Custom Contact Details With WP List Security & Risk Analysis

The "custom-contact-details-with-wp-list" v1.0.0 plugin exhibits a mixed security posture. On the positive side, there are no known CVEs, a good sign regarding its historical security. The plugin also demonstrates awareness of security by including a nonce check, and no external HTTP requests or file operations are present, which reduces potential attack vectors.

However, significant concerns arise from the static analysis. The taint analysis reveals two high-severity flows with unsanitized data, indicating a potential for vulnerabilities if these flows are reachable by attackers. Furthermore, the output escaping is worryingly low at 38%, suggesting a high likelihood of cross-site scripting (XSS) vulnerabilities. While the plugin avoids dangerous functions and uses prepared statements for the majority of its SQL queries, the lack of capability checks and the presence of unsanitized paths in the taint analysis are critical weaknesses that could be exploited.

In conclusion, while the plugin has a clean vulnerability history, the current code analysis flags serious potential risks. The low output escaping percentage and the high-severity taint flows are the most immediate threats. The absence of capability checks on any potential entry points (though none were found to be unprotected) is also a concern for future development or if the plugin's functionality evolves. Users should exercise caution until these issues are addressed.