Genealogical Tree – Family Tree & Ancestry for WordPress Security & Risk Analysis

The genealogical-tree plugin v2.2.6 exhibits a mixed security posture. On the positive side, it demonstrates strong practices regarding SQL queries, exclusively using prepared statements, and a high percentage (96%) of properly escaped output, indicating a good understanding of preventing common web vulnerabilities. The presence of numerous capability checks and nonces further suggests an effort to secure the application.

However, significant concerns arise from the large attack surface exposed by unprotected AJAX handlers. With 9 out of 9 AJAX handlers lacking authentication checks, this presents a substantial risk for unauthorized actions or data manipulation. The plugin also has a known, unpatched medium severity vulnerability (CVE) related to Cross-Site Scripting, which is a serious concern that needs immediate attention.

The vulnerability history, specifically the single unpatched medium CVE, coupled with the unprotected AJAX handlers, suggests that while some security measures are in place, there are critical oversights that could be exploited. The plugin has demonstrated a past weakness in input sanitization for XSS, and the lack of authentication on AJAX endpoints creates new avenues for similar attacks.