EchBay – JPEG, PNG image compression Security & Risk Analysis

The echbay-optimize-images plugin version 1.1.2 presents a mixed security posture. On the positive side, the plugin has a remarkably small attack surface with zero identified AJAX handlers, REST API routes, shortcodes, or cron events. Furthermore, there are no recorded vulnerabilities (CVEs) in its history, suggesting a history of relatively secure development or limited exposure. However, the static analysis reveals significant concerns regarding code quality and potential security weaknesses.

The most critical issue is the presence of a high-severity taint flow, indicating that unsanitized data is being processed in a way that could lead to vulnerabilities if exploited. Coupled with this, the plugin's handling of SQL queries is problematic. It uses two SQL queries, neither of which utilizes prepared statements, making it vulnerable to SQL injection attacks. Additionally, a very low percentage (7%) of output escaping suggests that sensitive data displayed to users might not be properly sanitized, opening the door for cross-site scripting (XSS) vulnerabilities.

While the lack of known CVEs is reassuring, it should not be seen as a guarantee of complete security, especially given the identified code quality issues. The absence of explicit capability checks and nonce checks on any entry points (which there are none) means that if entry points were ever introduced, they would likely be unprotected. In conclusion, the plugin's minimal attack surface is a strength, but the significant code-level vulnerabilities in data handling and SQL query practices represent a substantial risk that requires immediate attention.