WP eCards – Branded Digital Greeting Cards Security & Risk Analysis

The wp-ecards-invites plugin, version 1.4.12, exhibits a generally positive security posture based on the static analysis. The absence of direct AJAX handlers and REST API routes without authentication, coupled with 100% prepared SQL statements and presence of nonce and capability checks, indicates good development practices in these areas. Furthermore, the lack of critical or high severity taint flows and dangerous function usage suggests a low risk of code injection or execution vulnerabilities originating from the analyzed code paths.

However, a significant concern arises from the output escaping, where 27% of outputs are not properly escaped. This leaves the plugin susceptible to Cross-Site Scripting (XSS) vulnerabilities, especially given that the plugin has a history of XSS vulnerabilities. The presence of one known CVE, although currently unpatched, and specifically a medium severity XSS vulnerability in the past, reinforces this concern. While the current static analysis doesn't reveal an active XSS flaw, the historical pattern and the unescaped output percentage warrant caution.

In conclusion, the plugin has strengths in its secure handling of database queries and user authentication for entry points. The primary weakness lies in insufficient output sanitization, which, combined with past XSS vulnerabilities, presents a notable risk. Addressing the unescaped output is crucial for improving the plugin's overall security and preventing potential XSS attacks.