Coming Soon – Under Construction Security & Risk Analysis

The "coming-soons" v1.2.0 plugin exhibits a generally strong security posture based on the provided static analysis. The plugin extensively utilizes prepared statements for SQL queries, has a high percentage of properly escaped output, and performs a good number of nonce and capability checks. The absence of dangerous functions, file operations, and critical/high severity taint flows suggests a diligent approach to secure coding. The limited attack surface, with only two AJAX entry points and no shortcodes or cron events, further contributes to its safety.

However, the presence of one unpatched medium severity vulnerability from 2022, specifically related to Cross-Site Scripting (XSS), is a significant concern. This indicates a past issue that has not been remediated, potentially leaving active installations vulnerable. While the static analysis doesn't reveal any current XSS flaws or other critical issues, the historical pattern of an XSS vulnerability requires careful attention. The plugin's reliance on a bundled version of TinyMCE also introduces a potential risk if this library itself has known vulnerabilities that are not addressed by the plugin's vendor.

In conclusion, the "coming-soons" plugin demonstrates good development practices with its secure handling of data and entry points. The main weakness lies in its past vulnerability history, specifically the unpatched XSS issue. While the current version appears to have addressed past flaws or the static analysis didn't pick them up, the historical context necessitates vigilance. Users should verify if the unpatched vulnerability has been addressed by the developer or consider alternatives if it remains a concern.