Exchange Rates Security & Risk Analysis

The 'exchange-rates' plugin version 1.3.0 exhibits a mixed security posture. On the positive side, the code demonstrates good practices by exclusively using prepared statements for SQL queries and achieving a high percentage of properly escaped output. The presence of nonce and capability checks, along with the absence of dangerous functions and file operations, are also encouraging signs. However, a significant concern lies in the attack surface, specifically the presence of one AJAX handler that lacks proper authentication checks. This unprotected entry point is a critical vulnerability that could be exploited by unauthenticated users. The vulnerability history reveals two previously disclosed medium-severity vulnerabilities, one of which was Cross-Site Scripting and the other Missing Authorization. While these are currently unpatched in the analyzed version, their historical recurrence suggests potential recurring weaknesses in the plugin's code. The taint analysis showing zero flows is positive, but does not fully mitigate the risk from the identified unprotected AJAX handler. Overall, while the plugin has some strengths in secure coding practices, the unprotected AJAX endpoint presents a clear and immediate risk that requires attention.