X Addons for Elementor Security & Risk Analysis

The static analysis of x-addons-elementor v1.0.23 reveals a strong adherence to secure coding practices in its immediate implementation. The absence of identified dangerous functions, file operations, external HTTP requests, and the exclusive use of prepared statements for SQL queries are positive indicators. Furthermore, the high percentage of properly escaped output suggests a good effort to mitigate cross-site scripting vulnerabilities within the directly analyzed code. However, the complete lack of entry points like AJAX handlers, REST API routes, shortcodes, and cron events in the static analysis is unusual and might indicate these features are handled elsewhere or that the analysis scope was limited.

The primary concern stems from the plugin's vulnerability history. With a total of 4 known CVEs, and 2 of them currently unpatched, this plugin presents a significant risk. The common vulnerability types being Missing Authorization and Cross-site Scripting, coupled with the medium severity of these historical issues, directly contradict the positive findings in the static analysis, suggesting past code may have been vulnerable or that current analysis missed critical aspects. The recency of the last vulnerability (2026-01-14) is also concerning and likely a typo or futuristic projection, indicating ongoing issues.

In conclusion, while the current version's static code exhibits good security hygiene in specific areas, the persistent history of unpatched vulnerabilities, particularly those related to authorization and XSS, overshadows these strengths. The presence of unpatched CVEs means active exploitation is possible. The plugin's reliance on potentially vulnerable historical code or areas not covered by static analysis warrants extreme caution. Users should prioritize updating to a version that has addressed all past CVEs.