NewPath WildApricotPress Add-on – Member Directory Security & Risk Analysis

The "newpath-wildapricotpress-add-on-member-directory" plugin v1.0.0 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by using prepared statements for all SQL queries and properly escaping all output, which significantly mitigates common injection and cross-site scripting vulnerabilities. There are no recorded vulnerabilities (CVEs) or dangerous function usage, indicating a history of diligent security practices.

However, there are significant concerns regarding the plugin's attack surface. A substantial portion of its entry points, specifically 4 out of 5, lack authentication checks. This includes all 4 REST API routes and the single AJAX handler. This oversight presents a high risk of unauthorized access and potential manipulation of plugin functionality by unauthenticated users. The absence of nonce checks on AJAX handlers further exacerbates this risk, making it easier for attackers to craft malicious requests. The lack of capability checks on REST API routes is also a serious concern, allowing any user, even those with minimal privileges, to interact with these endpoints.

While the plugin has a clean vulnerability history, the extensive unprotected entry points are a critical weakness that overshadows its strengths. The lack of taint analysis results might be due to the limited complexity or scope of the analyzed code, but the clear presence of unprotected endpoints is a direct and actionable security concern. It is strongly recommended to implement robust authentication and authorization checks on all exposed entry points before deployment.