Smartarget – Chat Buttons & Engagement Apps Security & Risk Analysis

The 'smartarget-contact-us' v1.5.3 plugin exhibits a concerning security posture despite some positive indicators. While the static analysis shows a clean slate regarding dangerous functions, SQL injection, file operations, and external HTTP requests, the lack of any identified attack surface entry points (AJAX, REST API, shortcodes, cron events) is unusual and potentially hides vulnerabilities. Furthermore, the significantly low percentage of properly escaped output (46%) is a major red flag, indicating a high likelihood of Cross-Site Scripting (XSS) vulnerabilities. The absence of nonce and capability checks on any discovered entry points, though the number is zero, further contributes to potential insecurities if any were to be introduced or overlooked in the analysis.

The vulnerability history is a critical concern. The plugin has a known medium severity CVE that remains unpatched. The historical pattern of Cross-Site Scripting (XSS) vulnerabilities suggests a recurring issue with how user-provided data is handled. This, combined with the poor output escaping observed in the static analysis, strongly suggests that the plugin has a systemic weakness in sanitizing and escaping user input, making it susceptible to XSS attacks. While the plugin avoids some common pitfalls, the unpatched XSS vulnerability and the low output escaping percentage are significant weaknesses that outweigh the strengths.