Level system Security & Risk Analysis

The "level-system" plugin v1.0.2 exhibits a concerning security posture despite the absence of known vulnerabilities and a seemingly small attack surface. The static analysis reveals critical weaknesses, particularly the presence of the `create_function` construct, which is widely deprecated due to its potential for arbitrary code execution. Furthermore, all SQL queries are executed without prepared statements, leaving them vulnerable to SQL injection attacks. The low percentage of properly escaped output (31%) indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities across various output points. The taint analysis showing flows with unsanitized paths, even without critical or high severity, is a strong indicator that user-supplied data is not being adequately validated or sanitized before use, which can lead to exploitable conditions if combined with other weaknesses. While the plugin has no recorded CVEs, this is likely due to the fundamental flaws in its code rather than its inherent security. The lack of capability checks and nonce checks further exacerbates these risks, allowing unauthenticated or unauthorized users to potentially interact with sensitive functionalities if an attack vector is discovered. In conclusion, the plugin has significant security flaws that outweigh its perceived small attack surface and lack of vulnerability history. Immediate attention is required to address the insecure coding practices identified.