WP Sticky Button – Click to Chat Security & Risk Analysis

The wa-sticky-button v1.4.1 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries, avoiding file operations and external HTTP requests, and performing nonce and capability checks. The taint analysis also shows no critical or high-severity unsanitized flows, indicating a generally safe internal code structure.

However, significant concerns arise from the plugin's attack surface and historical vulnerability data. The presence of one AJAX handler without authentication checks presents a direct entry point for potential exploitation, which is a critical oversight. Furthermore, the plugin has a history of two known CVEs, including a high and a medium severity vulnerability, with the last one occurring in August 2022. The common vulnerability types found in its history, namely Missing Authorization and Cross-site Scripting, align with the observed unprotected AJAX handler, suggesting a pattern of insecure handling of user-supplied input and access control.

In conclusion, while the plugin has made some strides in secure coding practices such as prepared statements and output escaping, the unprotected AJAX endpoint and its historical vulnerability record are significant weaknesses. The lack of authorization on an entry point is a critical flaw that could be exploited. Users should exercise caution and consider the plugin's past issues when deciding to use it.