GSheetConnector For Ninja Forms Security & Risk Analysis

The "gsheetconnector-ninja-forms" plugin version 2.0.2 exhibits a generally good security posture, with several positive indicators. The absence of any critical or high severity vulnerabilities in its history, and the lack of critical or high taint flows in the static analysis, are encouraging signs. Furthermore, the plugin implements nonce checks on all its AJAX handlers and has capability checks in place, which are crucial for preventing unauthorized access and actions. However, there are areas for improvement. A significant portion of its outputs are not properly escaped (38%), presenting a potential risk of Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not handled carefully. While the SQL query security is somewhat split (50% prepared), the presence of raw SQL queries could still be a vector for SQL injection if not meticulously managed.

The plugin's vulnerability history, while free of critical or high severity issues, does show one medium severity vulnerability related to 'Missing Authorization' in the past. The fact that this is currently unpatched is a concern, although the provided data indicates 'Currently unpatched: 0'. Assuming the data is consistent, this historical vulnerability is addressed in the current version. The bundled Freemius v1.0 library, while not explicitly flagged as outdated, could be a point of attention in future reviews. Overall, the plugin demonstrates strong security practices with its authentication and authorization checks, but the output escaping and SQL query practices warrant attention to further harden its security.