Filr – Secure document library Security & Risk Analysis

The 'filr-protection' plugin v1.2.14 presents a mixed security posture. On the positive side, the static analysis indicates good practices with a high percentage of properly escaped output and 100% of SQL queries using prepared statements. Furthermore, all identified entry points (AJAX handlers, REST API routes, shortcodes, cron events) appear to have authorization checks, and there are a reasonable number of nonce and capability checks. However, the presence of 2 flows with unsanitized paths in the taint analysis is a significant concern, even though they are not currently classified as critical or high severity. This suggests a potential for path traversal vulnerabilities if these flows are exploited by malicious input.

The plugin's vulnerability history is deeply concerning. With a total of 6 known CVEs and 1 currently unpatched, this indicates a recurring pattern of security weaknesses. The types of past vulnerabilities, including unrestricted file uploads, path traversal, XSS, code injection, and missing authorization, are all severe. The fact that a vulnerability was recorded as recently as February 2026 suggests a history of active security issues that may not have been fully addressed or a potential for future undisclosed vulnerabilities. While the current version shows improvements in some areas, the historical context elevates the overall risk significantly.

In conclusion, while the current version of 'filr-protection' v1.2.14 has made strides in implementing secure coding practices like prepared statements and output escaping, the persistent history of significant vulnerabilities and the presence of unsanitized path flows in the taint analysis are substantial red flags. The unpatched CVE, in particular, poses an immediate and serious risk. Users should exercise extreme caution and consider the plugin's past performance when evaluating its security.