Dynific Addons for Elementor (formerly AnyWhere Elementor) Security & Risk Analysis

The 'anywhere-elementor' plugin version 1.2.14 exhibits a generally good security posture based on the static analysis, with no identified dangerous functions, exclusively prepared SQL statements, and a high percentage of properly escaped outputs. The attack surface is minimal, with only one shortcode, and importantly, no unprotected entry points were detected. Taint analysis also shows no critical or high severity vulnerabilities, indicating the code likely handles user input safely in this regard.

However, the plugin's vulnerability history is a significant concern. With two known CVEs, including a high and a medium severity vulnerability, and a recent history of sensitive information exposure and authorization bypass, there's a clear pattern of past security weaknesses. While there are currently no unpatched CVEs for this specific version, the recurring nature of these issues suggests potential underlying architectural flaws or a less rigorous security review process. The absence of nonce checks across its entry points, despite having capability checks, could also be a point of potential weakness if a vulnerability were to arise that bypasses capability checks.

In conclusion, while version 1.2.14 benefits from strong static analysis results and a small attack surface, the historical vulnerability data casts a shadow over its overall trustworthiness. Users should be aware of the plugin's past security incidents and ensure they are always running the latest patched version. The lack of nonce checks on the single shortcode warrants attention as a potential future exploit vector.