Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript Security & Risk Analysis

The 'add-custom-codes' plugin v4.80 presents a mixed security profile. While it demonstrates good practices like using prepared statements for all SQL queries and a significant percentage of proper output escaping, several concerning elements stand out. The presence of an unprotected AJAX handler is a critical oversight, creating a direct entry point for potential attackers. Furthermore, the plugin has a history of 4 known CVEs, with all of them remaining unpatched, including one high-severity vulnerability. This history, coupled with common vulnerability types like Missing Authorization, Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and Code Injection, suggests recurring security weaknesses that have not been adequately addressed.

The static analysis also reveals a flow with unsanitized paths, which, while not classified as critical or high severity in this analysis, is a red flag, especially given the plugin's past issues. The total number of entry points is relatively low, but the existence of an unprotected one significantly elevates the risk. In conclusion, despite some positive security implementations, the plugin's unpatched vulnerabilities, historical pattern of common exploit types, and an unprotected AJAX handler make it a considerable security risk. Immediate patching of all known vulnerabilities and remediation of the unprotected AJAX endpoint are crucial.