EC Stars Rating Security & Risk Analysis

The "ec-stars-rating" plugin v1.0.11 presents a mixed security posture. While it demonstrates good practices in its handling of SQL queries, utilizing prepared statements exclusively, and avoiding file operations and external HTTP requests, significant concerns arise from its attack surface and code analysis. The presence of two unprotected AJAX handlers represents a considerable risk, as these are direct entry points that could be exploited without proper authentication. Furthermore, the taint analysis reveals two flows with unsanitized paths, both flagged as high severity, indicating potential vulnerabilities where user-controlled input could lead to unintended consequences.

The plugin's vulnerability history is also a point of concern. It has a known medium severity CVE that is currently unpatched, dating from June 2025. The common vulnerability type being Cross-site Scripting (XSS) and the fact that a medium-severity vulnerability remains unaddressed suggest a pattern of neglecting security updates or potentially a lack of rigorous security testing before releases.

In conclusion, the plugin exhibits strengths in database interaction and operational security, but the unprotected entry points, high-severity taint flows, and the unpatched historical vulnerability significantly detract from its overall security. Organizations using this plugin should be aware of the potential for XSS and unauthorized actions via its AJAX endpoints and prioritize updating to a version that addresses the known CVE.