MojoAuth Passwordless Authentication Security & Risk Analysis

The "mojoauth" plugin v2.7 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and shows no known historical vulnerabilities. This suggests a developer with some awareness of common security pitfalls. However, a significant concern arises from the static analysis, where a substantial portion of the attack surface, specifically 6 out of 7 entry points, are unprotected AJAX handlers. This lack of authentication checks on these handlers presents a significant risk of unauthorized actions if they can be triggered by unauthenticated users.

The code analysis also reveals that only 44% of output is properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities. While no critical or high severity taint flows were detected, the potential for XSS due to unescaped output on multiple entry points remains a notable weakness. The plugin also makes external HTTP requests, which, without further analysis, could be a vector for other types of attacks if not handled securely. The absence of nonce checks on AJAX handlers further exacerbates the risk associated with the unprotected entry points.

In conclusion, while the absence of historical CVEs and the use of prepared statements are strengths, the plugin's security is significantly undermined by the numerous unprotected AJAX handlers and the insufficient output escaping. These issues create a considerable risk of unauthorized actions and potential XSS vulnerabilities. Further investigation into the specific functionality of the unprotected AJAX handlers and the unescaped output is highly recommended to fully assess the impact.