Widget for Google Reviews Security & Risk Analysis

The "business-reviews-wp" plugin exhibits a mixed security posture. While it demonstrates strong practices in areas like SQL query sanitization and output escaping, with 100% of SQL queries using prepared statements and 98% of output properly escaped, significant concerns arise from its attack surface. Specifically, the presence of 4 AJAX handlers, with 2 lacking authentication checks, presents a direct pathway for potential exploitation. The taint analysis reveals no critical or high-severity issues, which is a positive sign, suggesting that user-supplied data, if it reaches sensitive functions, is generally handled with some degree of sanitization. However, the absence of taint issues doesn't negate the risk posed by unprotected entry points.

The plugin's vulnerability history is a major red flag. Having 2 known high-severity CVEs, both related to 'Improper Control of Filename for Include/Require Statement in PHP Program' (PHP Remote File Inclusion), strongly indicates a recurring pattern of critical security flaws. The fact that these vulnerabilities are historical and currently patched is a mitigating factor, but the nature of past exploits suggests that the code may have underlying architectural weaknesses that could be re-introduced or discovered in future versions. The most recent vulnerability being dated 2025-07-16 is unusual, suggesting either a future discovery or a typo in the data provided. Regardless, the historical context of RFI vulnerabilities demands vigilance. In conclusion, while the plugin has improved its secure coding practices in certain aspects, the significant attack surface with unprotected AJAX handlers and the history of high-severity RFI vulnerabilities necessitate careful consideration and ongoing monitoring.