Inspectlet – User Session Recording and Heatmaps Security & Risk Analysis

The Inspectlet Heatmaps and User Session Recording plugin, version 2.0, presents a mixed security profile. On the positive side, the static analysis shows no identified dangerous functions, no raw SQL queries, no file operations, no external HTTP requests, and no taint flows indicating potential vulnerabilities in these areas. The absence of shortcodes and cron events further reduces the attack surface. However, a significant concern is the complete lack of output escaping, meaning that all output generated by the plugin is susceptible to Cross-Site Scripting (XSS) attacks. Additionally, the plugin has a history of known vulnerabilities, including a medium severity XSS vulnerability that was last patched on August 14, 2025. The fact that this vulnerability is currently unpatched is a critical issue. While the plugin appears to have a small attack surface and avoids common coding pitfalls, the unpatched XSS vulnerability and the complete lack of output escaping represent significant security risks that must be addressed.