WP Gravity Forms Constant Contact Plugin Security & Risk Analysis

The "gf-constant-contact" plugin version 1.1.3 presents a mixed security posture. While the plugin demonstrates several good security practices, such as a high percentage of SQL queries using prepared statements and robust nonce and capability checks, there are significant concerns that elevate its risk profile.

The static analysis reveals a single AJAX handler that lacks authentication checks, creating a direct attack vector. The presence of the `unserialize` function, a known dangerous function, is a critical red flag, especially when coupled with potential input sources that could be controlled by an attacker. Although the taint analysis shows no identified flows with unsanitized paths in this specific version, the historical vulnerability data is highly concerning.

The plugin has a history of 3 known CVEs, with 2 classified as high severity, including deserialization, open redirect, and XSS vulnerabilities. The fact that the last reported vulnerability was in the very near future (2025-08-08) suggests either a recent discovery of past issues or a potential ongoing development/reporting problem. This historical pattern of critical vulnerabilities, particularly around deserialization, strongly indicates a recurring tendency for insecure handling of user-supplied data, even if current taint analysis doesn't reflect it. While the current version has no unpatched CVEs, the historical context and the identified unsecured entry point warrant caution.