releva.nz | Dynamisches Retargeting Security & Risk Analysis

The plugin 'releva-nz' v2.1.9 exhibits a mixed security posture. While it avoids dangerous functions, uses prepared statements for SQL, and has no recorded vulnerabilities, several concerning practices were identified in the static analysis. The presence of an unprotected AJAX handler represents a significant attack vector, as it lacks essential authentication and authorization checks, potentially allowing unauthenticated users to trigger malicious actions. Furthermore, a low rate of proper output escaping (24%) suggests a risk of cross-site scripting (XSS) vulnerabilities, where user-supplied data could be injected into the output without proper sanitization.

The plugin's vulnerability history is a positive indicator, showing no past CVEs. This suggests a generally mature development process and a history of responsible security practices. However, the lack of observed taint flows and the absence of nonce checks, while not directly indicating an issue in this version, could also suggest that these areas might not have been thoroughly analyzed or that simpler vulnerabilities are being addressed. The overall risk is moderate, primarily driven by the unprotected AJAX endpoint and the insufficient output escaping.