Invelity MyGLS connect Security & Risk Analysis

The invelity-mygls-connect plugin v1.1.1 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices in its handling of SQL queries, utilizing prepared statements exclusively. It also has a low attack surface with no identifiable AJAX handlers, REST API routes, shortcodes, or cron events directly exposed without authentication. Furthermore, a nonce check is present, indicating an awareness of potential CSRF vulnerabilities.

However, several significant concerns emerge. The presence of two instances of the `unserialize` function is a major red flag, as it is a common vector for Remote Code Execution if not handled with extreme caution and strict input validation. The taint analysis revealing one flow with unsanitized paths, classified as high severity, directly correlates with this risk and suggests that external input might be used in a way that could lead to a vulnerability. The limited output escaping (64%) also leaves room for potential Cross-Site Scripting (XSS) vulnerabilities.

The vulnerability history indicates a past medium severity Cross-Site Request Forgery (CSRF) vulnerability, which, although not critical, points to an area where the plugin might have had weaknesses. The fact that a vulnerability was discovered as recently as 2025-09-05, and it remains unpatched, is a critical issue. This suggests a lack of ongoing maintenance or a failure to address known security flaws promptly, further amplifying the risks associated with the identified code signals.