
OneSignal Sender Security & Risk Analysis
wordpress.org/plugins/onesignal-sender
This plugin is an addon to OneSignal - Free Web Push Notifications that gives the user the ability to control (Send, Schedule, Check, Cancel) Notifica …
Is OneSignal Sender Safe to Use in 2026?
Generally Safe
Score 85/100
OneSignal Sender has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The onesignal-sender v1.4 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by having no known CVEs, no critical or high severity taint flows, and all SQL queries are properly prepared. The attack surface is relatively small with only four AJAX handlers, and importantly, none of these are identified as unprotected, suggesting authentication checks are in place for these entry points. The absence of shortcodes, cron events, and REST API routes further limits potential attack vectors.
However, a significant concern arises from the complete lack of output escaping for all identified outputs (75 total). This represents a critical weakness, as it leaves the plugin highly susceptible to Cross-Site Scripting (XSS) vulnerabilities. Any user-supplied data that is displayed by the plugin without proper escaping could be manipulated by an attacker to inject malicious scripts, potentially leading to session hijacking, credential theft, or defacement. The presence of 6 external HTTP requests also warrants attention, as these could be a vector for other types of attacks if not handled securely, although the static analysis did not reveal specific issues here.
The vulnerability history shows no recorded issues, which suggests either a well-maintained plugin or one that has not been extensively targeted or found to have flaws. Nevertheless, the lack of output escaping is a severe and fundamental security oversight that overshadows the otherwise positive aspects. The plugin needs immediate attention to address the output escaping deficiency and mitigate significant XSS risks.
Key Concerns
- 0% output escaping
- External HTTP requests present (6)
OneSignal Sender Security Vulnerabilities
OneSignal Sender Code Analysis
Output Escaping
Data Flow Analysis
OneSignal Sender Attack Surface
AJAX Handlers 4
WordPress Hooks 3
OneSignal Sender Maintenance & Trust
Maintenance Signals
Community Trust
OneSignal Sender Alternatives
Admin Customizer
admin-customizer
A plugin for customizing your admin panel.
Dashboard Notes
dashboard-notes
Easily create notes/instructions in the WordPress admin using any widget you like!
Admin Menu Slide
admin-menu-slide
Adds a feature to hide admin menu and make it slide when hovering on the edge of the screen.
Admin Tag UI
admin-tag-ui
Improves the tag sections located in the admin backend (WordPress dashboard) classic editor post screens.
Nuxt Panel
nuxt-panel
Use Nuxt Panel plugin for Enhanced admin Experience
OneSignal Sender Developer Profile
1 plugin · 400 total installs
How We Detect OneSignal Sender
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/onesignal-sender/js/Intimidatetime-master/dist/Intimidatetime.min.css
- /wp-content/plugins/onesignal-sender/js/Intimidatetime-master/dist/Intimidatetime.min.js
- /wp-content/plugins/onesignal-sender/js/moment/moment.js
- /wp-content/plugins/onesignal-sender/js/moment/moment-timezone-with-data.js
- onesignal-sender/js/Intimidatetime-master/dist/Intimidatetime.min.css?ver=
- onesignal-sender/js/Intimidatetime-master/dist/Intimidatetime.min.js?ver=
- onesignal-sender/js/moment/moment.js?ver=
- onesignal-sender/js/moment/moment-timezone-with-data.js?ver=
HTML / DOM Fingerprints
- oss_plugin_options
- oss_settings_page
- elt
- error_notice
- todo_list
- the_right_path
- settings_form
- notice_hr
- name="oss_settings_page"
- value="<?php echo get_option('oss_settings_page'); ?>"