WazirX – Free Cryptocurrency Widgets | Price Ticker & Coin List Security & Risk Analysis

The crypto-price-widgets plugin v1.0.2 exhibits a generally strong security posture based on the provided static analysis. The absence of dangerous functions, file operations, and the consistent use of prepared statements for SQL queries are excellent indicators. Furthermore, the high percentage of properly escaped output and the minimal number of external HTTP requests suggest good coding practices. The plugin also boasts a clean vulnerability history with no known CVEs, which is a positive sign regarding its past security diligence.

However, there are notable areas for concern. The presence of unsanitized paths in two taint flows, even without critical or high severity, indicates a potential avenue for malicious input manipulation. The complete lack of nonce checks and capability checks across all entry points (shortcodes in this case) is a significant weakness. While there are no AJAX handlers or REST API routes without authentication, shortcodes are inherently exposed and lack any authorization or CSRF protection, making them a potential target for privilege escalation or other attacks if their functionality could be manipulated.

In conclusion, while the plugin has a clean history and uses many secure coding practices, the identified taint flows and, more critically, the absence of authentication/authorization checks on its shortcode entry points present a tangible risk. Addressing these specific areas would significantly improve the plugin's overall security.