iMega Teleport Security & Risk Analysis

The "imega-teleport" v1.6.14 plugin presents a concerning security posture due to significant gaps in input sanitization and authorization, despite the absence of known vulnerabilities. The static analysis reveals a critical flaw: one AJAX handler operates without any authentication checks, making it a direct entry point for potential attackers. Furthermore, all output (100%) lacks proper escaping, which is a major risk for cross-site scripting (XSS) vulnerabilities, especially when combined with unsanitized input. The taint analysis highlights one high-severity flow with unsanitized paths, indicating a real possibility of malicious data being processed without adequate validation, potentially leading to unintended consequences or data breaches. While the plugin demonstrates good practices by using prepared statements for all SQL queries and has no known CVEs, these strengths are overshadowed by the lack of basic security controls. The complete absence of nonce checks and capability checks on the unprotected AJAX endpoint is alarming and leaves the site vulnerable to various attacks. This plugin requires immediate attention to address these critical security weaknesses before it can be considered safe for deployment.