Quote Master Security & Risk Analysis

The quote-master plugin version 7.1.1 presents a mixed security posture. While it boasts a relatively small attack surface with no unprotected entry points, several code signals raise significant concerns. The presence of the dangerous `create_function` function, coupled with 100% of SQL queries not utilizing prepared statements, indicates a high susceptibility to code injection and SQL injection vulnerabilities. Furthermore, the low percentage of properly escaped output (37%) suggests a substantial risk of Cross-Site Scripting (XSS) attacks. The taint analysis revealing flows with unsanitized paths, although not classified as critical or high severity, further exacerbates these concerns, indicating potential for data leakage or manipulation.

The plugin's vulnerability history, specifically a medium severity Cross-Site Scripting (XSS) vulnerability that remains unpatched (dated 2026-01-16), is a critical red flag. This indicates a pattern of security issues and a lack of timely patching, leaving existing vulnerabilities exposed. The lack of nonce checks and the presence of capability checks only on two entry points mean that even though the entry points themselves are not directly unprotected, the processing of data within them might lack sufficient integrity and authorization checks. In conclusion, while the plugin's attack surface is contained, the significant code quality issues, particularly around SQL sanitization and output escaping, combined with a history of unpatched vulnerabilities, make this version a considerable security risk that requires immediate attention and remediation.