Header Footer Script Adder – Insert Code in Header, Body & Footer Security & Risk Analysis

The "header-and-footer-script-adder" plugin v2.0.6 exhibits a mixed security posture. On the positive side, the static analysis reveals a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are unprotected. This indicates a good practice in limiting direct entry points into the plugin's functionality.

However, there are notable areas of concern. The plugin performs SQL queries without using prepared statements, which is a significant risk for SQL injection vulnerabilities. Furthermore, a substantial portion of output escaping is missing, suggesting a potential for Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not handled securely before being displayed.

The plugin's vulnerability history shows one past medium-severity CVE related to XSS. While this vulnerability is currently patched, the pattern of a past XSS issue, combined with the unescaped output found in the static analysis, warrants caution. The absence of critical or high severity vulnerabilities in its history is a positive sign, but the presence of any vulnerability, especially one related to XSS, coupled with insecure coding practices in the current version, points to a need for vigilance.