Image lazyloading by Fastseen Security & Risk Analysis

The "fastseen-lazyloading" plugin v1.0.2 presents a mixed security posture. On the positive side, it demonstrates good practices regarding SQL queries, utilizing prepared statements exclusively, and has no recorded vulnerability history or dangerous functions. The absence of file operations and external HTTP requests is also a positive indicator. However, significant concerns arise from the static analysis. The plugin exposes a notable attack surface with 2 REST API routes, both of which lack permission callbacks, meaning they are unprotected and can be accessed by any user. Furthermore, the plugin exhibits a critical weakness in output escaping, with 0% of its 7 outputs being properly escaped. This could lead to Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not sanitized before being displayed.

The taint analysis shows no identified flows, which is a positive sign, but this is in the context of the limited flows analyzed. The lack of nonce checks and capability checks on the identified entry points further exacerbates the risks associated with the unprotected REST API routes. The plugin's current state indicates a need for immediate attention to address the unprotected API endpoints and the prevalent output escaping issues. While the absence of historical vulnerabilities is encouraging, it does not negate the immediate risks identified in the current version's code.