Corona Stats Live – Corona Virus COVID-19 Live Stats for WordPress Lite Security & Risk Analysis

The "corona-stats-live" plugin v1.2.0 exhibits a generally positive security posture based on the static analysis. It shows no known vulnerabilities (CVEs), which is a significant strength. The absence of dangerous functions, raw SQL queries, file operations, and external HTTP requests (though it makes two, their nature isn't specified but assumed benign given no taint analysis findings) are also good indicators. The plugin also utilizes prepared statements for its SQL queries, which is a best practice for preventing SQL injection. However, there are areas of concern. A significant portion (31%) of output escaping is missing, which could lead to Cross-Site Scripting (XSS) vulnerabilities if the plugin handles user-supplied data that is then displayed without proper sanitization. The lack of nonce checks and capability checks across all entry points (AJAX, REST API, shortcodes) is a notable weakness, potentially allowing unauthorized actions if the plugin's functionalities are exploitable. The bundled DataTables library, while common, should be kept updated to prevent known vulnerabilities within the library itself.