Multi-step Forms FREE (for Elementor) Security & Risk Analysis

The plugin "multi-step-forms-free-for-elementor" v1.2.4 exhibits a mixed security posture. On the positive side, it demonstrates good practices by avoiding dangerous functions, performing all SQL queries using prepared statements, and having no recorded vulnerabilities or CVEs. However, significant concerns arise from the static analysis. The plugin exposes a single REST API route without any permission checks, creating a substantial attack vector. Furthermore, a critical 96% of its output is not properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The absence of nonce checks and capability checks on its single entry point exacerbates these issues, making it vulnerable to various attacks if an attacker can trigger the REST API endpoint.

While the lack of known vulnerabilities is a positive indicator, it may be attributed to its relatively small attack surface and the potential for undiscovered issues due to the high percentage of unescaped output. The absence of taint analysis flows is also noted, which could mean that either no flows were analyzed or that no critical/high severity flows were detected. Overall, the plugin has a strong foundation with regards to data handling (SQL), but the lack of input validation and output escaping on its exposed REST API endpoint presents a significant, actionable security risk.