Ajax Contact Forms (ACF SP) Security & Risk Analysis

The 'ajax-contact-forms' plugin version 1.0.1 exhibits a concerning security posture due to several identified weaknesses in its static analysis. While the plugin demonstrates good practice by exclusively using prepared statements for SQL queries and avoiding file operations and external HTTP requests, it suffers from a lack of fundamental security checks on its exposed entry points. Specifically, two AJAX handlers are present without any authentication or capability checks, creating a significant attack surface that could be exploited by unauthenticated users. Furthermore, the plugin lacks nonce checks entirely, which are crucial for preventing Cross-Site Request Forgery (CSRF) attacks, particularly on its AJAX endpoints. The presence of the `create_function` in the code signals is also a red flag, as this function is deprecated and can lead to security vulnerabilities if not handled with extreme care.

Despite these identified code-level risks, the vulnerability history for 'ajax-contact-forms' is notably clean, with no recorded CVEs. This absence of known vulnerabilities could indicate either a lack of prior security scrutiny or that past versions have been well-maintained and patched effectively. However, the current static analysis findings highlight immediate and preventable risks that could lead to future vulnerabilities. The plugin's overall security is weakened by its unprotected AJAX handlers and the absence of nonce and capability checks, which are critical for maintaining security in WordPress plugins.