Reviews Widgets for Google & 45+ platforms by Repuso Security & Risk Analysis

The 'social-testimonials-and-reviews-widget' plugin version 5.32 exhibits a mixed security posture. The static analysis reveals good practices in several areas, with all identified AJAX handlers and REST API routes having appropriate authorization checks. The absence of raw SQL queries, file operations, and a low number of external HTTP requests are positive indicators. However, the plugin has a history of significant vulnerabilities, with 5 known CVEs, including one high and four medium severity issues, primarily related to missing authorization, Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF). While there are currently no unpatched vulnerabilities, this history suggests a pattern of recurring security weaknesses that attackers may exploit if new flaws are introduced or old ones reappear.

The code analysis flags one flow with an unsanitized path, indicating a potential risk, although it's not classified as critical or high severity. The output escaping rate of 83% also leaves room for improvement, with 17% of outputs potentially being unescaped, which could lead to XSS vulnerabilities if user-supplied data is involved. The presence of 7 AJAX handlers, while all protected, still represents a notable attack surface. The external HTTP request, though only one, warrants attention as it could be a vector for further exploitation if not properly secured.

In conclusion, while the plugin implements some strong security measures, particularly around SQL and authorization on its primary entry points, its past vulnerability history and the presence of unsanitized paths and unescaped outputs are significant concerns. Users should remain vigilant, and ongoing security audits are recommended to ensure these historical patterns do not repeat.