Connector to CiviCRM with CiviMcRestFace Security & Risk Analysis

The plugin 'connector-civicrm-mcrestface' v1.0.12 exhibits a mixed security posture. While the static analysis shows a remarkably small attack surface with no identified unprotected entry points (AJAX, REST API, shortcodes, cron), and no dangerous functions or file operations, there are concerning areas related to input sanitization and authorization.

The code analysis reveals that a significant portion of SQL queries (71%) are not using prepared statements, which is a major risk for SQL injection vulnerabilities. Furthermore, only 61% of output is properly escaped, leaving room for Cross-Site Scripting (XSS) attacks. The absence of any nonce checks is a significant security oversight, particularly for any potential, even if currently undetected, AJAX operations.

The vulnerability history is particularly worrying, with two medium-severity CVEs previously recorded for Cross-site Scripting and Missing Authorization. The fact that these vulnerabilities have been patched is positive, but the recurring nature of these common vulnerability types suggests a historical pattern of insecure coding practices that could resurface. The plugin's last vulnerability was in April 2025, which is in the future, suggesting potential data entry error or an indicator of a known but not yet exploited vulnerability. Overall, the lack of identified vulnerabilities in the current static analysis is offset by the historical data and the identified weaknesses in SQL and output handling.