qTranslate X Cleanup and WPML Import Security & Risk Analysis

The "qtranslate-to-wpml-export" plugin v3.0.2 presents a moderate security risk. While the static analysis indicates a lack of dangerous functions, SQL injection vulnerabilities through prepared statements, and no external HTTP requests, there are notable areas of concern. The presence of two AJAX handlers without authentication checks significantly increases the attack surface, as these can potentially be exploited by unauthenticated users. Furthermore, the low percentage of properly escaped output (11%) suggests a risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website.

The plugin's vulnerability history, including one medium-severity CVE, highlights a past tendency towards missing authorization issues. Although there are no currently unpatched vulnerabilities, this historical pattern, combined with the current finding of unprotected AJAX endpoints, suggests a recurring security weakness. The limited taint analysis (0 flows) is a positive sign, but it doesn't negate the risks identified in the attack surface and output escaping metrics.

In conclusion, "qtranslate-to-wpml-export" v3.0.2 has some positive security attributes, such as the absence of dangerous functions and a good rate of prepared SQL statements. However, the unprotected AJAX endpoints and inadequate output escaping are significant weaknesses that require immediate attention. The past vulnerability also warrants caution. Developers should prioritize implementing proper authentication and authorization checks for all AJAX endpoints and ensure all output is properly escaped to mitigate the identified risks.