Image Hover Effects – Elementor Addon Security & Risk Analysis

The plugin "image-hover-effects-addon-for-elementor" v1.4.4 exhibits a mixed security posture. While the code analysis shows no dangerous functions, no raw SQL queries, and no file operations, it also reveals significant weaknesses. A primary concern is the presence of one AJAX handler without any authentication checks, creating a direct entry point for potential unauthorized actions. Furthermore, a concerningly low rate of proper output escaping (46%) suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into user browsers.

The vulnerability history further amplifies these concerns. With five known CVEs, including one that remains unpatched, and a history of medium-severity vulnerabilities related to missing authorization and XSS, the plugin has a track record of security flaws. The fact that the last vulnerability was very recent (September 2025) indicates ongoing issues. While the plugin demonstrates some good practices like using prepared statements for SQL, the identified unprotected AJAX handler, the high percentage of unescaped output, and the recurring vulnerability types paint a picture of a plugin that requires immediate attention and mitigation to address its security weaknesses.