Classic Addons – WPBakery Page Builder Security & Risk Analysis

The static analysis of Classic Addons WP Bakery Page Builder Addons v3.7 shows a generally strong security posture with several good practices in place. The plugin boasts a high percentage of properly escaped outputs and utilizes prepared statements exclusively for SQL queries, which significantly mitigates common vulnerabilities. The absence of dangerous functions, file operations, and external HTTP requests further contributes to its security. Furthermore, the fact that all identified entry points have at least one nonce check is a positive sign, indicating an effort to prevent CSRF attacks.

However, a significant concern arises from the plugin's vulnerability history. With a total of three known CVEs, two of which are high severity, and past instances of critical vulnerabilities like Remote File Inclusion and Path Traversal, this indicates a recurring pattern of security weaknesses. The presence of Cross-Site Scripting as a common vulnerability type, even if not explicitly flagged in the current static analysis, is concerning given the past issues.

While the current version (v3.7) shows no unpatched vulnerabilities and a clean taint analysis, the historical context cannot be ignored. The plugin has a history of critical security flaws, suggesting a need for more robust and consistent security practices. The lack of capability checks on its single AJAX handler, coupled with the past vulnerabilities, presents a potential risk if the AJAX handler processes user input without proper authorization, even if current taint analysis shows no issues. This history warrants careful monitoring and a cautious approach to its deployment.