Gutenify – Visual Site Builder Blocks & Site Templates. Security & Risk Analysis

The Gutenify plugin, version 1.6.1, presents a mixed security posture. On one hand, the static analysis reveals a clean attack surface with no exposed AJAX handlers, REST API routes, shortcodes, or cron events that are unprotected. Furthermore, all detected SQL queries are properly prepared, and a significant majority of output is correctly escaped, indicating good practices in these areas. The absence of critical taint flows and dangerous functions is also a positive sign. However, the plugin exhibits several concerning indicators. Notably, there are no nonce checks implemented, which is a significant omission for any plugin that handles user input or performs actions. The presence of 8 external HTTP requests without explicit mention of their security context is another area to monitor, as these could potentially be exploited. The plugin also lacks capability checks on some entry points, which, combined with the absence of nonce checks, could allow unauthorized users to perform actions. The vulnerability history is a major red flag. With a total of 5 known CVEs, including one that remains unpatched, and a significant number of high and medium severity vulnerabilities in the past, this plugin has a history of being a security risk. The common vulnerability types like Cross-site Scripting and PHP Remote File Inclusion, along with exposure of sensitive information, suggest recurring issues with input sanitization and access control. The last recorded vulnerability being recent also suggests ongoing security challenges. Therefore, while some code practices are sound, the historical vulnerability record and the lack of critical security checks like nonce verification warrant a high degree of caution.