Contact Form by Supsystic Security & Risk Analysis

The static analysis of 'contact-form-by-supsystic' v1.7.36 reveals several concerning security indicators despite a seemingly small attack surface. The presence of two 'unserialize' function calls is a significant red flag, as unserialization vulnerabilities are notoriously difficult to detect and can lead to remote code execution if untrusted data is processed. While no specific taint flows with unsanitized paths were identified in this analysis, the inherent risk of 'unserialize' remains high. The plugin also shows a substantial number of file operations and external HTTP requests, which, without detailed analysis of their context, could potentially be vectors for further compromise. Furthermore, only 35% of output is properly escaped, indicating a moderate risk of Cross-Site Scripting (XSS) vulnerabilities. The historical vulnerability data is particularly alarming, with 9 known CVEs, one of which is currently unpatched. The common types of past vulnerabilities, including Code Injection, CSRF, XSS, and SQL Injection, strongly suggest recurring security weaknesses within the plugin's codebase. This pattern, combined with the unpatched CVE, indicates a lack of consistent security maintenance or a recurring struggle to address fundamental security flaws. While the plugin has some strengths, such as the majority of SQL queries using prepared statements and the presence of some nonce and capability checks, these are outweighed by the serious risks associated with unserialization, insufficient output escaping, and a significant history of exploitable vulnerabilities, including an unpatched one.