NPS computy Security & Risk Analysis

The "nps-computy" v2.8.4 plugin exhibits a mixed security posture. While it demonstrates some good practices, such as a low number of external HTTP requests and file operations, significant concerns remain. The presence of two AJAX handlers without authentication checks presents a direct attack vector, potentially allowing unauthorized users to trigger plugin functionality. Furthermore, the static analysis reveals that a substantial portion of SQL queries are not using prepared statements, increasing the risk of SQL injection vulnerabilities. The output escaping is also a concern, with a notable percentage of outputs not being properly escaped, which could lead to cross-site scripting vulnerabilities.

The plugin's vulnerability history is particularly alarming, with four known CVEs, including one high-severity and three medium-severity issues. The historical prevalence of Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities suggests a recurring pattern of insecure coding practices related to input handling and state management. Although there are currently no unpatched vulnerabilities, the sheer number and types of past issues indicate a systemic weakness that needs addressing. The presence of an outdated bundled library (DataTables v1.10.21) also adds to the risk profile.

In conclusion, while the plugin avoids certain high-risk areas like critical taint flows or raw file operations, the combination of unprotected entry points, insecure SQL practices, insufficient output escaping, and a history of common and severe vulnerabilities points to a moderate to high overall security risk. Addressing the unprotected AJAX handlers, improving SQL sanitation, and ensuring proper output escaping are critical next steps to improve its security.