Feature Box Addon for WPBakery Page Builder (formerly Visual Composer) Security & Risk Analysis

The security posture of the "feature-box-addon-for-wpbakery-page-builder" plugin version 2.0.2 appears to be generally good, with several strong security practices observed in the static analysis. The complete absence of dangerous functions, raw SQL queries, file operations, external HTTP requests, and the consistent use of prepared statements for SQL and proper output escaping are all positive indicators. The plugin also demonstrates a focus on controlling its entry points, with all five shortcodes having capability checks, and no unprotected AJAX handlers or REST API routes identified. The lack of any recorded vulnerabilities in its history further suggests a well-maintained and secure codebase.

However, there are some areas that warrant attention and contribute to a slightly less than perfect security score. The most significant concern is the complete absence of nonce checks across all identified entry points. While capability checks are present on the shortcodes, the lack of nonces means that an attacker could potentially replay or forge requests to these shortcodes if they could trick a logged-in user into triggering them, particularly if other vulnerabilities exist in the broader WordPress environment that allow for client-side interaction or redirection. Furthermore, the taint analysis yielded zero flows, which is excellent, but it also indicates that the analysis might have been limited or that the plugin has very minimal interaction with user-supplied data in a way that would trigger taint detection. Given the overall good practices, this lack of nonce checks is the primary area of weakness.