RS Elements Elementor Addon Security & Risk Analysis

The rselements-lite plugin version 1.1.5 exhibits a mixed security posture. On the positive side, the static analysis reveals no dangerous functions, all SQL queries are prepared, and the vast majority of output is properly escaped. File operations and external HTTP requests are also absent, reducing potential attack vectors. However, the complete absence of AJAX handlers, REST API routes, shortcodes, and cron events as entry points is unusual and could indicate a lack of functionality that typically interfaces with user input. While taint analysis shows no identified unsanitized paths, the zero flows analyzed is a concern, suggesting either no flows were detectable or the analysis was incomplete.

The plugin's vulnerability history is a significant concern. It has a known, currently unpatched medium-severity CVE related to Cross-Site Scripting (XSS). The fact that the last vulnerability was recorded in April 2025 suggests a recent exposure, and the presence of an unpatched issue poses a direct and immediate risk. The consistent pattern of XSS vulnerabilities in the past, even if this is the only one listed, points to a potential weakness in how the plugin handles user-provided data when rendering output.

In conclusion, while rselements-lite v1.1.5 demonstrates good practices in secure coding concerning SQL and output escaping, the unpatched XSS vulnerability is a critical risk that overshadows these strengths. The lack of identified entry points in the static analysis warrants further investigation to understand the plugin's full functionality and potential hidden attack surfaces. The current unpatched CVE makes this plugin a medium-risk component, and immediate patching is highly recommended.