Formstack Online Forms Security & Risk Analysis

The Formstack plugin v2.0.2 exhibits a mixed security posture. On the positive side, the static analysis reveals no overtly dangerous functions and all SQL queries utilize prepared statements, which is a strong indicator of secure database interaction. The output escaping is also robust at 85%, minimizing the risk of cross-site scripting vulnerabilities. However, there are notable areas of concern. The presence of one flow with an unsanitized path, although not classified as critical or high severity, warrants attention as it could indicate potential for path traversal or other file system related vulnerabilities. The complete lack of nonce checks and capability checks, especially given the plugin's potential interactions with external services (indicated by 7 external HTTP requests), is a significant weakness. This absence of authorization checks on potential entry points can expose the plugin to unauthorized actions if new vulnerabilities are introduced or if existing ones are exploited. The vulnerability history indicates a pattern of missing authorization issues, with a medium severity CVE recorded recently. While the plugin has a history of a single medium CVE, the recent date of the last vulnerability (2025-12-05) combined with the lack of authorization checks in the current version suggests a recurring theme and a potential blind spot in the plugin's security development lifecycle.