PDF Builder for WPForms Security & Risk Analysis

The "pdf-builder-for-wpforms" plugin v1.2.141 exhibits a mixed security posture. On the positive side, it demonstrates good practices in its handling of SQL queries, with a high percentage utilizing prepared statements. The plugin also includes a reasonable number of capability checks and a single nonce check, indicating some awareness of security principles.

However, significant concerns arise from the static analysis. The plugin exposes a substantial attack surface through four AJAX handlers, all of which lack authentication checks. This is further compounded by five high-severity taint flows with unsanitized paths, suggesting potential vulnerabilities that could be exploited by an attacker. The output escaping is also a weakness, with 57% of outputs not being properly escaped, which increases the risk of cross-site scripting (XSS) vulnerabilities. The presence of bundled libraries, particularly TCPDF v1.0.004, which is an older version, could also introduce known or unknown security flaws.

The vulnerability history, though showing no currently unpatched CVEs, reveals a past with two medium-severity vulnerabilities, including Exposure of Sensitive Information and Cross-site Scripting. The recent nature of the last vulnerability (August 2024) indicates ongoing security challenges for this plugin. While the absence of unpatched critical or high vulnerabilities is a strength, the pattern of past medium-severity issues combined with the current code-level risks points to a need for significant security improvements.