Affiliate Link Plugin from BlashO Security & Risk Analysis

The Affilinker v2.2 plugin exhibits a mixed security posture. While the absence of known CVEs and a seemingly small attack surface with no direct AJAX handlers, REST API routes, shortcodes, or cron events are positive indicators, significant concerns arise from the static analysis. The presence of the `create_function` dangerous function is a red flag, as it can be exploited for arbitrary code execution if not handled with extreme care. Furthermore, a low percentage of SQL queries using prepared statements (7%) and a similarly low rate of proper output escaping (15%) suggest a high likelihood of SQL injection and cross-site scripting (XSS) vulnerabilities. The taint analysis revealing two high-severity flows with unsanitized paths corroborates these concerns, indicating potential injection risks.

The plugin's vulnerability history being clear of any recorded CVEs is a strength, suggesting that past issues (if any) have been addressed or that the plugin hasn't attracted significant adversarial attention. However, this absence of history should not overshadow the direct risks identified in the code analysis. The limited number of nonce and capability checks also contribute to a weaker security posture, as these are fundamental WordPress security mechanisms.

In conclusion, while the lack of public vulnerabilities is encouraging, the static analysis highlights critical areas for improvement. The use of dangerous functions, prevalent lack of prepared statements and output escaping, and identified high-severity taint flows present substantial risks that need immediate attention. A robust security audit focusing on these areas is recommended to ensure the plugin's safety.