Elements Plus! Security & Risk Analysis

The Elements Plus plugin v2.16.5 exhibits a mixed security posture. On one hand, its code analysis shows excellent practices regarding SQL queries, with 100% using prepared statements, and a very high rate of output escaping. The absence of dangerous functions, file operations, external HTTP requests, and taint flows is also positive. However, there are significant concerns related to its attack surface. The plugin exposes two AJAX handlers, both of which lack any authentication checks, creating a substantial risk of unauthorized actions. The complete absence of nonce checks on these AJAX endpoints further exacerbates this risk, making them prime targets for Cross-Site Request Forgery (CSRF) attacks.

The vulnerability history indicates a past pattern of medium-severity Cross-site Scripting (XSS) vulnerabilities. While there are no currently unpatched CVEs, the recurring nature of XSS suggests that input sanitization or output escaping within dynamically generated content might not be consistently robust. The last vulnerability being in September 2025 is also unusual and potentially an artifact of data entry, but if it were accurate, it would suggest a recent exposure.

In conclusion, while Elements Plus demonstrates strengths in data handling and output sanitization, the unauthenticated AJAX endpoints represent a critical weakness. The historical XSS vulnerabilities, even if resolved, warrant continued vigilance regarding user-supplied data. The plugin needs immediate attention to secure its AJAX handlers to mitigate the risk of unauthorized execution and potential data manipulation.