OneSignal – Web Push Notifications Security & Risk Analysis

The onesignal-free-web-push-notifications plugin version 3.8.0 presents a mixed security posture. On the positive side, the plugin demonstrates good practices in several areas, including 100% of SQL queries using prepared statements, a high percentage of properly escaped output (92%), and robust nonce and capability checks (8 and 6 respectively). It also has no known bundled libraries or critical/high severity taint flows, which are positive indicators of secure coding. However, significant concerns arise from the attack surface. There is one identified AJAX handler that lacks authentication checks, presenting a direct entry point for potential unauthorized actions or information disclosure. The plugin's history of medium severity vulnerabilities, particularly related to Missing Authorization and Cross-site Scripting, suggests a recurring pattern of security weaknesses that need careful attention.

The presence of an unprotected AJAX handler is a critical finding from the static analysis, as it bypasses WordPress's built-in security mechanisms. While taint analysis shows no critical or high severity issues currently, the past vulnerabilities highlight potential blind spots. The fact that there are no currently unpatched CVEs is a positive sign, but the historical trend of medium severity issues, especially those involving authorization and XSS, warrants a cautious approach. The plugin's strengths in prepared SQL statements and output escaping are commendable, but they are overshadowed by the direct unauthenticated entry point and the historical vulnerability patterns.