Stars Testimonials — Responsive Reviews & Star Ratings Security & Risk Analysis

The "stars-testimonials-with-slider-and-masonry-grid" plugin v3.3.5 presents a mixed security posture. While it demonstrates good practices in several areas, such as the consistent use of prepared statements for all SQL queries and a high percentage of properly escaped output, there are significant areas of concern. The presence of one AJAX handler without authentication checks represents a direct entry point for potential unauthorized actions or information disclosure. Furthermore, the static analysis reveals two flows with unsanitized paths, indicating a potential risk of vulnerabilities like Local File Inclusion if not handled carefully by the application logic.

The plugin's vulnerability history is particularly noteworthy, with three known CVEs, including one high and two medium severity vulnerabilities. These historical issues, specifically related to Improper Control of Filename for Include/Require Statement and Cross-site Scripting, suggest recurring weaknesses in how the plugin handles user-supplied input and file operations. The fact that the last vulnerability was relatively recent (2025-11-10) implies that past patching efforts may not have fully addressed underlying architectural flaws or that new vulnerabilities continue to be discovered. While there are currently no unpatched CVEs, the historical pattern warrants vigilance.

In conclusion, the plugin exhibits strengths in its SQL handling and output escaping. However, the unprotected AJAX handler, unsanitized input paths identified in taint analysis, and a history of serious vulnerabilities, particularly RFI and XSS, significantly elevate its risk profile. Users should be aware of these ongoing risks and ensure they are using the latest patched version, as well as implement additional security measures on their WordPress sites.