DLM Changelog Add-on Security & Risk Analysis

The 'dlm-changelog' v1.2.1 plugin presents a mixed security posture. While it demonstrates good practices by avoiding dangerous functions, performing all SQL queries with prepared statements, and having no file operations or external HTTP requests, significant concerns arise from its attack surface and output escaping practices. The presence of one AJAX handler without authentication checks is a notable vulnerability, as it can be triggered by any user, potentially leading to unauthorized actions or information disclosure depending on its functionality. Furthermore, the low percentage of properly escaped output across 17 total outputs suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the site, which could compromise user sessions or deface the website. The absence of known CVEs and past vulnerabilities is a positive indicator of its development history, suggesting the developers may be responsive to security issues. However, the current static analysis reveals critical weaknesses that overshadow this positive history, particularly the unprotected AJAX endpoint and the prevalent unescaped output, which represent immediate threats.