ElIoT Pro Passwordless Login Security & Risk Analysis

The "eliot-pro" v1.0 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and properly escaping a high percentage of its output. There are no recorded vulnerabilities, including CVEs, which suggests a generally stable and well-maintained codebase in the past. The absence of file operations and dangerous functions further contributes to a perceived lower risk profile. However, the plugin has a significant security concern: a single REST API route that lacks proper permission callbacks. This creates an unprotected entry point that could be exploited by unauthenticated users. The static analysis also indicates zero nonce checks, which is a concern for AJAX handlers, although there are no AJAX handlers to begin with. The lack of taint analysis results might be due to the plugin's limited complexity or the analysis tool's capabilities. Overall, while the plugin shows strengths in database interaction and output handling, the unprotected REST API route is a critical vulnerability that needs immediate attention. The absence of vulnerabilities in its history is a positive indicator but does not negate the current identified risk.