AI Chatbot for WordPress by Customerly Security & Risk Analysis

The customerly plugin v2.5.4 exhibits a mixed security posture. On the positive side, the absence of known CVEs and the use of prepared statements for all SQL queries are strong indicators of good security practices. The plugin also avoids dangerous functions, file operations, and external HTTP requests, further minimizing common attack vectors. However, a significant concern is the presence of one unprotected AJAX handler, which represents a direct entry point for potential attackers. While taint analysis found no issues, and output escaping is present for most outputs, the lack of proper authorization checks on this AJAX endpoint is a critical oversight. This single unprotected entry point, combined with zero nonce checks and zero capability checks, exposes the plugin to potential unauthorized actions if the AJAX handler performs sensitive operations. The vulnerability history is clean, which is excellent, but this doesn't negate the immediate risks identified in the static analysis. Overall, the plugin has a solid foundation in many security areas, but the unprotected AJAX handler is a glaring weakness that needs immediate attention to mitigate risks.