myLoyal – reward, point, gamification and loyalty plugin with easy but smart yet rules Security & Risk Analysis

The 'myloyal' plugin v1.0.1 presents a mixed security posture. While it demonstrates good practices by avoiding dangerous functions, direct SQL queries, file operations, and external HTTP requests, and exclusively uses prepared statements for its SQL queries, significant security concerns remain. The presence of two unprotected AJAX handlers represents a considerable attack surface, as these entry points could be exploited by unauthenticated users. Furthermore, the low rate of output escaping (17%) indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, as user-supplied data may not be properly sanitized before being displayed on the frontend. The plugin's clean vulnerability history is a positive indicator, suggesting a history of responsible development or a lack of past exploitation. However, this should not overshadow the immediate risks identified in the static analysis. In conclusion, while the plugin avoids common pitfalls like raw SQL and dangerous functions, the unprotected AJAX handlers and pervasive XSS risks are significant weaknesses that require immediate attention. The lack of taint flow analysis and nonce checks also contribute to an incomplete security picture, though the primary concerns are the exposed AJAX endpoints and insufficient output sanitization.