Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress Security & Risk Analysis

The 'subscribe-to-unlock-lite' v1.3.1 plugin exhibits a mixed security posture. While it shows some positive signs like a low number of file operations and no external HTTP requests, significant concerns exist regarding its attack surface and vulnerability history. A notable weakness is the presence of 8 unprotected AJAX handlers, representing a large entry point for potential attacks. The taint analysis also flagged a high severity flow with unsanitized paths, which is a critical concern, even if it's not currently a listed CVE. The plugin's history of 2 high severity vulnerabilities, specifically 'PHP Remote File Inclusion,' even though they are currently patched, suggests a recurring pattern of insecure coding practices that could resurface. The presence of unsanitized paths in the taint analysis, combined with the historical RFI vulnerabilities, points to a potential for attackers to manipulate file operations.

Despite the positive aspects like a good percentage of prepared SQL statements and proper output escaping, the unprotected AJAX handlers and the historical RFI vulnerabilities are significant risks. The untainted paths identified in the taint analysis, coupled with the history of RFI, strongly suggest a susceptibility to file inclusion vulnerabilities. Therefore, while not entirely lacking in good practices, the plugin carries a notable risk due to its exposed entry points and past security flaws.