MountDev AI MCP Connector Security & Risk Analysis

The mountdev-ai-mcp-connector plugin version 1.1.1 exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to secure coding practices by using prepared statements for all SQL queries and properly escaping all output. The presence of numerous nonce and capability checks further indicates an awareness of WordPress security best practices. The plugin also has no recorded vulnerability history, suggesting a relatively clean past.

However, a significant concern arises from the static analysis of its attack surface. The plugin exposes 6 out of 19 total entry points (AJAX handlers and REST API routes) without proper authorization checks. While taint analysis did not reveal any critical or high-severity vulnerabilities, the presence of 4 flows with unsanitized paths, even if not currently exploitable as critical, warrants attention as they represent potential vectors for future issues if not handled carefully. The external HTTP requests also introduce a minor risk if the target endpoints are compromised or misconfigured.

Overall, while the plugin's core database and output handling are secure, the unprotected entry points represent a tangible risk. The lack of past vulnerabilities is encouraging, but the identified unsanitized paths and unprotected entry points suggest that while the plugin might be in a decent state now, there are areas that require immediate attention to maintain a strong security posture and prevent potential future exploits.