Yoo Slider – Image Slider & Video Slider Security & Risk Analysis

The yoo-slider plugin version 2.2.0 presents a mixed security posture. While it demonstrates good practices in using prepared statements for all SQL queries and includes a substantial number of nonce and capability checks, significant concerns arise from its large, unprotected attack surface. A notable 11 out of 12 entry points, specifically AJAX handlers, lack authentication checks, creating a broad avenue for potential exploitation by unauthenticated users. The presence of one flow with unsanitized paths in taint analysis, although not classified as critical or high severity, warrants attention as it indicates a potential for input manipulation.

The plugin's vulnerability history is a significant red flag. With 5 known CVEs, one of which remains unpatched, and a history of Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerabilities, it suggests a pattern of insecure coding practices and an ongoing struggle with security patching. The most recent vulnerability being only from March 2024 further emphasizes the active nature of security issues with this plugin. Despite the strengths in SQL handling and output escaping (though not perfect at 67%), the numerous unprotected AJAX endpoints and the history of unpatched vulnerabilities considerably elevate the risk associated with this plugin.