Chatra Live Chat + ChatBot + Cart Saver Security & Risk Analysis

The 'chatra-live-chat' plugin v1.0.11 exhibits a mixed security posture. While the static analysis shows a commendably small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events exposed without authentication, and all SQL queries utilizing prepared statements, there are significant concerns regarding output escaping and historical vulnerabilities. The fact that only 33% of output is properly escaped indicates a moderate risk of Cross-Site Scripting (XSS) vulnerabilities, especially since XSS is a common type of historical vulnerability for this plugin. The presence of one unpatched medium-severity CVE, last reported in 2025, is a critical weakness that directly exposes users to known exploits. This highlights a failure in timely patching and ongoing security maintenance. In conclusion, while the foundational code structure is relatively clean with respect to direct attack vectors, the plugin suffers from inadequate output sanitization and a lack of promptness in addressing security flaws, making it a moderate to high risk, primarily due to the unpatched CVE and XSS potential.