Store Locator Plus® | Extenders Security & Risk Analysis

The plugin "slp-extenders" v6.1.1 exhibits a generally strong security posture with a clean vulnerability history and a high percentage of properly escaped outputs and prepared SQL statements. The absence of known CVEs and a lack of recorded past vulnerabilities are positive indicators. However, the static analysis reveals a few areas for concern. The presence of the deprecated `create_function` is a notable risk, as it can lead to security vulnerabilities if used with user-supplied input, although the taint analysis did not identify any critical or high severity flows related to this. Additionally, the complete lack of nonce checks is a significant weakness. While there are no directly exploitable entry points detected (like AJAX handlers or REST API routes without authentication), the absence of nonce verification means that even if such entry points were added in the future without proper authentication checks, they would be vulnerable to Cross-Site Request Forgery (CSRF) attacks. The bundled Freemius library at v1.0 may also be outdated, which could present its own set of risks if it contains known vulnerabilities.

Overall, the plugin's current state appears relatively secure due to its limited attack surface and good output sanitization practices. The main identified risks stem from the use of a deprecated function and the complete absence of nonce checks, which indicates a lack of defense-in-depth against potential CSRF attacks. The vulnerability history is a significant strength, suggesting a commitment to security or simply a lack of exposure. However, relying solely on the absence of past vulnerabilities can be misleading, and proactive security measures like proper nonce implementation should be prioritized to strengthen its resilience against future threats.