Cool fade popup Security & Risk Analysis

The "cool-fade-popup" plugin v10.1 exhibits a mixed security posture. On the positive side, the static analysis reveals a limited attack surface with no identified AJAX handlers or REST API routes exposed without proper authentication checks. The plugin also demonstrates good practices with a high percentage of SQL queries using prepared statements and a reasonable number of nonce and capability checks. File operations and external HTTP requests are absent, further reducing potential vulnerabilities.

However, several areas raise concerns. A significant weakness is the low percentage of properly escaped outputs (42%), indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. This is exacerbated by the fact that there are no identified critical or high severity taint flows, suggesting potential vulnerabilities might be overlooked or not detected by the specific analysis performed, and that the low output escaping percentage is the primary concern for client-side code injection.

The vulnerability history highlights a recurring issue with SQL Injection, with one medium severity CVE currently unpatched from July 2025. The fact that the last vulnerability was a medium severity SQL injection and that there is an unpatched CVE points to a potential pattern of insecure coding practices related to database interactions, despite the high usage of prepared statements. This suggests that even with prepared statements, the implementation might be flawed, or other SQL-related vulnerabilities exist.