Support SVG – Upload svg files in wordpress without hassle Security & Risk Analysis

The "support-svg" plugin v1.1.3 demonstrates a generally strong security posture in its static analysis. It adheres to best practices by utilizing prepared statements for all SQL queries, ensuring proper output escaping, and having no identified critical or high severity taint flows. The absence of a significant attack surface with unprotected entry points is also a positive indicator. However, the plugin's vulnerability history is a significant concern. With two known medium severity CVEs, both related to Cross-Site Scripting (XSS), the plugin has shown a pattern of introducing vulnerabilities that could allow for malicious code injection. The fact that the last vulnerability was relatively recent (November 2024) and is currently unpatched, despite the version number being higher, suggests a potential ongoing issue with code quality or a lack of timely security updates.

While the current static analysis is clean, the historical vulnerability data strongly suggests that this plugin should be treated with caution. The two medium severity XSS vulnerabilities indicate a recurring weakness in input sanitization or output encoding, which could be present in subtle ways not caught by the current static analysis or that have been fixed in this specific version but indicate a higher likelihood of future issues. The absence of capability checks and nonce checks on potential AJAX or REST API endpoints (though none are currently identified) leaves a theoretical gap for future vulnerabilities if these features are added without proper security controls. Therefore, despite the promising static analysis, the plugin's past security record necessitates a degree of skepticism and careful monitoring.