Mergado Pack Security & Risk Analysis

The "mergado-marketing-pack" plugin v4.2.1 exhibits a concerning security posture, primarily due to a large number of unprotected AJAX handlers. While the plugin shows good practices in using prepared statements for SQL queries and has a relatively low number of file operations and external HTTP requests, the absence of authentication checks on all identified entry points is a significant weakness. This directly exposes a large attack surface, making the plugin susceptible to unauthorized actions if other security measures are bypassed or absent.

The static analysis highlights a critical lack of security controls, with all 14 detected AJAX handlers lacking authentication. The taint analysis, while not revealing critical or high severity unsanitized flows, still shows 10 flows with unsanitized paths, which could potentially lead to unexpected behavior or vulnerabilities if combined with other weaknesses. The complete absence of nonce checks on these handlers is a glaring omission, especially given the plugin's history of Cross-Site Request Forgery (CSRF) vulnerabilities.

The vulnerability history, with two currently unpatched medium severity CVEs, reinforces the ongoing security risks associated with this plugin. The fact that these are medium severity and unpatched indicates a persistent need for attention. The recurrence of CSRF as a common vulnerability type further emphasizes the lack of proper input validation and authorization checks. While the plugin demonstrates some positive coding practices, the high number of unprotected entry points and the history of unpatched vulnerabilities present a substantial risk.