Lime Connect (formerly Userlike) – WordPress Live Chat plugin Security & Risk Analysis

The Userlike plugin v2.5 exhibits a generally good security posture due to the absence of known critical or high vulnerabilities and a lack of dangerous functions or raw SQL queries. The attack surface appears minimal, with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are exposed without authentication. This suggests a deliberate effort to limit potential entry points for attackers. However, a notable concern arises from the output escaping analysis, where only 33% of outputs are properly escaped. This indicates a potential for Cross-Site Scripting (XSS) vulnerabilities, especially considering the plugin's history of an XSS CVE in March 2023. While this specific CVE is reported as patched, the pattern of XSS vulnerabilities should be a focus for ongoing security efforts. The presence of one medium-severity vulnerability in its history, though currently patched, combined with the limited output escaping, warrants a cautious approach.