Apperr – Android and iOS App builder for WooCommerce and WordPress Security & Risk Analysis

The "apperr" plugin v0.1.0 exhibits a concerning security posture due to a high number of unprotected entry points. With 7 out of 8 identified entry points lacking authentication checks, the plugin is highly susceptible to unauthorized access and execution of potentially malicious actions. While the plugin demonstrates good practices in its use of prepared statements for SQL queries and has no recorded vulnerability history, the significant number of unprotected AJAX handlers presents a critical risk. The taint analysis, although showing no critical or high severity unsanitized flows, is limited by the small number of flows analyzed, and the presence of unsanitized paths is a red flag requiring further investigation.

The plugin's strengths lie in its avoidance of dangerous functions, secure SQL handling, and a clean vulnerability history. However, these positives are heavily outweighed by the critical weakness of unprotected AJAX endpoints. The lack of nonce checks on these handlers further exacerbates the risk, making cross-site request forgery (CSRF) attacks highly feasible. The low percentage of properly escaped output is also a concern, potentially leading to cross-site scripting (XSS) vulnerabilities.