EDD Recent downloads Security & Risk Analysis

The "edd-recent-downloads" v1.0 plugin presents a mixed security posture. On the positive side, it exhibits excellent practices regarding SQL injection prevention, with 100% of queries using prepared statements. Furthermore, the plugin has no known vulnerabilities, no recorded CVEs, and a clean vulnerability history, suggesting a generally stable and well-maintained codebase.

However, significant concerns arise from the static analysis. The presence of the `create_function` is a notable risk, as it can lead to code injection vulnerabilities if user-supplied data is ever used within its definition, though the absence of taint analysis flows in this release makes it hard to quantify the immediate risk. More importantly, only 24% of outputs are properly escaped, indicating a high potential for Cross-Site Scripting (XSS) vulnerabilities. The complete lack of nonce checks and capability checks on any entry points, combined with zero protected entry points, leaves the plugin highly susceptible to unauthorized actions and privilege escalation if any interaction points were to be introduced or discovered.

While the current attack surface appears minimal (0 entry points), this plugin has several fundamental security weaknesses that would become critical if the attack surface expands or if the `create_function` were ever to process untrusted input. The low output escaping coverage is the most immediate and probable risk.