Coming Soon, Under Construction & Maintenance Mode By Dazzler Security & Risk Analysis

The plugin "coming-soon-wp" v2.1.3 presents a mixed security posture. On the positive side, it demonstrates good practices in several areas, including the exclusive use of prepared statements for SQL queries and a high percentage of properly escaped outputs. It also performs a significant number of nonce checks, indicating an awareness of common WordPress security measures. However, several concerning indicators are present.

The static analysis reveals a single unprotected AJAX handler, which represents a direct entry point for potential attacks without proper authorization. The presence of 12 dangerous function calls, specifically "unserialize," is a notable concern as it can be exploited for Remote Code Execution if the serialized data originates from an untrusted source. While taint analysis shows no identified issues, the presence of "unserialize" without further context raises a red flag.

The vulnerability history shows two past medium severity CVEs, with common types including Missing Authorization and Cross-site Scripting. The most recent vulnerability was identified in March 2024. The absence of currently unpatched vulnerabilities is a positive sign, but the recurring types suggest potential architectural weaknesses that could manifest in new vulnerabilities. Overall, while the plugin has strengths in areas like SQL handling and output escaping, the unprotected AJAX endpoint and the use of "unserialize" warrant careful consideration and mitigation.