CM Video Lessons Manager – Simplify video lessons management for better education Security & Risk Analysis

The "cm-video-lesson-manager" v1.8.10 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for all SQL queries and has a history of no recorded vulnerabilities, suggesting a generally well-maintained codebase. However, significant concerns arise from its attack surface. Three out of eight identified entry points, specifically AJAX handlers, lack authentication checks, presenting a direct pathway for unauthenticated attackers to interact with potentially sensitive functionalities. Furthermore, the presence of the "unserialize" function, identified as a dangerous function, warrants caution, as improper handling of serialized data can lead to remote code execution vulnerabilities. While the taint analysis did not reveal critical or high severity issues, the existence of flows with unsanitized paths is a red flag that requires further investigation to ensure no exploitable vulnerabilities exist within these flows.

The absence of any past CVEs is a strong positive indicator of the plugin's security history. This suggests that the developers have either been diligent in patching any discovered issues promptly or that the plugin has not been a significant target for vulnerability research. However, this historical absence does not negate the risks identified in the static analysis. The combination of unprotected AJAX endpoints and the use of "unserialize" introduces inherent risks that need to be addressed, regardless of past vulnerability records. In conclusion, while the plugin benefits from secure SQL practices and a clean vulnerability history, the unauthenticated AJAX endpoints and the use of "unserialize" represent clear security weaknesses that should be prioritized for remediation.