Social Share Buttons & Analytics Plugin – GetSocial.io Security & Risk Analysis

The "wp-share-buttons-analytics-by-getsocial" plugin v4.5 exhibits a mixed security posture. While it demonstrates good practices such as using prepared statements for all SQL queries and a single nonce check, significant concerns arise from its attack surface and vulnerability history. Three AJAX handlers lack authentication checks, creating a considerable risk for unauthorized actions. The low percentage of properly escaped output (4%) is also a major red flag, suggesting a high likelihood of Cross-Site Scripting (XSS) vulnerabilities, which aligns with its past vulnerability types.

The plugin's history of two known CVEs, one of which remains unpatched, and both being of medium severity, further amplifies the risk. The prevalence of "Missing Authorization" and "Cross-site Scripting" in its vulnerability types directly correlates with the static analysis findings of unprotected AJAX handlers and poor output escaping. This suggests a recurring pattern of security weaknesses that have not been fully addressed.

In conclusion, while the plugin avoids certain common pitfalls like raw SQL queries and file operations, the unprotected AJAX endpoints and the high proportion of improperly escaped output, coupled with a history of medium-severity vulnerabilities including XSS, present a substantial security risk. The unpatched CVE is particularly concerning, leaving users exposed to known exploits.