Donorbox – Free Recurring Donation Plugin and Fundraising Platform Security & Risk Analysis

The donorbox-donation-form plugin v7.1.12 exhibits a mixed security posture. The static analysis reveals good practices in several key areas. There are no dangerous functions, all SQL queries use prepared statements, and all identified outputs are properly escaped. The absence of file operations and external HTTP requests further contributes positively to its security. Furthermore, the attack surface, while consisting of two shortcodes, is noted as having no unprotected entry points. The taint analysis also shows no identified flows with unsanitized paths, indicating a lack of evident code-level vulnerabilities in this version.

However, the plugin's vulnerability history presents a significant concern. With two known medium-severity CVEs, both historically related to Cross-site Scripting (XSS), and a last vulnerability recorded in April 2022, there's an indication of past weaknesses in input sanitization or output encoding. While there are currently no unpatched vulnerabilities, the recurring nature of XSS issues suggests a potential for these to reappear if not rigorously addressed in future development. The lack of explicit nonce checks and capability checks in the static analysis, while not directly flagged as vulnerabilities due to the absence of unprotected entry points, could represent a potential area for concern if the attack surface were to expand or change in future versions.

In conclusion, while the current version of donorbox-donation-form v7.1.12 appears to be free of critical or high-severity code-level vulnerabilities based on the static and taint analysis, its past history of medium-severity XSS vulnerabilities warrants careful consideration. Users should ensure they are running the absolute latest version, as the absence of unpatched CVEs is a positive sign. However, the historical pattern should prompt ongoing vigilance.