AdRotate Switch Security & Risk Analysis

The static analysis of AdRotate Switch v1.12 reveals a generally good security posture with no recorded vulnerabilities and a limited attack surface. The plugin reports zero AJAX handlers, REST API routes, shortcodes, or cron events, significantly reducing potential entry points for attackers. Furthermore, the absence of external HTTP requests and file operations minimizes risks associated with these common attack vectors.

However, there are notable areas for concern. The presence of two instances of the `unserialize` function is a significant risk, as it can lead to Remote Code Execution vulnerabilities if untrusted data is unserialized. Additionally, the plugin performs 15 SQL queries, none of which utilize prepared statements. This practice, coupled with the potential for `unserialize` to inject malicious data, creates a high risk of SQL Injection attacks, especially if any user-controlled data can influence these queries.

The lack of capability checks on any entry points, although the reported entry points are zero, suggests a potential oversight. While the vulnerability history is clean, indicating good past development, the current code analysis highlights critical areas that require immediate attention. The plugin's strengths lie in its minimal attack surface and lack of external dependencies, but the insecure use of `unserialize` and raw SQL queries represent serious weaknesses.