Notifications for Forms & WordPress Actions Security & Risk Analysis

The 'notifier' plugin version 2.7.13 exhibits a mixed security posture. While it demonstrates good practices with a high percentage of prepared SQL statements and properly escaped output, there are concerning signals. The presence of unsanitized paths in the taint analysis, particularly a high-severity flow, is a significant risk. This indicates a potential for attackers to manipulate file paths or other inputs that are not adequately validated, which could lead to various security issues like unauthorized file access or manipulation.

The vulnerability history for 'notifier' is a major concern, with three known CVEs, two of which remain unpatched. The common vulnerability types, Missing Authorization and Cross-site Scripting (XSS), directly correlate with the potential risks identified in the static analysis, especially the unsanitized path flow. The fact that the last vulnerability was dated in the future (2026-01-20) is likely a data anomaly but the historical trend of past vulnerabilities is concerning. The plugin's attack surface, while protected by authorization checks for its AJAX handlers, still presents entry points that, when combined with past vulnerabilities and current taint analysis findings, warrant careful consideration.

In conclusion, 'notifier' v2.7.13 has strengths in its SQL and output handling but suffers from critical weaknesses. The unpatched vulnerabilities and the identified unsanitized path flow represent immediate threats. Users of this plugin should be aware of the historical and current risks and prioritize updating to a version that addresses these issues, if available, or consider alternatives. The plugin's historical pattern of authorization and XSS vulnerabilities, coupled with the current taint analysis, suggests a recurring need for diligent security auditing and patching.