SendPulse Free Web Push Security & Risk Analysis

The sendpulse-web-push plugin version 1.3.9 presents a mixed security posture. On the positive side, static analysis reveals no direct entry points like AJAX handlers, REST API routes, or shortcodes that lack authentication. The plugin also demonstrates good practices by exclusively using prepared statements for SQL queries and not making external HTTP requests. This suggests a generally well-defined and controlled interaction with the WordPress core and external services.

However, concerns arise from the output escaping. With 41% of 34 outputs properly escaped, there's a significant portion (59%) that may be vulnerable to cross-site scripting (XSS) attacks if user-supplied data is not adequately sanitized before being displayed. The vulnerability history also reveals two past CVEs, including a high-severity XSS and a medium-severity CSRF, indicating a recurring pattern of input sanitization and authorization issues. While currently unpatched CVEs are zero, the existence of past vulnerabilities, especially XSS, suggests a need for vigilance in code quality and input validation.

In conclusion, while the plugin avoids common pitfalls like raw SQL or a large, unprotected attack surface, the insufficient output escaping and past XSS vulnerabilities are significant weaknesses. The lack of capability checks on the identified entry points is also a concern, despite there being no unprotected entry points. Users should be aware of the potential for XSS and CSRF and ensure they are using the latest patched versions of the plugin.