Manager for Icomoon Security & Risk Analysis

The 'manager-for-icomoon' plugin v2.4 presents a mixed security posture. While it demonstrates good practices such as exclusively using prepared statements for SQL queries and having no bundled libraries, significant concerns arise from its attack surface and output escaping. The presence of two unprotected AJAX handlers is a major security flaw, as it allows unauthenticated users to potentially execute arbitrary code or manipulate plugin functionality. The low percentage of properly escaped output (33%) indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the WordPress admin area or user-facing pages.

The vulnerability history is particularly concerning. Two known CVEs, including a past critical vulnerability related to unrestricted file uploads and XSS, suggest a pattern of exploitable flaws. Although there are currently no unpatched vulnerabilities, the historical severity of past issues indicates that future updates may not sufficiently address all potential risks. The lack of taint analysis data makes it difficult to assess the plugin's internal handling of potentially malicious data, but the static analysis findings strongly suggest an elevated risk profile.

In conclusion, the 'manager-for-icomoon' plugin v2.4 has notable strengths in its database interaction and lack of bundled libraries. However, the unprotected AJAX endpoints, poor output sanitization, and a history of critical vulnerabilities significantly outweigh these positives, marking it as a high-risk plugin requiring immediate attention and scrutiny. Users should exercise extreme caution.