Pro Addons For Elementor | Premium Addons Security & Risk Analysis

The "pro-addons-for-elementor" plugin version 1.9.0 exhibits a mixed security posture. While it demonstrates good practices such as using prepared statements for all SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface. Specifically, the plugin exposes two entry points without authentication or proper permission checks: one AJAX handler and one REST API route. This is a critical oversight that could allow unauthenticated attackers to interact with potentially sensitive plugin functionality.

Taint analysis indicates no critical or high-severity vulnerabilities, which is a positive sign. However, the presence of four unsanitized paths in taint analysis, even without critical severity, suggests potential areas for subtle vulnerabilities if not handled with extreme care. The plugin's vulnerability history includes a medium-severity Cross-Site Scripting (XSS) vulnerability in the past, indicating that input sanitization and output escaping, despite being largely effective, are areas that have historically been problematic and require ongoing vigilance.

In conclusion, the plugin has strengths in its database query handling and output escaping. However, the unprotected entry points represent a significant and immediate risk. The history of XSS vulnerabilities, coupled with the identified unsanitized paths, suggests that while the core implementation is relatively secure, the handling of user-supplied input and accessible endpoints needs to be rigorously reviewed and secured. The lack of unpatched vulnerabilities is encouraging, but the exposed attack surface and past XSS issues warrant caution.