Popup builder by AZEXO Security & Risk Analysis

The static analysis of the 'popup-builder-by-azexo' plugin v1.27.1 indicates a generally good security posture based on the provided metrics. There are no identified AJAX handlers, REST API routes, shortcodes, or cron events, resulting in zero identified entry points and zero unprotected entry points. Furthermore, the code shows no signs of dangerous functions, raw SQL queries, or file operations. The absence of external HTTP requests and a lack of bundled libraries further contribute to a reduced attack surface. Taint analysis also found no unsanitized paths, indicating a lack of critical or high-severity taint flows.

However, there are a couple of areas for concern that prevent a perfect score. The output escaping is only 50% properly implemented, with two total outputs analyzed and only one escaped. This could potentially lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is outputted without proper sanitization. Additionally, the absence of any nonce checks or capability checks across the entire codebase, while seemingly benign given the lack of entry points, represents a missed opportunity for robust security implementation. If new entry points were to be introduced in future versions or if hidden functionalities exist, this lack of checks could become a significant weakness.

The vulnerability history is currently clean, with zero known CVEs and no recorded vulnerabilities. This is a positive indicator, suggesting that the plugin has historically been maintained with security in mind or has not yet been the subject of significant security research. While this is reassuring, it doesn't negate the potential risks identified in the static analysis, particularly regarding output escaping and the general absence of authorization checks.