Social Sharing Plugin – Kiwi Security & Risk Analysis

The plugin 'kiwi-social-share' v2.1.8 presents a mixed security posture. While the static analysis indicates a minimal attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events directly exposed without authentication, and all SQL queries using prepared statements, several concerning signals emerge. The significant percentage of improperly escaped output (30%) is a considerable risk, as it can lead to Cross-Site Scripting (XSS) vulnerabilities. Additionally, the presence of external HTTP requests without explicit mention of sanitization or authentication raises a potential flag for information disclosure or further attack vectors.

The vulnerability history is a major concern, with a total of four known CVEs, one of which remains unpatched. The types of past vulnerabilities, including XSS, exposure of sensitive information, and missing authorization, are serious and suggest a pattern of recurring security weaknesses. The presence of critical vulnerabilities in the past, even if currently patched, indicates that the plugin's development practices may not consistently prioritize robust security.

In conclusion, while 'kiwi-social-share' v2.1.8 has strengths in its limited attack surface and use of prepared statements for SQL, the high rate of unescaped output and the concerning vulnerability history, particularly the unpatched critical CVE, significantly elevate the risk. Users should exercise extreme caution and prioritize updating to a version that addresses all known vulnerabilities.