
DD Last Viewed Security & Risk Analysis
wordpress.org/plugins/dd-lastviewed
Shows the users recently viewed/visited posts, filtered on types or terms, in a widget.
Is DD Last Viewed Safe to Use in 2026?
Generally Safe
Score 85/100
DD Last Viewed has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The "dd-lastviewed" v6.2.1 plugin exhibits a mixed security posture. On the positive side, the plugin does not contain any known vulnerabilities (CVEs) and avoids the use of dangerous functions, raw SQL queries, file operations, and external HTTP requests. The static analysis also shows no evidence of critical or high severity taint flows, which is a strong indicator of generally safe code.
However, significant concerns arise from the identified attack surface and the absence of proper security checks. With a total of 6 entry points, 4 of which are AJAX handlers lacking any authentication or authorization checks, this presents a substantial risk. The complete absence of nonce checks and capability checks on these AJAX handlers means that any user, regardless of their logged-in status or role, can trigger these functionalities. Furthermore, the reported 8% rate of properly escaped output is alarmingly low, suggesting a high probability of cross-site scripting (XSS) vulnerabilities, as unsanitized output can be leveraged by attackers to inject malicious scripts.
While the plugin's history of zero vulnerabilities is reassuring, it doesn't negate the current risks identified in the static analysis. The lack of built-in security measures on a significant portion of its entry points, coupled with poor output escaping practices, creates exploitable weaknesses. The presence of Select2 as a bundled library also warrants attention, as outdated versions of bundled libraries can introduce vulnerabilities, though no specific information on its version is provided here. In conclusion, the plugin has good foundational practices regarding SQL and avoiding dangerous functions, but it suffers from critical oversight in securing its AJAX endpoints and sanitizing output, which requires immediate attention.
Key Concerns
- Unprotected AJAX handlers
- Missing nonce checks on AJAX
- Missing capability checks on AJAX
- Low output escaping rate
DD Last Viewed Security Vulnerabilities
DD Last Viewed Release Timeline
DD Last Viewed Code Analysis
Bundled Libraries
SQL Query Safety
Output Escaping
DD Last Viewed Attack Surface
- AJAX Handlers: 4
- Shortcodes: 2
- WordPress Hooks: 7
DD Last Viewed Maintenance & Trust
Maintenance Signals
Community Trust
DD Last Viewed Alternatives
Posts Viewed Recently
posts-viewed-recently
Posts Viewed Recently plugin shows recently viewed posts or pages by a visitor as a responsive sidebar widget or on a page/post using the shortcode.
Last Viewed Posts by WPBeginner
last-viewed-posts
This shows your site's visitors a personalized list of posts and pages they have recently viewed.
Arewa Recently Viewed Content
arewa-recently-viewed-content
Track and display recently viewed content for both logged-in and guest users with automatic history sync and multiple layout options.
Simple History – Track, Log, and Audit WordPress Changes
simple-history
Track changes and user activities on your WordPress site. See who created a page, uploaded an attachment, and more, for a complete audit trail.
WP Activity Log
wp-security-audit-log
The #1 user-rated activity log plugin for event logging, activity monitoring and change tracking.
DD Last Viewed Developer Profile
2 plugins · 510 total installs
How We Detect DD Last Viewed
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/dd-lastviewed/css/admin-style.css
- /wp-content/plugins/dd-lastviewed/css/style.css
- /wp-content/plugins/dd-lastviewed/js/select2.full.min.js
- /wp-content/plugins/dd-lastviewed/js/default.min.js
- /wp-content/plugins/dd-lastviewed/js/ddLastViewedFront.min.js
- dd-lastviewed/css/admin-style.css?ver=
- dd-lastviewed/css/style.css?ver=
- dd-lastviewed/js/select2.full.min.js?ver=
- dd-lastviewed/js/default.min.js?ver=
- dd-lastviewed/js/ddLastViewedFront.min.js?ver=
HTML / DOM Fingerprints
- dd_last_viewed
- data-lv-widget-id
- data-lv-post-id
- data-lv-post-type
- data-lv-cookie-prefix
- data-lv-cookie-lifetime
- data-lv-cookie-format
- (4 more not shown)
- lvData
- /wp-json/dd-lastviewed/v1/posts
- [dd_lastviewed]
- [dd_lastviewed_template]