Brilliant Web-to-Lead for Salesforce Security & Risk Analysis

The Salesforce WordPress to Lead plugin, version 2.7.3.9, exhibits a mixed security posture. While the static analysis highlights some good practices, such as 100% of SQL queries using prepared statements and a high percentage of properly escaped output, significant concerns remain. The lack of any nonce checks or capability checks for its single shortcode is a notable weakness, as this represents a potential entry point without proper authorization or validation. Furthermore, the plugin has a history of vulnerabilities, with one unpatched medium severity CVE and a past incident involving Cross-Site Request Forgery (CSRF). The presence of two external HTTP requests also warrants scrutiny, as these could be exploited if not handled securely.

The taint analysis reveals two flows with unsanitized paths, which, while not classified as critical or high severity in this analysis, indicate potential areas where user-supplied data could be processed insecurely. The vulnerability history, particularly the ongoing unpatched medium CVE and the past CSRF issue, suggests a recurring pattern of security oversights. Although there are strengths in its query and output handling, the identified lack of checks on its shortcode and the unaddressed historical vulnerabilities present tangible risks that users should be aware of.