Bloglovin Follow Security & Risk Analysis

The bloglovin-follow plugin v1.0 exhibits a mixed security posture, with some encouraging signs but significant areas of concern. On the positive side, the plugin has no known historical vulnerabilities (CVEs) and demonstrates good practice by using prepared statements for all SQL queries. Furthermore, the attack surface is minimal, with only one entry point (a shortcode) and no AJAX handlers or REST API routes exposed without authentication, and no cron events or file operations.

However, the static analysis reveals critical security flaws. The presence of the `create_function` is a major red flag, as it can be exploited for code injection if user input is not strictly sanitized. More alarmingly, 100% of the plugin's outputs are not properly escaped. This is a severe vulnerability that makes the plugin susceptible to Cross-Site Scripting (XSS) attacks, allowing attackers to inject malicious scripts into web pages viewed by users. The complete absence of nonce and capability checks, while not directly exploitable given the limited attack surface, represents a lack of defense-in-depth and could become a problem if the attack surface expands or is modified in future versions.

Given the lack of vulnerability history, it might indicate that this plugin hasn't been heavily targeted or extensively analyzed. However, the identified code signals, particularly the unescaped output and the use of `create_function`, represent immediate and significant risks that could be leveraged by attackers. The plugin's strengths in SQL handling and minimal attack surface are overshadowed by these critical output and code execution vulnerabilities. Users should exercise extreme caution with this plugin.