AI Popup Builder & Popup Maker by OptiMonk Security & Risk Analysis

The "exit-intent-popups-by-optimonk" plugin v2.1.6 presents a mixed security posture. On the positive side, it demonstrates good practices such as using prepared statements for all SQL queries and performing nonce checks on its entry points. It also shows no critical or high severity taint flows, indicating careful handling of potentially malicious input within the analyzed flows. The plugin has no currently unpatched vulnerabilities, which is a strong indicator of maintenance and responsiveness.

However, there are notable concerns. The plugin exposes one AJAX handler without authentication checks, creating a direct attack vector that could be exploited if it handles sensitive operations. A significant portion of its output (70%) is not properly escaped, posing a risk of Cross-Site Scripting (XSS) vulnerabilities. While the plugin has a history of a single medium-severity vulnerability (CSRF), the lack of proper output escaping remains a prevalent risk. The presence of external HTTP requests also warrants careful monitoring.

Overall, while the plugin has strengths in database interaction security and input validation for analyzed flows, the unprotected AJAX endpoint and widespread output escaping issues are significant weaknesses. Users should be aware of these potential XSS risks and the unprotected entry point.