XLTab – Accordions and Tabs for Elementor Page Builder Security & Risk Analysis

The "xl-tab" plugin v1.5 exhibits a mixed security posture. On the positive side, static analysis reveals no dangerous functions, no raw SQL queries, and no file operations or external HTTP requests, suggesting some good coding practices. However, a significant concern is the extremely low percentage (13%) of properly escaped output, indicating a high likelihood of Cross-Site Scripting (XSS) vulnerabilities being present. The absence of nonce and capability checks on the single identified entry point (a shortcode) is also a considerable risk, as it implies that this entry point is likely unprotected and could be exploited by unauthenticated users.

The plugin's vulnerability history shows two past medium-severity vulnerabilities, specifically Authorization Bypass Through User-Controlled Key and Improper Neutralization of Input During Web Page Generation (XSS). The recurrence of XSS in the past, coupled with the current static analysis showing poor output escaping, strongly suggests that XSS remains a persistent and significant threat for this plugin. While there are currently no unpatched CVEs, the historical pattern of vulnerabilities, particularly XSS, combined with the identified lack of output escaping and authorization checks on the entry point, warrants caution.

In conclusion, while the plugin avoids certain common pitfalls like raw SQL or dangerous functions, the high risk of XSS due to poor output escaping and the unprotected shortcode entry point are major weaknesses. The historical prevalence of XSS further amplifies these concerns. Users should exercise caution and consider the risks associated with these identified issues.