All Post Contact Form Security & Risk Analysis

The 'allpost-contactform' plugin, version 1.8.2, presents a mixed security posture. While the static analysis indicates a good practice in terms of its limited attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events, and SQL queries are 100% prepared, significant concerns remain. The 35% proper output escaping is a considerable weakness, suggesting potential for cross-site scripting (XSS) vulnerabilities where user-supplied data is rendered without adequate sanitization. Furthermore, the taint analysis revealing three flows with unsanitized paths, even without critical or high severity, warrants attention as it indicates potential entry points for malicious data manipulation.

The plugin's vulnerability history is highly concerning. It has a single known CVE, which is critical, and it is currently unpatched. This critical vulnerability is categorized as 'Unrestricted Upload of File with Dangerous Type,' which is a severe security flaw that could allow attackers to upload malicious files to the server. The fact that the last vulnerability was very recent (October 2024) and remains unpatched indicates a lack of timely security patching by the developer, posing an immediate and significant risk to users. While the plugin shows some positive security habits, the presence of an unpatched critical vulnerability and a high percentage of improperly escaped output significantly elevates the overall risk.