Marker.io – Visual Website Feedback Security & Risk Analysis

The marker-io plugin version 1.2.2 presents a mixed security posture. On the positive side, the static analysis reveals a clean attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are directly exposed. The code also demonstrates good practices by utilizing prepared statements for all SQL queries and implementing nonce and capability checks. However, the presence of two known medium severity CVEs, both related to Cross-Site Request Forgery (CSRF), is a significant concern. While these vulnerabilities are currently unpatched, their historical nature suggests potential for remediation in later versions, but the fact they existed at all warrants caution. The high percentage of properly escaped output (85%) is a strength, but the remaining 15% could still be a vector for certain types of cross-site scripting (XSS) attacks, though no specific taint flows were identified in this analysis. The lack of identified taint flows or dangerous functions is positive, but it does not negate the historical vulnerability data. Overall, while the current code seems to have a good foundation for security, the past vulnerabilities cannot be ignored and suggest that thorough review and patching are crucial for this plugin.