3DPrint Lite Security & Risk Analysis

The 3dprint-lite v2.1.3.9 plugin exhibits a mixed security posture. While it demonstrates good practices in output escaping (95%) and nonce checks (29), and has no known unpatched CVEs, significant concerns exist regarding its attack surface and past vulnerability history. The presence of two unprotected AJAX handlers presents a direct entry point for unauthenticated attackers, which is a substantial risk given the total of three entry points. Furthermore, 2 out of 19 analyzed taint flows had unsanitized paths, although these were not classified as critical or high severity. This suggests a potential for vulnerabilities that might not be immediately obvious through static analysis alone.

The plugin's vulnerability history is particularly alarming, with a total of 7 known CVEs, including one previously critical vulnerability. The common types of vulnerabilities (SQL Injection, CSRF, Unrestricted Upload) indicate recurring weaknesses in how the plugin handles user input and performs sensitive operations. While the most recent vulnerability was in 2025, this past record suggests a pattern of security flaws that require diligent monitoring and prompt patching. The plugin does utilize prepared statements for a majority of its SQL queries (61%), which is a positive sign, but the remaining percentage, coupled with the history of SQL injection, warrants caution.

In conclusion, while the plugin has made strides in secure coding practices, the unprotected AJAX handlers and the historical prevalence of severe vulnerabilities are significant weaknesses. The potential for further issues, as hinted by the unsanitized taint flows, requires a high level of vigilance. It is recommended to prioritize patching any new vulnerabilities immediately and to thoroughly review and secure the unprotected AJAX endpoints.