Ryviu – Review Importer & Product Reviews Security & Risk Analysis

The "ryviu" v3.1.26 plugin exhibits significant security concerns, primarily stemming from a substantial lack of authorization checks and a concerning reliance on potentially unsafe coding practices. The static analysis reveals that half of its attack surface, specifically 5 out of 10 entry points, are completely unprotected by authentication or authorization mechanisms. This makes these entry points highly vulnerable to unauthorized access and potential manipulation. Furthermore, the analysis highlights that 100% of its SQL queries are not using prepared statements, increasing the risk of SQL injection vulnerabilities. The low percentage of properly escaped output (34%) also suggests a high likelihood of cross-site scripting (XSS) vulnerabilities.

The vulnerability history reinforces these concerns, indicating a recurring pattern of "Missing Authorization" vulnerabilities. The presence of one unpatched medium-severity CVE, last identified in 2026, points to persistent security weaknesses that have not been fully addressed. While the plugin doesn't show critical taint flows or dangerous functions, the combination of numerous unprotected entry points, raw SQL queries, and insufficient output escaping, coupled with a history of authorization flaws, paints a picture of a plugin with a fragile security posture. Addressing the unprotected entry points and implementing robust input validation and output escaping are critical steps for improving its security.