Imagus image optimizer Security & Risk Analysis

The plugin "imagus" v0.8.0 exhibits a mixed security posture. On the positive side, it has a clean vulnerability history with no known CVEs, indicating a generally well-maintained codebase. The plugin also exclusively uses prepared statements for SQL queries and has no external HTTP requests, which are strong security practices. However, the static analysis reveals significant concerns regarding its attack surface. With three identified AJAX handlers, all of which lack authentication checks, there's a substantial risk of unauthorized actions being performed. Furthermore, nearly half of the output escaping is not properly handled, potentially leading to cross-site scripting (XSS) vulnerabilities. While taint analysis did not reveal critical or high severity issues, the presence of two flows with unsanitized paths warrants attention, as these could be exploited if user input is not handled meticulously. The lack of capability checks on AJAX handlers and the low number of nonce checks further exacerbate the risk of unauthorized access and manipulation. Overall, while the plugin has a history of security diligence, the current version presents immediate risks due to unprotected entry points and potential output escaping flaws that require urgent remediation.