VS Contact Form Security & Risk Analysis

The "very-simple-contact-form" plugin v18.9 presents a mixed security posture. On the positive side, the static analysis indicates a relatively small attack surface with no directly unprotected AJAX handlers or REST API routes. The vast majority of output is properly escaped, and there are no reported file operations, external HTTP requests, or dangerous function usages. Furthermore, the presence of nonce and capability checks, albeit limited in scope, is a good practice.

However, significant concerns arise from the vulnerability history. The plugin has a history of 4 known CVEs, including one high-severity vulnerability and three medium-severity ones, with the most recent occurring in March 2024. The common vulnerability types (Missing Authorization, Cross-site Scripting, Guessable CAPTCHA) suggest recurring issues in how user input is handled and access is controlled. The fact that a high-severity vulnerability was present as recently as March 2024, even if currently patched, indicates a potential for ongoing security weaknesses that require careful monitoring and prompt patching.

While the current static analysis shows no unpatched vulnerabilities, the plugin's past suggests a higher than average risk of future discoveries. The absence of taint analysis results could mean either no problematic flows were found or the analysis was not comprehensive enough to detect them. The static analysis also reveals that 100% of SQL queries are not using prepared statements, which is a significant risk for potential SQL injection vulnerabilities, despite the low number of queries. Coupled with the lack of capability checks on any entry points, this plugin, despite its small attack surface, carries notable risks due to its past vulnerability profile and insecure SQL handling.