Affiliate Power – Sales Tracking for Affiliate Marketers Security & Risk Analysis

The "affiliate-power" plugin v2.5.0 exhibits a mixed security posture. While it demonstrates some good practices such as a high percentage of SQL queries using prepared statements and a reasonable number of nonce and capability checks, significant concerns arise from its attack surface and output sanitization. The presence of an unprotected AJAX handler creates a direct entry point for potential attacks, especially when combined with other identified weaknesses.

The static analysis reveals a concerning lack of proper output escaping, with only 19% of outputs being correctly sanitized. This, coupled with a taint analysis indicating flows with unsanitized paths, suggests a susceptibility to Cross-Site Scripting (XSS) vulnerabilities. The use of the dangerous `unserialize` function, while not directly linked to a specific vulnerability in the provided data, is a known risk factor that can lead to Remote Code Execution if not handled with extreme caution and validation.

The vulnerability history shows one past medium severity CVE related to XSS, which aligns with the findings from the static analysis. Although there are no currently unpatched vulnerabilities, the pattern of past XSS issues highlights a persistent area of weakness. In conclusion, while the plugin has some strengths, the unprotected entry points and significant output escaping deficiencies, combined with the historical XSS vulnerability, elevate the risk profile. It's crucial to address these specific code-level issues to improve the overall security of the plugin.