AgilityFeat's Click To Call Security & Risk Analysis

The "agilityfeats-click-to-call" plugin version 0.5.0 exhibits several significant security concerns. The most prominent issue is the presence of three AJAX handlers that lack any authentication or capability checks. This exposes a substantial attack surface, allowing any unauthenticated user to potentially trigger these handlers. Additionally, the plugin performs two SQL queries without using prepared statements, which could lead to SQL injection vulnerabilities if user input is not properly sanitized before being passed to these queries. The output escaping is also a concern, with 58% of outputs properly escaped, leaving the remaining 42% potentially vulnerable to cross-site scripting (XSS) attacks. The absence of any recorded vulnerabilities in its history might suggest a lack of prior discovery or exploitation, but this does not negate the immediate risks identified in the static analysis. While the plugin doesn't use dangerous functions, perform file operations, external HTTP requests, or bundle libraries, the identified unauthenticated entry points and insecure SQL practices are critical weaknesses that demand immediate attention.