Bulk Auto Image Title Attribute (Image Title tag) optimizer (Image SEO) Security & Risk Analysis

The 'bulk-image-title-attribute' plugin v2.0.1 presents a mixed security posture. While it shows strengths in avoiding dangerous functions, SQL injection vulnerabilities (as evidenced by the high percentage of prepared statements), and file operations, significant concerns arise from its attack surface. Two AJAX handlers are present, and critically, both lack authentication checks. This creates an open door for unauthenticated users to potentially trigger plugin functionality, which could be exploited if vulnerabilities exist within these handlers.

The vulnerability history, specifically a known medium-severity CVE for Cross-Site Scripting (XSS) that is currently unpatched, is a substantial red flag. The fact that the last vulnerability was in 2025 suggests a recent or ongoing issue that has not been addressed. While taint analysis shows no critical or high severity flows, the presence of an unpatched XSS vulnerability, combined with unprotected AJAX endpoints, significantly elevates the risk. This indicates that while some secure coding practices are followed, there are critical blind spots in securing entry points and a failure to address disclosed vulnerabilities.

In conclusion, the plugin has positive aspects like minimal external dependencies and a good approach to SQL querying. However, the unprotected AJAX handlers and the unpatched XSS vulnerability are serious issues that could lead to malicious exploitation. Users should exercise extreme caution and ideally await a patch for the known CVE before relying on this plugin.