PushAlert – Web Push Notifications for WordPress and WooCommerce Security & Risk Analysis

The "pushalert-web-push-notifications" plugin v2.9.0 exhibits a generally good security posture based on the static analysis. The absence of SQL injection vulnerabilities due to prepared statements, a limited attack surface with only one AJAX handler (which is reportedly protected), and the lack of known CVEs are positive indicators. The plugin also demonstrates good practice by performing nonce checks on its entry points.

However, there are areas for improvement. The output escaping is only properly handled in 45% of cases, indicating a potential risk of cross-site scripting (XSS) vulnerabilities. While no critical or high severity taint flows were identified, the presence of one flow with unsanitized paths warrants attention as it could lead to unexpected behavior or expose sensitive information if exploited. The limited capability checks also suggest that authorization might not be as robust as it could be for all actions.

Overall, the plugin appears to be relatively secure, especially given its clean vulnerability history. The primary concerns revolve around the potential for XSS due to insufficient output escaping and the single identified unsanitized path, which should be investigated and remediated to further strengthen its security.