
Last Viewed Posts by WPBeginner Security & Risk Analysis
wordpress.org/plugins/last-viewed-posts
This shows your site's visitors a personalized list of posts and pages they have recently viewed.
Is Last Viewed Posts by WPBeginner Safe to Use in 2026?
Generally Safe
Score 88/100
Last Viewed Posts by WPBeginner has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.
The "last-viewed-posts" plugin v1.0.2 exhibits a mixed security posture. On the positive side, the static analysis shows no identified entry points such as AJAX handlers, REST API routes, or shortcodes that are directly exposed without authentication. The code also demonstrates good practices with 100% of SQL queries using prepared statements and no identified dangerous functions or file operations. However, a significant concern is the moderate output escaping, with only 42% of outputs properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities if data is not handled carefully before being displayed.
The plugin's vulnerability history is a major red flag. Its two known CVEs, one critical and one medium, and a recent vulnerability discovered in December 2024 indicate a pattern of past security weaknesses. The common vulnerability types of Improper Access Control and Deserialization of Untrusted Data suggest that the plugin has historically struggled with securely handling user input and managing permissions. While there are currently no unpatched vulnerabilities, the existence of past critical issues and the lack of any capability checks or nonce checks in the static analysis are concerning, especially given the historical context.
In conclusion, while the current static analysis does not reveal immediate, exploitable attack vectors, the plugin's past vulnerability history, particularly critical ones, combined with the moderate output escaping and absence of capability checks, presents a significant risk. Users should exercise caution and consider whether the benefits of the plugin outweigh the potential risks and the ongoing need for vigilant monitoring and potential future patching.
Key Concerns
- Unescaped output detected (58% not escaped)
- Past critical vulnerability (1)
- Past medium vulnerability (1)
- No capability checks
- No nonce checks
Last Viewed Posts by WPBeginner Security Vulnerabilities
CVEs by Year
Severity Breakdown
2 total CVEs
Last Viewed Posts by WPBeginner <= 1.0.1 - Unauthenticated Sensitive Information Exposure
Last Viewed Posts by WPBeginner <= 1.0.0 - Unauthenticated PHP Object Injection
Last Viewed Posts by WPBeginner Release Timeline
Last Viewed Posts by WPBeginner Code Analysis
Output Escaping
Last Viewed Posts by WPBeginner Attack Surface
WordPress Hooks 5
Last Viewed Posts by WPBeginner Maintenance & Trust
Maintenance Signals
Community Trust
Last Viewed Posts by WPBeginner Alternatives
Last Viewed Posts by WPBeginner Developer Profile
1 plugin · 500 total installs
How We Detect Last Viewed Posts by WPBeginner
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/last-viewed-posts/assets/index.js
- am.view_last_posts?ver=
HTML / DOM Fingerprints
- am.last-viewed-posts.display-none
- viewed_posts
- amViewLastPosts
<ul class="viewed_posts am.last-viewed-posts.display-none"></ul>
<script>
( 'amViewLastPosts' in window && 'script' in amViewLastPosts && amViewLastPosts.script(amViewLastPosts.settings, window, document) )
</script>