DragDropr – Visual Drag & Drop Page Builder Security & Risk Analysis

The dragdropr plugin v1.0.4 presents a mixed security picture. On the positive side, the static analysis reveals a remarkably small attack surface with zero identified entry points, including AJAX handlers, REST API routes, shortcodes, and cron events. This is a strong indication of good initial design practices from a security perspective. Furthermore, the plugin has no recorded vulnerability history, suggesting a well-maintained codebase or a lack of past exploitable issues. The absence of dangerous functions and file operations is also a positive sign.

However, several critical concerns emerge from the code analysis. The single SQL query is not using prepared statements, posing a significant risk of SQL injection. While the attack surface is zero, the lack of capability checks and nonce checks on any potential (even if currently zero) entry points is a concern, as it implies a lack of fundamental security measures. The output escaping rate is worryingly low at 37%, meaning a substantial portion of user-facing output is vulnerable to cross-site scripting (XSS) attacks. The taint analysis, while not finding critical or high-severity flows, did identify two flows with unsanitized paths, which could potentially lead to path traversal vulnerabilities if an entry point were ever introduced.

In conclusion, while the plugin benefits from a minimal attack surface and a clean vulnerability history, the presence of raw SQL queries, poor output escaping, and the absence of fundamental security checks like capability and nonce checks represent substantial security weaknesses that require immediate attention. These flaws, if exploited, could lead to serious security breaches.