Graphina – Charts and Graphs For Elementor Security & Risk Analysis

The plugin "graphina-elementor-charts-and-graphs" v3.1.9 exhibits a mixed security posture. While it demonstrates strong adherence to secure coding practices like using prepared statements for all SQL queries and a high percentage of properly escaped output, several critical concerns remain. The presence of two AJAX handlers without authentication checks presents a significant attack vector. This means that unauthorized users could potentially trigger functionalities within these handlers, leading to unintended consequences or data exposure.

The plugin's vulnerability history is a major red flag, with a total of seven known CVEs, including two high-severity vulnerabilities. While there are currently no unpatched vulnerabilities, the pattern of past issues, including Cross-site Scripting (XSS), PHP Remote File Inclusion (RFI), Cross-Site Request Forgery (CSRF), and Missing Authorization, indicates a recurring struggle with robust security implementation. The fact that RFI and Missing Authorization have been past issues, combined with the current missing authorization on AJAX handlers, suggests a persistent weakness in access control mechanisms.

In conclusion, despite good practices in data handling, the plugin's security is severely undermined by the presence of unprotected AJAX endpoints and a history of significant past vulnerabilities. The risk is elevated by the nature of previous vulnerabilities, suggesting that fundamental security flaws may still exist. Users should exercise caution and consider the potential for exploitation due to these identified weaknesses.