REVE Chat – AI Chatbot, Live Chat, Helpdesk, Campaigns & More Security & Risk Analysis

The "revechat" plugin v6.4.4 presents a concerning security posture primarily due to significant vulnerabilities in its access control mechanisms and a history of known security issues. The static analysis reveals two direct entry points into the plugin: one AJAX handler and one REST API route, both of which lack proper authentication or permission checks. This oversight represents a critical weakness, as it allows any unauthenticated user to potentially interact with these functions, leading to unintended consequences or information disclosure. While the plugin demonstrates good practices in its SQL query handling, using prepared statements, and has no reported critical or high severity taint flows, the lack of output escaping on a substantial portion of its outputs (64%) raises concerns about potential Cross-Site Scripting (XSS) vulnerabilities. The plugin's vulnerability history, including a currently unpatched medium severity CVE, further exacerbates these concerns. The recurring theme of Cross-Site Request Forgery (CSRF) in past vulnerabilities, coupled with the absence of nonce checks, suggests a persistent pattern of inadequate security implementation regarding user actions.