SMS Contact Form 7 Notifications by ClickSend Security & Risk Analysis

The clicksend-contactform7 plugin version 1.4.0 presents a moderate security risk, primarily due to its handling of entry points and its vulnerability history. While the plugin shows some positive signs like a low number of dangerous functions, the absence of capability checks on its sole AJAX handler is a significant concern. This means that any authenticated user, regardless of their role, could potentially trigger this handler, leading to unauthorized actions if the functionality is sensitive.

The static analysis also indicates that a substantial portion of SQL queries are not prepared, and a noticeable percentage of outputs are not properly escaped, which could lead to SQL injection or cross-site scripting vulnerabilities under certain conditions. The absence of any taint analysis findings is positive, suggesting no obvious complex code flows leading to immediate compromise, but it doesn't negate the risks identified in other areas.

The plugin's vulnerability history, specifically a medium severity CVE for Missing Authorization in 2025, aligns with the identified lack of authorization checks. This pattern suggests a recurring issue with access control within the plugin. While there are no currently unpatched critical or high severity vulnerabilities, the presence of a medium one and the identified authorization weakness highlight areas requiring immediate attention and ongoing vigilance. Overall, the plugin has some good practices but requires significant hardening, especially regarding authorization and input validation.