Click to Edit Security & Risk Analysis

The wpcontenteditable plugin v1.3 presents a significant security risk due to its unprotected AJAX endpoints. The static analysis reveals three AJAX handlers, all of which lack authentication checks, creating a direct attack vector. Furthermore, the analysis indicates a concerning lack of output escaping, with zero percent of outputs properly escaped. This, combined with two flows with unsanitized paths, suggests a high likelihood of cross-site scripting (XSS) vulnerabilities being exploitable through these unauthenticated AJAX calls.

The plugin's vulnerability history is clean, with no recorded CVEs. While this is a positive sign, it does not negate the immediate threats identified in the code analysis. The absence of past vulnerabilities could be attributed to low adoption, lack of scrutiny, or simply good fortune. The presence of a dangerous function like `preg_replace(/e)` also warrants attention, though its specific usage and potential impact are not detailed in the provided data. The plugin's strengths lie in its exclusive use of prepared statements for SQL queries and the absence of file operations or external HTTP requests. However, these strengths are overshadowed by the critical flaws in its handling of AJAX requests and output sanitization, making it a high-risk plugin in its current state.