WATI Chat and Notification Security & Risk Analysis

The "wati-chat-and-notification" plugin version 1.1.7 presents a mixed security posture. On the positive side, the plugin demonstrates good practices with a high percentage of SQL queries using prepared statements (91%) and properly escaped output (96%). It also correctly implements nonce and capability checks on a good portion of its entry points (3 each).

However, significant concerns arise from the presence of unprotected entry points, specifically 3 REST API routes that lack permission callbacks. This creates a substantial attack surface that could be exploited by unauthenticated users. Additionally, the discovery of the `unserialize` function, a known dangerous function, without further context on its usage, raises a potential flag for deserialization vulnerabilities. While no critical or high severity taint flows were identified, the absence of taint analysis results (0 flows analyzed) means this aspect might be incompletely assessed.

The plugin's vulnerability history shows one medium severity CVE, a Cross-Site Request Forgery (CSRF), which was last patched on March 11, 2025. While the absence of currently unpatched vulnerabilities is positive, the past existence of CSRF indicates a need for vigilance in securing forms and actions. Overall, the plugin has strengths in its implementation of secure coding practices for database and output handling, but the lack of authorization on REST API routes is a critical weakness that requires immediate attention.