Image Editor by Pixo Security & Risk Analysis

The "image-editor-by-pixo" plugin v2.3.8 presents a mixed security posture with some positive attributes but notable concerns. On the positive side, the plugin demonstrates good practices in SQL query handling, with 100% of queries using prepared statements. It also has a reasonable number of nonce and capability checks relative to its entry points, and no dangerous functions were identified. However, the presence of an unprotected AJAX handler significantly expands the attack surface, creating a direct pathway for unauthenticated malicious input. The taint analysis reveals a concerning number of flows with unsanitized paths, even though they are not classified as critical or high severity in this specific scan.

The vulnerability history is a significant red flag. With two known CVEs, one of which remains unpatched, and both being medium severity with a common theme of Cross-site Scripting (XSS), this plugin has a demonstrated history of security flaws. The recent date of the last vulnerability (2025-09-22) suggests ongoing issues. While the current code scan didn't reveal exploitable vulnerabilities in the same vein, the historical pattern of XSS and the unsanitized paths in the taint analysis strongly suggest a propensity for input validation and output escaping weaknesses.

In conclusion, while the plugin has some strengths in its database interaction and basic security checks, the unprotected AJAX endpoint, concerning taint analysis results, and a history of unpatched XSS vulnerabilities collectively indicate a moderate to high-risk profile. Users should exercise caution, and developers should prioritize patching the known vulnerability and addressing the identified unsanitized input paths.