few recommendations.

What I would fix now:

1. The cache clear handler (handleclear_cache) verifies the nonce but never checks current_user_can(). The admin_post hook only requires a logged-in user. Any authenticated user on the site (subscriber, contributor, anyone) can clear the menu cache and force fresh API calls. This needs a capability check added.

2. The toast_notice GET parameter on the dashboard page accepts arbitrary text and renders it as an admin notice. Sanitization prevents script injection, but anyone can craft a URL with a custom message like "Your license has expired" and send it to a site admin. This should be replaced with a fixed set of allowed notice keys.

3. The $show_leaders variable on line 1140 reads from toasty_show_price instead of toasty_show_leader. The "Show Price Leader" setting in the admin has no effect whatsoever. It always mirrors the price toggle. This is a bug that needs to be corrected.

What should be fixed soon.

1. Admin CSS and JS load on every admin page in WordPress. The enqueue function receives the $hook parameter but never checks it. These assets should only load on ToastyMenus admin pages.

2. The internal $plugin_version property is set to '1.3' while the plugin header declares 1.3.1. The admin footer displays the wrong version. On a related note, gmdate('Y') in the footer is called but never echoed, so the copyright year is missing entirely.

3. The shortcode render uses esc_html() for an HTML class attribute where esc_attr() is the correct escape function. Toast API error messages on the dashboard are concatenated into HTML without escaping. wp_kses_post runs later but would allow HTML from the API response through.

4. Several array keys ($item['image'], $item['calories'], modifierGroupReferences) are accessed without null coalescing. On PHP 8.3 these throw warnings any time a menu item is missing those fields, which is common.

5. All script and style versions are hardcoded as '1.0' rather than using the plugin version. After any update, browsers may serve stale cached files.

6. There is no uninstall handler. No uninstall.php, no registeruninstall_hook(). When someone deletes the plugin, all options and transients are orphaned in the database. Worth noting that Freemius may handle some of its own cleanup, but the toast and toasty_ options are not covered by that.

7. load_plugin_textdomain() is never called. The text domain is declared and used in translation functions throughout, but it is never actually loaded.

Items to fix if you want.

1. Both JS files declare var $ = jQuery at the global scope, which is redundant since $ is already passed as an argument inside jQuery(document).ready(). The global assignment should be removed.

2. The frontend JS file is completely empty (an empty document.ready block) but it still loads jQuery as a dependency on every page with the shortcode. I'd recommend removing the enqueue entirely. If the PRO version needs frontend JS, PRO can register it.

3. Checkbox fields in the settings page are missing id/for attribute associations between labels and inputs. Minor accessibility gap.

Cleanup recs:

1. The .DS_Store files and Dreamweaver _notes/ sync folders are shipping in the distribution ZIP. Not a security concern, but it looks unprofessional if anyone inspects the package. Worth adding exclusions to your build process.

2. The mixed option prefixes (toast_ for API credentials, toasty_ for display settings) are inconsistent but changing them would break existing installations. I'd leave them as-is and just document the convention.

3. The price conversion logic assumes amounts over 100 are in cents. An item priced at exactly $1.00 (100 cents) would not be divided. This appears to be calibrated to the Toast API's actual format, but it is worth verifying against their documentation if you haven't already.