Async JavaScript Security & Risk Analysis

The 'async-javascript' plugin version 2.21.08.31 presents a mixed security posture. While the static analysis reveals a generally low number of critical code-level vulnerabilities, with no identified critical or high severity taint flows and a good percentage of SQL queries utilizing prepared statements, there are notable concerns. The presence of an unprotected AJAX handler significantly increases the attack surface, as it lacks authentication checks, making it a potential entry point for unauthorized actions. Furthermore, the output escaping is only properly implemented in 43% of cases, which could lead to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not handled carefully. The vulnerability history indicates two past medium severity CVEs, both related to Cross-Site Scripting, and while currently unpatched, this pattern suggests a recurring susceptibility to injection attacks. In conclusion, the plugin shows some good practices like using prepared statements and nonce checks, but the unprotected AJAX endpoint and insufficient output escaping, coupled with a history of XSS vulnerabilities, warrant careful consideration and mitigation.