Skimlinks Affiliate Marketing Tool Security & Risk Analysis

The Skimlinks plugin v1.3.1 presents a mixed security posture. On the positive side, the static analysis reveals a very small attack surface with no identifiable entry points like AJAX handlers, REST API routes, or shortcodes that lack authentication or permission checks. Additionally, all SQL queries are properly prepared, and there are no file operations, mitigating common vulnerability vectors. However, several concerning signals warrant attention. The presence of the `create_function` dangerous function is a significant red flag, as it can be exploited for code injection if not handled with extreme care, although no specific taint flows were detected in this analysis. Furthermore, the output escaping is only at 32%, suggesting a substantial risk of Cross-Site Scripting (XSS) vulnerabilities across various output contexts. The plugin also makes external HTTP requests, which could be a vector for Server-Side Request Forgery (SSRF) if not properly validated and sanitized.

The plugin's vulnerability history is particularly troubling, with two known CVEs, one of which remains unpatched. Both historical vulnerabilities are classified as medium severity and are related to Server-Side Request Forgery (SSRF) and Missing Authorization. This pattern indicates a recurring weakness in the plugin's handling of external interactions and access control. The fact that a vulnerability is still unpatched as of a future date (2025-09-22) is a critical concern, as it leaves users exposed to known exploits. While the current static analysis doesn't reveal exploitable taint flows or direct vulnerabilities, the combination of poor output escaping, the use of a dangerous function, and a history of SSRF and authorization issues, coupled with an unpatched CVE, paints a picture of a plugin that requires immediate attention and patching to mitigate significant risks.