Support AI – AI Chatbot for WordPress Security & Risk Analysis

The 'supportai' v1.2 plugin exhibits a mixed security posture. On the positive side, it has no known vulnerabilities (CVEs) and its code analysis shows no critical or high severity taint flows. All SQL queries utilize prepared statements, and there are no dangerous functions or file operations detected, which are strong indicators of good security practices.

However, there are notable areas of concern. The plugin exposes 12 AJAX handlers, with 2 of them lacking authentication checks. This represents a significant attack surface that could potentially be exploited by unauthenticated users. Additionally, while nonce checks are present, the capability checks are entirely missing, meaning that even authenticated users might be able to perform actions they shouldn't have access to. The output escaping is also inconsistent, with 59% of outputs properly escaped, leaving the remaining 41% potentially vulnerable to cross-site scripting (XSS) attacks if they handle user-supplied data.

In conclusion, 'supportai' v1.2 has a relatively clean vulnerability history, which is encouraging. The absence of SQL injection vulnerabilities and taint flow issues is a significant strength. Nevertheless, the unprotected AJAX endpoints and incomplete capability checks, combined with potentially unescaped output, present real security risks that require attention.