WeShareAI – AI-Powered Share Buttons (formerly E-MAILiT) Security & Risk Analysis

The e-mailit plugin v13.0.0 exhibits a mixed security posture. On the positive side, the static analysis reveals a clean slate regarding dangerous functions, SQL queries (all prepared), file operations, and external HTTP requests. The presence of nonce checks is also a good sign. However, the extremely low percentage of properly escaped output (7%) is a significant concern, indicating a high likelihood of Cross-Site Scripting (XSS) vulnerabilities, especially given the plugin's vulnerability history which points to XSS as a common issue.

The plugin's attack surface appears to be minimal with no apparent AJAX handlers, REST API routes, shortcodes, or cron events exposed without authentication. Taint analysis also shows no critical or high severity flows, suggesting that direct code execution or data compromise through these vectors might be less likely. Nevertheless, the lack of capability checks on any identified entry points (though none were found) and the poor output escaping practices present substantial risks.

The vulnerability history, specifically one unpatched medium severity CVE related to XSS, reinforces the concerns raised by the static analysis. This suggests a pattern of vulnerabilities in this area that has not been fully addressed. While the plugin demonstrates strengths in several core security areas, the widespread lack of output escaping and the lingering unpatched XSS vulnerability significantly lower its overall security standing.