Textmetrics Security & Risk Analysis

The webtexttool plugin v3.6.5 presents a mixed security posture. While the use of prepared statements for all SQL queries and the absence of dangerous functions are positive signs, significant concerns arise from its attack surface and historical vulnerabilities. The plugin exposes 11 AJAX handlers, all of which lack authentication checks, creating a substantial entry point for unauthenticated attackers. This is further exacerbated by the fact that there are 14 nonce checks but only 8 capability checks, indicating a potential imbalance in how different types of access are being validated.

The vulnerability history reveals a pattern of medium severity issues including Code Injection, Cross-site Scripting, and Missing Authorization. The presence of three known CVEs, with one currently unpatched, is a significant concern. The most recent vulnerability was in 2026, which is an unusual date for a historical vulnerability; assuming this is a typo and it refers to a past event, it still highlights a recurring security debt. The absence of critical or high severity taint flows suggests that currently, there are no obvious severe vulnerabilities in the analyzed code paths, but this does not mitigate the risks posed by the exposed AJAX endpoints and past unpatched issues.

In conclusion, while the plugin demonstrates good practices in database interaction and avoids certain dangerous functions, the unauthenticated AJAX endpoints and a history of medium-severity vulnerabilities, including an unpatched one, make it a notable security risk. The focus on capability checks is positive but insufficient if authorization is not robustly implemented on all entry points, especially the 11 unprotected AJAX handlers.