Tidio – Live Chat & AI Chatbots Security & Risk Analysis

The Tidio Live Chat plugin version 7.0.0 exhibits a mixed security posture. On the positive side, the static analysis reveals a lack of identified critical vulnerabilities within the code itself, with no dangerous functions, raw SQL queries, or unsanitized taint flows detected. The presence of nonce and capability checks, along with the use of prepared statements for SQL, are good security practices. However, the plugin's history of two known CVEs, one of which was high severity and the other medium, raises significant concern. The fact that these vulnerabilities were Exposure of Sensitive Information and Cross-Site Request Forgery suggests recurring or complex security flaws.

The primary weaknesses lie not in the current code's apparent lack of immediate threats, but in its past. The historical vulnerabilities, particularly the CSRF and sensitive information exposure, indicate that the plugin has previously been susceptible to attacks that could compromise user data or site integrity. While there are currently no unpatched vulnerabilities, the existence of these past issues warrants vigilance. The relatively low percentage of properly escaped output (44%) is also a minor concern, as it could lead to cross-site scripting (XSS) vulnerabilities if not handled carefully in all contexts.