Sales Page Addon – Elementor & Beaver Builder Security & Risk Analysis

The sales-page-addon plugin exhibits a concerning security posture, primarily due to a significant number of unprotected AJAX handlers. While the plugin demonstrates good practices in its handling of SQL queries, utilizing prepared statements exclusively, and a relatively high percentage of properly escaped output, these strengths are overshadowed by critical weaknesses in access control. The presence of 8 AJAX handlers that lack authentication checks exposes a large attack surface to unauthorized users, potentially allowing them to trigger plugin functionalities without proper validation. Furthermore, the taint analysis reveals 3 flows with unsanitized paths, indicating potential vulnerabilities, although they are not currently classified as critical or high severity. The plugin's vulnerability history, including a medium severity Cross-Site Scripting (XSS) vulnerability discovered recently and remaining unpatched, further amplifies the risk. This suggests a pattern of introducing vulnerabilities and a lack of timely patching, which is a significant red flag for ongoing security. The combination of a broad, unprotected entry point and a history of unpatched vulnerabilities indicates a need for immediate attention to address these security gaps.