Buttonizer – Live Chat, AI Chatbot, Call, Chat, Contact Button Security & Risk Analysis

The "button-contact-vr" plugin, version 5.0.6, exhibits a mixed security posture. While it demonstrates good practices in areas like SQL query preparation and output escaping, a significant concern arises from its attack surface. With 10 total entry points, a disproportionate 9 are found to be unprotected, meaning they lack proper authorization checks. This creates a substantial risk, as unauthenticated users could potentially interact with these endpoints.

The static analysis also reveals taint flows with unsanitized paths, indicating a potential for vulnerabilities where user-supplied data could be mishandled. Although no critical or high severity taint flows were found, and the plugin has no currently unpatched CVEs, the history of 3 medium severity CVEs, all related to Cross-site Scripting (XSS), is a worrying pattern. This suggests a recurring issue with how user input is processed, even if recent versions have addressed specific instances.

In conclusion, the plugin has strengths in secure coding for SQL and output handling. However, the high number of unprotected REST API routes and the historical XSS vulnerabilities represent significant weaknesses that require attention to mitigate potential risks.