Error Log Viewer By WP Guru Security & Risk Analysis

The 'error-log-viewer-wp' plugin version 1.0.5 exhibits a mixed security posture. While it demonstrates some good practices like a high percentage of prepared SQL statements and properly escaped output, significant concerns are present. The presence of two unprotected AJAX handlers drastically expands the attack surface, creating potential entry points for malicious actors. Furthermore, the taint analysis reveals one flow with unsanitized paths, indicating a potential for path traversal vulnerabilities, even if not classified as critical in this analysis.

The vulnerability history is a major red flag. With two known CVEs, including a currently unpatched high-severity vulnerability related to SQL Injection and Path Traversal, the plugin has a documented history of exploitable flaws. The recentness of the last vulnerability (2025-04-09) suggests ongoing security issues. The use of the `unserialize` function, a known dangerous function, coupled with unsanitized path flows and a history of path traversal, raises concerns about potential remote code execution or sensitive file access.

In conclusion, while the plugin has some positive security implementations, the combination of an exposed attack surface via unprotected AJAX handlers, a critical taint flow indicating potential path traversal, the dangerous `unserialize` function, and a history of serious unpatched vulnerabilities makes this plugin a considerable security risk. Users should exercise extreme caution and prioritize patching or deactivating it.