
Importer From MaxSite Security & Risk Analysis
wordpress.org/plugins/importer-from-maxsite
Plugin Importer From MaxSite provides an easy and fast way to move your data from MaxSite CMS to WordPress.
Is Importer From MaxSite Safe to Use in 2026?
Generally Safe
Score 85/100
Importer From MaxSite has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The importer-from-maxsite plugin v1.5 exhibits a mixed security posture. On the positive side, it has no known historical vulnerabilities (CVEs) and its code analysis reveals no dangerous functions, no raw SQL queries, and a limited number of file operations and external HTTP requests. However, significant concerns arise from its attack surface. Its one AJAX handler lacks any authentication checks, which presents a direct and exploitable entry point for attackers.
The absence of nonce checks and capability checks on this AJAX handler is particularly alarming. This means any authenticated or even unauthenticated user could potentially trigger this handler, leading to unintended actions within the WordPress site. While taint analysis shows no critical or high severity flows, the presence of an unprotected AJAX endpoint is a substantial risk that overshadows other positive code signals. The plugin also has a moderate concern regarding output escaping, with 50% of its outputs not properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is involved in those unescaped outputs.
Overall, the plugin's lack of historical vulnerabilities is a good sign, suggesting responsible development or perhaps limited usage. However, the current static analysis points to a critical security flaw in its handling of AJAX requests. The absence of authentication and nonce checks on a direct entry point is a serious oversight that requires immediate attention to prevent potential security breaches, such as unauthorized data manipulation or site defacement.
Key Concerns
- AJAX handler without authentication
- AJAX handler without nonce checks
- AJAX handler without capability checks
- 50% of outputs not properly escaped
Importer From MaxSite Security Vulnerabilities
Importer From MaxSite Code Analysis
Output Escaping
Importer From MaxSite Attack Surface
AJAX Handlers: 1
WordPress Hooks: 3
Importer From MaxSite Maintenance & Trust
Maintenance Signals
Community Trust
Importer From MaxSite Alternatives
All-in-One WP Migration and Backup
all-in-one-wp-migration
Trusted by 60M+ sites: The gold standard for WordPress migration and backup. Migrate, backup, and restore your WordPress site with one click.
WordPress Importer
wordpress-importer
Import posts, pages, comments, custom fields, categories, tags and more from a WordPress export file.
One Click Demo Import
one-click-demo-import
Import your demo content, widgets and theme settings with one click. Theme authors! Enable simple theme demo import for your users.
Widget Importer & Exporter
widget-importer-exporter
Import and export your widgets.
WP Migrate Lite – Migration Made Easy
wp-migrate-db
Migrate your database. Export full sites including media, themes, and plugins. Find and replace content with support for serialized data.
Importer From MaxSite Developer Profile
4 plugins · 800 total installs
How We Detect Importer From MaxSite
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/importer-from-maxsite/assets/js/importer.js
- /wp-content/plugins/importer-from-maxsite/assets/css/importer.css
- importer-from-maxsite/assets/js/importer.js?ver=
- importer-from-maxsite/assets/css/importer.css?ver=
HTML / DOM Fingerprints
- data-menu-page='importer-from-maxsite'
- IFM_PLUGIN_DIR
- IFM_PLUGIN_BASENAME
- IFM_PLUGIN_URL
- IFM_TEXT_DOMAIN
- IFM_ASSETS_VERSION