WP Support by SproutedWeb Security & Risk Analysis

The "sproutedweb-wp-support" v2.3 plugin exhibits a mixed security posture. While it has no recorded vulnerability history, suggesting a history of stable code, the static analysis reveals several areas for improvement. A significant concern is the presence of 6 AJAX handlers without authentication checks, presenting a considerable attack surface. Furthermore, the plugin's SQL query practices are suboptimal, with only 14% of queries using prepared statements, increasing the risk of SQL injection vulnerabilities. Output escaping is also inconsistent, with 56% properly escaped, leaving potential for cross-site scripting (XSS) flaws. The taint analysis shows 5 flows with unsanitized paths, though thankfully none are classified as critical or high severity. The lack of capability checks on AJAX handlers is a notable weakness that should be addressed to strengthen the plugin's overall security. The plugin has a moderate number of entry points, and a significant portion of these are not protected by proper authorization. This, combined with the less than ideal SQL and output escaping practices, points to potential security weaknesses despite the absence of known CVEs.