Icons Font Loader – Load Web Fonts and Icon Libraries Security & Risk Analysis

The "icons-font-loader" plugin version 1.1.7 presents a mixed security posture. While the static analysis indicates a relatively small attack surface with no direct vulnerabilities found in the analyzed code, the historical vulnerability data raises significant concerns. The presence of 3 past CVEs, including 2 high and 1 medium severity, with common patterns of SQL injection and unrestricted file uploads, suggests recurring weaknesses in the plugin's development. The fact that the latest vulnerability was as recent as January 2024 and is currently unpatched is a major red flag, indicating that these past issues may not have been fully remediated or that new ones have emerged.

Although the current static analysis shows no critical or high taint flows, and a good percentage of SQL queries are prepared and outputs are escaped, the historical context cannot be ignored. The absence of capability checks on its single AJAX handler is a weakness, as it means any authenticated user could potentially trigger this functionality. The plugin's history of critical vulnerability types points to a need for rigorous security auditing and a more robust development lifecycle to prevent these types of issues from recurring.

In conclusion, while the immediate static analysis doesn't reveal active exploitable vulnerabilities in this specific version, the plugin's past and the unpatched nature of its latest known vulnerability make it a moderate to high-risk component. The potential for SQL injection and file upload vulnerabilities to re-emerge, coupled with the lack of capability checks on its entry points, necessitates caution. Users should strongly consider updating to a version that has addressed all known vulnerabilities, and developers should focus on more secure coding practices and thorough security testing.