Supreme Addons for Beaver Builder – Security & Risk Analysis

The plugin exhibits a mixed security posture, with some positive indicators but significant areas of concern. While the static analysis shows no dangerous functions, raw SQL, or external HTTP requests, and all SQL queries use prepared statements, the complete lack of output escaping is a critical weakness. This means that any data processed by the plugin and displayed on the frontend or backend is susceptible to rendering as executable code, potentially leading to cross-site scripting (XSS) attacks. The absence of nonce and capability checks on its single shortcode entry point also raises concerns about authorization and potential abuse.

The vulnerability history reveals a pattern of medium-severity cross-site scripting vulnerabilities, with one currently unpatched. The fact that the last vulnerability was in the near future suggests a potential issue with the provided data's timestamp, but the persistent presence of XSS vulnerabilities is a strong indicator that input sanitization and output encoding are not consistently implemented. This, combined with the static analysis findings, strongly points towards ongoing risks related to XSS.

In conclusion, while the plugin has strengths in its handling of SQL queries and avoiding certain dangerous practices, the pervasive lack of output escaping and the history of XSS vulnerabilities, coupled with insufficient authorization checks, present a significant security risk. The unpatched vulnerability is a clear and present danger that requires immediate attention.