Customer Support Software, Live Chat, & Marketing Automation Security & Risk Analysis

The formilla-chat-and-marketing plugin version 1.3 exhibits a mixed security posture. While it demonstrates good practices by not utilizing raw SQL queries and appears to have addressed its past vulnerabilities, there are significant concerns regarding its attack surface. The presence of three AJAX handlers, with two lacking authentication checks, creates an immediate risk. This means that unauthorized users could potentially interact with these endpoints, leading to unintended actions or information disclosure.

The static analysis reveals a moderate level of output escaping, with 50% of outputs not being properly escaped. This indicates a potential for Cross-Site Scripting (XSS) vulnerabilities, especially given the plugin's history of this vulnerability type. Fortunately, the taint analysis did not reveal any critical or high-severity unsanitized flows, which is a positive sign. The plugin's vulnerability history shows one past medium-severity issue related to XSS, which has since been patched. The absence of currently unpatched vulnerabilities is encouraging, but the pattern of past XSS issues, coupled with incomplete output escaping, warrants vigilance.

In conclusion, the plugin has strengths in its SQL handling and its responsiveness to past vulnerabilities. However, the significant number of unprotected AJAX endpoints and the incomplete output escaping are notable weaknesses. These areas represent the most immediate risks and should be prioritized for remediation. Users should be aware of these potential weaknesses and ensure they are running the latest version of the plugin, as well as any other security measures they have in place.