Buttonizer – Social Media Share Buttons, Social Icons, & Social Feeds Security & Risk Analysis

The facebook-pagelike-widget plugin v7.0.0 presents a mixed security posture. While it demonstrates good practices by using prepared statements for all SQL queries and having a reasonable number of nonce and capability checks, significant concerns arise from its attack surface and output escaping. The plugin exposes 8 entry points, with a concerning 6 of these being unprotected, primarily due to the lack of permission callbacks on all 6 REST API routes. This large unprotected attack surface increases the risk of unauthorized actions or information disclosure. Additionally, only 52% of output is properly escaped, leaving a substantial portion vulnerable to cross-site scripting (XSS) attacks, which aligns with its historical vulnerability types. The plugin has a history of 2 medium severity CVEs, both related to XSS, indicating a recurring weakness that, while currently patched, suggests a need for diligent code review and secure coding practices. The taint analysis did not reveal critical or high severity issues, which is a positive sign, but the presence of unsanitized paths warrants attention. Overall, the plugin has strengths in database interaction but weaknesses in access control for its API endpoints and output sanitization, creating a moderate to high risk profile.