PulseMaps Visitor World Map Security & Risk Analysis

The "pulsemaps" plugin version 1.7.2 exhibits a mixed security posture. On the positive side, it demonstrates good practices regarding database interactions, with 100% of SQL queries using prepared statements, and it has no recorded vulnerability history, suggesting a relatively stable and secure past. The absence of bundled libraries also removes a potential vector for outdated and vulnerable third-party code.

However, significant concerns arise from the static analysis. The plugin possesses an unprotected AJAX handler, which represents a direct entry point for potential attackers without any authorization checks. Furthermore, the code signals a dangerous function usage with `create_function`, and a concerningly low rate of output escaping (only 3% properly escaped) indicates a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis, while showing no critical or high severity flows, did identify a flow with unsanitized paths, which could be a precursor to more severe issues if exploited in conjunction with other weaknesses.

Overall, while the lack of historical vulnerabilities is a positive indicator, the presence of an unprotected AJAX endpoint, the use of a dangerous function, and the poor output escaping are critical weaknesses that significantly elevate the risk profile of this plugin. These issues demand immediate attention and remediation.