Accessibility by UserWay Security & Risk Analysis

The userway-accessibility-widget plugin version 2.6.6 exhibits a mixed security posture. On the positive side, the static analysis reveals a remarkably small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are accessible without authentication. Furthermore, there are no known vulnerabilities (CVEs) associated with this plugin, and it does not appear to bundle outdated libraries. This indicates a generally good approach to minimizing entry points and a lack of publicly disclosed security flaws.

However, several concerning code signals warrant attention. A significant portion of SQL queries (86%) are not using prepared statements, posing a risk of SQL injection if these queries are constructed with user-supplied data. Crucially, none of the identified output points are properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities if dynamic content is displayed without sanitization. The taint analysis also detected two flows with unsanitized paths, indicating a potential for directory traversal or similar file-related attacks, although these were not classified as critical or high severity. The absence of nonce checks on AJAX handlers (though there are none) and limited capability checks also represent potential areas for further hardening.

In conclusion, while the plugin benefits from a minimal attack surface and a clean vulnerability history, the prevalent lack of proper output escaping and the high rate of un-prepared SQL queries represent significant, actionable security risks. The taint analysis, while not critical, further highlights areas where input validation and sanitization need to be more robust. Developers should prioritize addressing the unescaped output and raw SQL queries to improve the overall security of the plugin.