Upload.am – File Hosting & VPN Security & Risk Analysis

The "upload-am-file-hosting-vpn" plugin v1.0.1 presents a mixed security posture. While it demonstrates strong adherence to secure coding practices with 100% of SQL queries using prepared statements and all output properly escaped, several significant concerns remain. The plugin exposes a considerable attack surface through five AJAX handlers that lack authentication checks, making them vulnerable to unauthorized access and execution.

Taint analysis did not reveal any unsanitized path flows, which is a positive indicator. However, the plugin has a history of one known medium-severity vulnerability, specifically related to missing authorization, which was remediated. The fact that its last vulnerability was in September 2025 and is currently unpatched is a critical concern, suggesting a lack of ongoing maintenance or a potential delay in applying security updates.

In conclusion, the plugin's foundation in secure coding is commendable. Nevertheless, the numerous unprotected AJAX endpoints represent a substantial risk. The unpatched past vulnerability, even if older, highlights a recurring pattern of authorization issues and the potential for new vulnerabilities if not actively maintained and updated. Users should exercise caution and prioritize updating to a version that addresses these unprotected entry points and any outstanding security advisories.