Click & Pledge CONNECT Security & Risk Analysis

The plugin 'click-pledge-connect' v25.09000000-WP6.8.2 exhibits a mixed security posture. On the positive side, the static analysis indicates a strong adherence to secure coding practices, with 100% of AJAX handlers and REST API routes protected by authentication checks. The vast majority of SQL queries (99%) utilize prepared statements, and a significant portion of outputs (83%) are properly escaped, which are excellent indicators. However, there are several areas of concern. The taint analysis reveals 4 flows with unsanitized paths, including 2 of high severity, suggesting potential vulnerabilities where user input might not be adequately validated before being used in sensitive operations. Additionally, the presence of 2 file operations and the bundling of a library (DataTables) could introduce risks if not managed carefully or if the library is outdated. The vulnerability history is particularly concerning, with 2 previously discovered CVEs, one critical and one high, both related to SQL injection. While the current version shows no unpatched CVEs, the historical pattern of SQL injection vulnerabilities, especially critical ones, indicates a recurring weakness in how user input is handled. The last vulnerability being in July 2025 is also a recent occurrence. Overall, while the plugin implements many good security practices, the identified taint flows and historical vulnerability patterns necessitate careful review and ongoing vigilance to mitigate potential risks.