Sertifier Certificate & Badge Maker for WordPress – Tutor LMS Security & Risk Analysis

The "sertifier-certificates-open-badges" v1.21 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals strong adherence to secure coding practices. The attack surface is relatively small with all identified entry points (AJAX handlers) being protected by authentication checks. The plugin also demonstrates good data handling, with a high percentage of SQL queries using prepared statements and outputs being properly escaped. File operations and dangerous functions are absent, which are excellent indicators of security awareness.

However, the plugin's vulnerability history is a significant concern. It has a history of two known CVEs, with one currently unpatched. These past vulnerabilities were identified as Cross-Site Request Forgery (CSRF) and Missing Authorization, indicating potential weaknesses in how user actions and permissions are handled. The fact that a vulnerability was patched as recently as August 2025 suggests ongoing security challenges or a recent discovery. While taint analysis showed no critical or high-severity issues, the historical pattern of authorization and CSRF vulnerabilities, coupled with the unpatched CVE, elevates the overall risk.

In conclusion, while the current version's code analysis shows good security practices in isolation, the persistent history of medium-severity authorization and CSRF vulnerabilities, particularly the unpatched one, presents a notable risk. Administrators should prioritize addressing the unpatched CVE and remain vigilant about potential future security issues stemming from these recurring vulnerability types.