WPB Popup for Contact Form 7 – Showing The Contact Form 7 Popup on Button Click – CF7 Popup Security & Risk Analysis

The "wpb-popup-for-contact-form-7" plugin v2.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices by exclusively using prepared statements for SQL queries and a high percentage of properly escaped output. There are also a reasonable number of nonce checks implemented, which is a positive sign for securing certain actions. The absence of file operations and external HTTP requests further reduces potential attack vectors.

However, there are significant concerns. The presence of two AJAX handlers without authentication checks creates a direct and unprotected entry point for attackers. This, combined with a high number of unprotected total entry points, presents a notable risk. While taint analysis found no issues in this version, the plugin has a history of a high severity "Code Injection" vulnerability, with the last one being quite recent. This historical pattern, even if currently patched, suggests a recurring weakness that requires vigilant monitoring and prompt patching.

In conclusion, while the plugin has implemented some strong security measures, the unprotected AJAX handlers and the past vulnerability in code injection represent critical areas for concern. The historical trend of a high-severity vulnerability demands caution, despite the absence of current unpatched CVEs and the clean taint analysis in this specific version.