WPZOOM Addons for Beaver Builder Security & Risk Analysis

The plugin "wpzoom-addons-for-beaver-builder" version 1.3.8 exhibits a mixed security posture. On one hand, the static analysis shows a very small attack surface with no apparent unprotected entry points, excellent use of prepared statements for SQL queries, and a reasonable number of file operations and external HTTP requests. The presence of nonce checks and a single capability check, while limited, are positive signs. However, a significant concern arises from the very low percentage of properly escaped output (12%). This suggests a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into user views.

The vulnerability history is a major red flag, with a total of 6 known CVEs, including 1 high and 5 medium severity vulnerabilities. The common types of vulnerabilities, specifically Remote File Inclusion and Cross-Site Scripting, align with the output escaping concerns identified in the static analysis. While there are currently no unpatched CVEs, the historical pattern of these specific vulnerability types is worrying and indicates a recurring weakness in how user-supplied data is handled. The most recent vulnerability was identified on July 1st, 2024, suggesting that despite past fixes, the underlying issues may not be fully eradicated.

In conclusion, while the plugin demonstrates some good security practices like prepared statements and a limited attack surface, the critically low output escaping percentage and the history of XSS and RFI vulnerabilities present substantial risks. The plugin requires immediate attention to address the widespread output escaping deficiencies and a thorough review to ensure past vulnerability patterns are truly resolved.