Cyberus Key Security & Risk Analysis

The "cyberus-key" plugin v1.1 presents a mixed security posture. While it demonstrates good practices in its use of prepared statements for SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface and lack of robust security checks. The presence of one unprotected REST API route is a critical vulnerability, providing an easily exploitable entry point for attackers. Furthermore, the complete absence of nonce and capability checks across all entry points is alarming, suggesting a broad susceptibility to various attack vectors such as Cross-Site Request Forgery (CSRF) and unauthorized privilege escalation. The plugin's history of two medium-severity Cross-Site Scripting (XSS) vulnerabilities, with the last one occurring in March 2023, indicates a recurring pattern of input sanitization issues. Although there are no currently unpatched CVEs, this history, coupled with the identified code weaknesses, points to a plugin that requires immediate attention to secure its exposed functionalities.