WPoperation Elementor Addons Security & Risk Analysis

The static analysis for wpop-elementor-addons v1.1.9 reveals a generally good security posture, with no identified dangerous functions, SQL queries using prepared statements, or file operations. The absence of AJAX handlers, REST API routes, shortcodes, and cron events with unprotected entry points suggests a limited attack surface. However, concerns arise from the complete lack of nonce checks and capability checks, which are critical for securing sensitive actions within WordPress. Furthermore, 21% of output is not properly escaped, posing a potential Cross-Site Scripting (XSS) risk, though the absence of taint analysis data makes it difficult to quantify the severity of this.

The vulnerability history is a significant concern. The presence of one unpatched medium severity CVE, last discovered on 2025-04-01, indicates a lingering security flaw. The common vulnerability type being XSS further reinforces the risk associated with the unescaped output identified in the static analysis. While the plugin demonstrates strengths in its limited attack surface and secure handling of SQL, the lack of robust authorization checks and the unpatched vulnerability significantly weaken its overall security. Users should be cautious until the unpatched CVE is addressed and the output escaping is fully implemented.