Check your Last Login Security & Risk Analysis

The "last-login-on-dashboard" plugin, version 1.1, presents a mixed security posture. On the positive side, there are no known CVEs, no dangerous functions are used, and all SQL queries are properly prepared. Furthermore, there are no external HTTP requests or file operations, which limits potential attack vectors. The absence of shortcodes, cron events, and REST API routes also contributes to a smaller attack surface. However, significant concerns arise from the static analysis. The most critical finding is the presence of a taint flow with an unsanitized path, indicating a potential vulnerability where user-supplied data could be misused. Compounding this, 100% of the output is unescaped, meaning that any dynamic data displayed by the plugin could be susceptible to Cross-Site Scripting (XSS) attacks. The lack of nonce and capability checks on any entry points, though the entry points are currently zero, is a proactive risk that could become exploitable if the plugin evolves to include them without proper security measures. The plugin's history shows no prior vulnerabilities, which is a positive sign, but it does not negate the present code-level risks. Overall, while the plugin demonstrates some good practices, the unescaped output and the unsanitized path taint flow represent immediate and actionable security risks that require attention.