Live Chat Plugin for Elementor – LiveChat Security & Risk Analysis

The "livechat-elementor" plugin v5.0.11 exhibits a mixed security posture. On the positive side, all identified outputs are properly escaped, and there are no identified dangerous functions or file operations. The plugin also correctly handles external HTTP requests and has a history of no currently unpatched vulnerabilities, with the last known vulnerability being a medium severity CSRF issue from early 2024, which is now patched. This indicates good remediation practices for past issues.

However, significant concerns arise from the attack surface analysis. The plugin exposes three unprotected AJAX handlers, presenting a substantial risk of unauthorized actions if exploited. While the plugin has nonce checks and capability checks in some areas, the absence of these on a majority of its AJAX entry points is a critical weakness. The static analysis also reveals that its single SQL query does not utilize prepared statements, which, although a single instance, increases the risk of SQL injection vulnerabilities.

In conclusion, while the plugin has strengths in output sanitization and prompt patching of historical vulnerabilities, the presence of multiple unprotected AJAX endpoints and the use of raw SQL queries are significant security weaknesses that warrant immediate attention. The potential for unauthorized actions through the unprotected AJAX handlers is the most pressing concern.