RollerAds – Web Push Notifications Security & Risk Analysis

The rollerads v1.1 plugin exhibits a concerning security posture despite its lack of recorded historical vulnerabilities. The static analysis reveals a critical weakness in its REST API implementation, with one route exposed without any permission callbacks. This means any unauthenticated user could potentially interact with this endpoint, leading to unintended actions or data exposure if the endpoint's functionality is sensitive. Furthermore, the complete lack of output escaping across all identified output points is a significant concern. This opens the door to Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website that could be executed in users' browsers. While the absence of dangerous functions, raw SQL queries, file operations, and external HTTP requests are positive indicators, the identified unprotected REST API endpoint and the pervasive unescaped output represent immediate and substantial security risks that require urgent attention.