Website Pop-up Builder by BDOW! (formerly Sumo): Pop-ups + forms for email opt-ins and lead generation Security & Risk Analysis

The Sumome plugin v1.44 exhibits a mixed security posture. On the positive side, it demonstrates good practices regarding SQL queries, exclusively using prepared statements, and has no reported unpatched vulnerabilities, indicating active maintenance or a lack of recent critical flaws. The absence of dangerous functions and external HTTP requests further strengthens its security profile. However, significant concerns arise from its attack surface. With a total of 9 AJAX handlers, 7 of which lack authentication checks, there is a substantial opportunity for unauthorized actions if these handlers are exploitable. The taint analysis, while limited in scope, revealed one flow with an unsanitized path, which could potentially lead to vulnerabilities if further investigation uncovers exploitable paths. The plugin's vulnerability history, though showing only medium-severity issues in the past, is a reminder that even well-maintained plugins can have weaknesses. The presence of past CSRF vulnerabilities, though currently patched, warrants continued vigilance, especially concerning any new AJAX handlers without proper CSRF protection.