Personizely — A/B Testing, Personalization, Popups & CRO Security & Risk Analysis

The Personizely plugin v0.12 exhibits a mixed security posture. On the positive side, it demonstrates strong adherence to secure coding practices by avoiding dangerous functions, using prepared statements for all SQL queries, and implementing nonce and capability checks. The absence of file operations and external HTTP requests further reduces its attack surface. However, a significant concern arises from the low percentage of properly escaped output (27%), indicating a potential for Cross-Site Scripting (XSS) vulnerabilities, especially given its past vulnerability history.

The static analysis identified no critical or high severity taint flows, which is encouraging. The plugin's vulnerability history, while showing only one past medium severity CVE related to XSS, suggests that proper input sanitization and output escaping remain areas requiring vigilance. The fact that the last vulnerability was recorded on 2025-05-02 suggests recent awareness but also highlights that vulnerabilities can still emerge.

In conclusion, while Personizely v0.12 has made strides in securing its codebase, the prevalent issue of insufficient output escaping presents a tangible risk. This, coupled with a historical XSS vulnerability, necessitates careful attention to ensure all user-provided data displayed on the frontend is robustly sanitized. The plugin is generally well-protected regarding direct entry points, but the lack of comprehensive output escaping is its most significant weakness.