Optinly – Exit Intent, Newsletter Popups, Gamification & Opt-in Forms Security & Risk Analysis

The Optinly plugin v1.0.20 exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and having a very high percentage of properly escaped outputs. The absence of dangerous functions, file operations, and any critical or high severity taint analysis flows are also positive indicators. However, significant concerns arise from the attack surface analysis. With 6 total entry points, 3 of which lack permission callbacks, this exposes potential vulnerabilities. Furthermore, the plugin has a concerning history of 3 known CVEs, with 2 classified as high severity and 1 as medium. The common vulnerability types being Missing Authorization and Cross-Site Request Forgery (CSRF) directly correlate with the identified unprotected entry points and the potential for missing capability checks.

While the latest vulnerability was in June 2024 and there are currently no unpatched CVEs, the historical pattern suggests recurring issues with access control and authorization. The presence of unprotected REST API routes strongly indicates a weakness in securing sensitive functionalities. The static analysis, while highlighting good data handling practices, doesn't mitigate the risks posed by the unauthenticated entry points. The overall conclusion is that while the plugin is technically sound in its data handling, it suffers from critical authorization weaknesses that, combined with its vulnerability history, present a notable risk to WordPress sites.