Live Landing Page Composer – visual landing page builder for digital marketers Security & Risk Analysis

The plugin "live-composer-lite" v1.0.2 presents a generally strong security posture based on the provided static analysis and vulnerability history. The absence of any known CVEs and a complete lack of critical or high-severity taint flows are significant positive indicators. Furthermore, the plugin demonstrates good practices by exclusively using prepared statements for SQL queries and implementing a substantial number of capability checks across its entry points. The attack surface, while containing multiple AJAX handlers and shortcodes, is reported as having no unprotected entry points, which is a key security strength.

However, there are areas for concern that temper this otherwise positive assessment. The presence of three instances of the `create_function` function, a deprecated and often insecure PHP function, is a notable risk signal. More critically, only 4% of output escaps are properly handled, indicating a high potential for Cross-Site Scripting (XSS) vulnerabilities. While taint analysis didn't reveal immediate exploit paths, the sheer volume of unsafely escaped output represents a significant attack surface that could be leveraged if an attacker can inject data into these outputs.

In conclusion, the plugin benefits from a clean vulnerability history and diligent use of prepared statements and capability checks. The lack of known exploits suggests a relatively mature codebase. Nevertheless, the reliance on `create_function` and, more importantly, the extensive unescaped output present tangible security risks. Addressing these specific code quality issues, particularly the output escaping, would significantly improve the plugin's overall security.