Move Addons for Elementor Security & Risk Analysis

The plugin "move-addons" v1.3.8 exhibits a mixed security posture. On the positive side, the static analysis reveals robust security practices in several key areas. All identified AJAX handlers and REST API routes have proper authorization checks in place, and there are no shortcodes or cron events that could present an attack surface. Furthermore, the plugin exclusively uses prepared statements for its SQL queries and demonstrates a commitment to input sanitization with a significant portion of its outputs being properly escaped. However, there are notable areas of concern. A substantial 40% of outputs are not properly escaped, indicating a potential for Cross-Site Scripting (XSS) vulnerabilities. The presence of two external HTTP requests, while not inherently dangerous, warrants closer inspection to ensure they are handled securely. The plugin's vulnerability history is a significant red flag, with a total of 8 known CVEs, all classified as medium severity. Although none are currently unpatched, this pattern of multiple medium-severity vulnerabilities, including Exposure of Sensitive Information, Cross-site Scripting, and Missing Authorization, suggests a recurring tendency for security flaws to emerge in the plugin. The most recent vulnerability being in late 2024 is particularly concerning given the current date.