Softech Form Builder Security & Risk Analysis

The "softech-form-builder" plugin version 1.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for all SQL queries and achieving a high percentage (92%) of properly escaped outputs. There are no known CVEs associated with this plugin, and it does not bundle any libraries, further reducing potential risks from outdated components. However, the static analysis reveals significant concerns. The plugin has a total of 5 entry points, with 2 of these (AJAX handlers) lacking authentication checks. Furthermore, the taint analysis indicates 4 high-severity flows with unsanitized paths, suggesting potential for attackers to exploit these uncontrolled data flows. While the absence of known historical vulnerabilities is a strength, the presence of critical security signals within the static analysis warrants caution. The high-severity taint flows and unprotected AJAX handlers are the most pressing issues. These weaknesses, despite the plugin's otherwise solid coding practices regarding SQL and output escaping, create exploitable pathways that could compromise the security of a WordPress site. Therefore, while the plugin shows promise with its handling of database queries and output, the identified unprotected entry points and high-severity taint flows represent clear security risks.