Tutexp Rest Api Menu Security & Risk Analysis

The plugin 'tutexp-rest-api-menu' v1.0.0 exhibits a concerning security posture primarily due to its unprotected REST API routes. While the static analysis reveals no dangerous functions, SQL injection vulnerabilities, or output escaping issues, and there's no known vulnerability history, the presence of two REST API routes without permission callbacks represents a significant attack vector. This means any unauthenticated user could potentially interact with these endpoints, leading to unintended actions or information disclosure depending on their functionality.

The absence of nonce checks and capability checks on these routes further exacerbates the risk. The lack of taint analysis data is noted, but the existing findings are sufficient to warrant caution. The plugin demonstrates good practices in its use of prepared statements for SQL queries, but this strength is overshadowed by the critical oversight in securing its entry points. Users should be aware that while the plugin has no past vulnerabilities, the current design leaves it open to exploitation.