Website Internal Link Optimiser Security & Risk Analysis

The 'internal-link-finder' plugin version 5.2.7 presents a mixed security posture. On the positive side, the plugin demonstrates good practices by exclusively using prepared statements for its SQL queries and generally incorporating nonce and capability checks. The absence of critical or high severity taint flows and dangerous functions is also a strong positive indicator. However, significant concerns arise from the analysis of its entry points and output escaping. A notable portion of its AJAX handlers and, more critically, all of its REST API routes lack permission callbacks, creating a substantial attack surface exposed to unauthenticated users. Furthermore, only 14% of output is properly escaped, leaving it susceptible to cross-site scripting (XSS) vulnerabilities, especially in conjunction with the unprotected entry points.

The vulnerability history, while showing no currently unpatched CVEs, reveals a pattern of past medium severity issues related to Cross-Site Request Forgery (CSRF) and Missing Authorization. The recurrence of 'Missing Authorization' in past vulnerabilities directly aligns with the current static analysis findings of unprotected REST API routes and AJAX handlers, suggesting a persistent vulnerability in access control. The last vulnerability being recent (2025-04-16) is also a point of concern, indicating ongoing security challenges. In conclusion, while the plugin shows strengths in SQL handling and general code hygiene, the significant number of unprotected entry points and poor output escaping, coupled with a history of authorization issues, indicate a moderate to high-risk profile that requires immediate attention.