Pronto – Mobile Site Convertor Security & Risk Analysis

The "obox-mobile" v1.1.1 plugin presents a significant security risk primarily due to its extensive unprotected AJAX endpoints. While the plugin shows no known historical vulnerabilities (CVEs), this absence does not guarantee future safety and should not be interpreted as a sign of robust security. The static analysis reveals a concerning lack of authentication and authorization checks on all nine identified AJAX handlers. This means any unauthenticated user could potentially trigger these handlers, leading to unintended actions or information disclosure.

The code analysis also flags one SQL query that does not use prepared statements, which is a potential avenue for SQL injection if user input is involved in constructing that query. Furthermore, a very low percentage (7%) of output escaping indicates a high likelihood of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the user interface.

Despite the absence of dangerous functions, file operations, external HTTP requests, and bundled libraries, the unprotected attack surface and poor output escaping are critical weaknesses. The taint analysis showing unsanitized paths, even without a critical severity rating, warrants attention as it indicates potential data flow issues that could be exploited in conjunction with other vulnerabilities.