Last.wp Security & Risk Analysis

The "lastwp" plugin v0.2 exhibits a mixed security posture. On the positive side, there are no registered CVEs and no identified vulnerabilities in its history. Furthermore, the plugin demonstrates good practices by exclusively using prepared statements for SQL queries and not performing any file operations or external HTTP requests. The absence of a significant attack surface through AJAX handlers, REST API routes, shortcodes, or cron events is also a strength.

However, significant concerns arise from the static code analysis. The presence of the `create_function` is a dangerous function that can lead to remote code execution if not handled with extreme care. More critically, 100% of the plugin's outputs are not properly escaped. This is a major security flaw that can pave the way for Cross-Site Scripting (XSS) attacks, allowing malicious actors to inject arbitrary scripts into the user's browser. The complete lack of nonce and capability checks, while seemingly mitigated by a zero attack surface, leaves the plugin vulnerable if any entry points are accidentally exposed or if future versions introduce them without proper security measures.

While the lack of vulnerability history is a positive indicator, it should not overshadow the critical security weaknesses identified in the code. The unescaped output and the use of `create_function` represent immediate and serious risks that require prompt attention. The plugin's strengths lie in its limited scope and SQL handling, but these are overshadowed by its output sanitization and dangerous function usage.