QR code MeCard/vCard generator Security & Risk Analysis

The wp-qrcode-me-vcard plugin version 1.7.1 presents a mixed security posture. While it demonstrates good practices such as using prepared statements for all SQL queries and performing some capability checks, significant concerns remain. The presence of an unprotected AJAX handler significantly expands the attack surface, as any unauthenticated user could potentially interact with this endpoint. The lack of proper output escaping on a substantial portion (84%) of outputs is also a serious concern, potentially leading to cross-site scripting (XSS) vulnerabilities if user-supplied data is displayed without adequate sanitization. The plugin's vulnerability history shows one past medium-severity vulnerability, specifically related to missing authorization, which aligns with the current finding of an unprotected AJAX handler. This pattern suggests a recurring weakness in ensuring proper access control for plugin functionalities.

Overall, the plugin has some security strengths, particularly in its database interactions. However, the identified unprotected entry point and the high percentage of unescaped output introduce considerable risk. The historical pattern of missing authorization further reinforces the need for diligent review and remediation of access control mechanisms. The absence of critical or high severity taint flows is a positive sign, but the existing issues are sufficient to warrant caution and prompt remediation.