Share computy Security & Risk Analysis

The 'share-computy' plugin version 1.2.6 exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for its SQL queries and avoids dangerous functions and file operations. The absence of known CVEs and a clean vulnerability history suggest a generally well-maintained codebase. However, significant security concerns arise from the static analysis. The plugin exposes two AJAX handlers without any authentication or capability checks. This is a critical weakness, as it allows any user, including unauthenticated ones, to trigger potentially sensitive functionality. Furthermore, only 22% of output is properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. The complete lack of nonce checks on AJAX handlers exacerbates the risk of CSRF attacks in conjunction with the unprotected AJAX endpoints. While the plugin is free from critical taint analysis findings and has no recorded historical vulnerabilities, the identified static analysis issues present a substantial attack surface that requires immediate attention.