Exit Intent Visitors Feedback – Trigger Feedback Popup on Exit Intent Security & Risk Analysis

The "visitors-feedback" v1.0.1 plugin exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices in output escaping, with 100% of identified outputs being properly escaped, and it has no recorded history of vulnerabilities (CVEs). Additionally, there are no file operations, external HTTP requests, or dangerous functions, which generally contribute to a more secure codebase.

However, significant concerns arise from the attack surface. The plugin exposes two AJAX handlers, and critically, both lack authentication checks. This means any unauthenticated user could potentially interact with these entry points, posing a direct security risk. Furthermore, all SQL queries are executed without the use of prepared statements, which is a strong indicator of potential SQL injection vulnerabilities, even though no specific flows were detected in the taint analysis. The presence of only one nonce check for two AJAX handlers further exacerbates the risk of Cross-Site Request Forgery (CSRF) or unauthorized actions.

In conclusion, while the absence of historical vulnerabilities and good output escaping are positive signs, the critical lack of authentication on AJAX endpoints and the widespread use of raw SQL queries present substantial security weaknesses. These areas require immediate attention to mitigate the risk of exploitation.