Campaign Monitor for WordPress Security & Risk Analysis

The "forms-for-campaign-monitor" plugin v2.9.0 exhibits a concerning security posture, primarily due to its significant number of unprotected entry points and a history of vulnerabilities. The static analysis reveals a substantial attack surface with 3 out of 4 entry points lacking authentication checks, specifically 3 AJAX handlers. This is a critical weakness, as it allows any unauthenticated user to potentially trigger these functions. Furthermore, the code signals indicate a worrying lack of secure coding practices, with 0% of SQL queries utilizing prepared statements and only 11% of output being properly escaped. This suggests a high risk of SQL injection and cross-site scripting (XSS) vulnerabilities. The presence of 14 file operations and 4 external HTTP requests without explicit mention of sanitization further compounds these concerns.

The plugin's vulnerability history is a major red flag. With 3 known CVEs, one of which remains unpatched, and a common pattern of missing authorization, sensitive information exposure, and XSS, it's clear that this plugin has a recurring security debt. The most recent vulnerability being in 2026 indicates that historical issues are still relevant and potentially present in this version. While the taint analysis did not reveal critical or high severity issues in this specific scan, the overall code quality and historical context strongly suggest that unaddressed vulnerabilities are likely. In conclusion, while the plugin doesn't appear to bundle critically outdated libraries like jQuery in this specific analysis, the high number of unprotected entry points, widespread use of raw SQL, poor output escaping, and significant vulnerability history paint a picture of a plugin that requires immediate attention and patching to mitigate substantial security risks.