Tab – Accordion, FAQ Security & Risk Analysis

The "tabbed" v1.3.9 plugin exhibits a mixed security posture. While it demonstrates good practices in its use of prepared statements for SQL queries (99%) and output escaping (95%), several significant security concerns remain. The plugin exposes a considerable attack surface with 3 out of 4 entry points lacking authentication checks, making them vulnerable to unauthorized access. This is further exacerbated by the presence of 3 AJAX handlers without proper nonce checks, creating opportunities for Cross-Site Request Forgery (CSRF) attacks if they perform sensitive actions.

The vulnerability history shows a past high-severity vulnerability attributed to "Missing Authorization" in late 2021, which is currently patched. However, this pattern of missing authorization on entry points is a recurring theme that raises concern. The taint analysis reveals no critical or high-severity flows, which is a positive sign, indicating that data handled by the plugin is generally processed safely. Despite the past vulnerability being addressed, the static analysis findings suggest that the plugin's developers need to prioritize securing all entry points to prevent future exploits.

In conclusion, "tabbed" v1.3.9 has strengths in its data handling but weaknesses in its access control. The high number of unprotected AJAX handlers and shortcodes is a significant risk. While no current critical vulnerabilities are detected in the static analysis, the historical pattern and current findings warrant careful attention to implement proper authorization and nonce checks across all entry points.