Duplicate Post Page Menu & Custom Post Type Security & Risk Analysis

The "duplicate-post-page-menu-custom-post-type" plugin v3.0.1 exhibits a mixed security posture. While it has a relatively small attack surface and no identified critical or high-severity vulnerabilities in its history, concerns arise from its static analysis. Specifically, two out of three AJAX handlers lack authentication checks, creating a significant entry point for unauthorized actions. The plugin also shows some weaknesses in output escaping, with only 60% being properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities if untrusted data is involved. The presence of two medium-severity CVEs in its history, both related to missing authorization, reinforces the concern around unauthenticated access points. While the current version has no unpatched CVEs and a good rate of prepared SQL statements, the identified lack of authorization on AJAX endpoints is a notable weakness that needs to be addressed. The absence of dangerous functions, file operations, and external HTTP requests are positive security indicators. Overall, the plugin has strengths in its code hygiene but requires immediate attention to its authentication mechanisms for AJAX handlers.