Google Webfont Optimizer Security & Risk Analysis

The 'google-webfont-optimizer' v0.2.4 plugin exhibits some concerning security practices despite a seemingly clean vulnerability history. The static analysis reveals a significant weakness in its handling of SQL queries, with 100% of them not utilizing prepared statements. This, combined with 4 identified taint flows with unsanitized paths, suggests a high potential for SQL injection vulnerabilities. While there are no recorded CVEs, the absence of these doesn't guarantee security, especially given the specific code signals.

The plugin's attack surface appears minimal with no exposed AJAX handlers, REST API routes, shortcodes, or cron events. However, this is overshadowed by the lack of capability checks for any potential entry points, which, combined with the taint analysis findings, presents a substantial risk. The low percentage of properly escaped output is also a concern, increasing the likelihood of cross-site scripting (XSS) vulnerabilities.

Overall, while the plugin benefits from a lack of known vulnerabilities and a small attack surface, the identified code-level issues, particularly the unescaped taint flows and raw SQL queries, point to significant security risks that require immediate attention. The absence of vulnerability history might be due to the plugin's limited adoption or simply a lack of thorough auditing.