Bizuno Accounting – Powerful ERP & Accounting for WordPress Security & Risk Analysis

The bizuno-accounting plugin version 7.3.7 presents a mixed security posture. While there are no recorded historical vulnerabilities or critical taint analysis findings, the static analysis reveals significant areas of concern. The plugin has two AJAX handlers, both of which lack proper authentication checks. This creates a substantial attack surface where unauthenticated users could potentially interact with sensitive plugin functionality. Additionally, the plugin uses raw SQL queries without prepared statements, which is a common vector for SQL injection vulnerabilities. While the plugin does have some output escaping in place, its effectiveness is limited by the presence of unescaped outputs.

The absence of recorded CVEs is a positive sign, suggesting the plugin may have been developed with some security awareness or has not been a target of extensive research. However, the static analysis findings, particularly the unprotected AJAX endpoints and the unparameterized SQL queries, indicate potential weaknesses that could be exploited. The limited number of entry points is a strength, but the lack of security controls on these entry points overshadows this advantage. A balanced conclusion would be that while the plugin has avoided public vulnerabilities to date, the presence of exploitable patterns in its code warrants caution and suggests a need for immediate remediation of the identified security flaws.