EngageBay Landing Pages – Responsive landing pages for lead generation and conversions Security & Risk Analysis

The engagebay-landing-page-builder v2.1 plugin exhibits a generally strong security posture, as evidenced by the absence of known vulnerabilities and a lack of critical or high severity taint flows. The code demonstrates good practices such as using prepared statements for all SQL queries and implementing nonce and capability checks, contributing to a reduced attack surface. The static analysis reveals no dangerous functions or file operations, further bolstering its security. However, a significant concern arises from the low percentage of properly escaped output, with only 20% of 51 outputs being adequately sanitized. This creates a potential risk for cross-site scripting (XSS) vulnerabilities, especially if user-supplied data is not consistently handled with care. The presence of external HTTP requests, while not inherently a vulnerability, warrants attention for potential information leakage or reliance on external services that could be compromised. Overall, while the plugin has a clean vulnerability history and a good foundation in secure coding principles, the unescaped output is a notable weakness that requires immediate attention to mitigate potential XSS risks. Strengthening output sanitization is paramount for a truly secure plugin.