Kredeum NFTs, the easiest way to sell your NFTs directly on your WordPress site Security & Risk Analysis

The kredeum-nfts plugin v1.6.10 presents a mixed security posture. While it demonstrates good practices in output escaping, SQL query preparation, and the absence of critical taint analysis findings, significant concerns arise from its attack surface and lack of authorization checks. The presence of 3 AJAX handlers without authentication checks represents a notable risk, as these could potentially be exploited by unauthenticated users. Although there are no currently unpatched CVEs, the plugin has a history of a medium severity Cross-site Scripting vulnerability, which indicates past issues with input sanitization or output encoding, even though current static analysis shows 100% output escaping. The total lack of capability checks further amplifies the risk associated with unprotected entry points. The bundling of the dompdf library, while not explicitly flagged as an issue here, warrants attention for potential vulnerabilities in older versions. Overall, the plugin has strengths in preventing common code-level vulnerabilities but suffers from a critical weakness in access control for its AJAX endpoints, requiring immediate attention to mitigate potential exploitation. The past XSS vulnerability, even if patched, serves as a reminder of the need for robust input validation and authorization mechanisms.