Live Chat by Formilla – Real-time Chat & Chatbots Plugin Security & Risk Analysis

The `formilla-live-chat` plugin version 1.4 exhibits a generally good security posture with strong adherence to modern WordPress security practices. The static analysis reveals a very limited attack surface, with a single AJAX handler that benefits from both nonce and capability checks, effectively mitigating direct unauthorized access. The absence of dangerous functions, file operations, and external HTTP requests is also a positive sign. Furthermore, all SQL queries are secured with prepared statements, and there are no identified taint flows indicating potential code injection vulnerabilities. The vulnerability history shows a single medium-severity CVE in the past, which is now patched, suggesting the developers address security issues promptly. However, the static analysis did identify that 29% of output is not properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is rendered without adequate sanitization. While the existing CVEs are resolved, this unescaped output remains a potential area of concern that warrants attention.