Login-Logout Security & Risk Analysis

The login-logout plugin version 3.8 presents a mixed security posture. On the positive side, it demonstrates good practices by having no known dangerous functions, performing all SQL queries using prepared statements, and avoiding file operations and external HTTP requests. Furthermore, the attack surface appears to be minimal, with no identified AJAX handlers, REST API routes, shortcodes, or cron events, and importantly, no unprotected entry points. However, several areas raise significant concerns. The output escaping is notably poor, with only 27% of outputs being properly escaped, suggesting a high risk of Cross-Site Scripting (XSS) vulnerabilities. The taint analysis, though limited in scope, revealed two flows with unsanitized paths, which, while not currently categorized as critical or high, warrants attention. The plugin's vulnerability history is a significant red flag, with one unpatched medium severity CVE for XSS. The fact that this is the most recent vulnerability and it remains unpatched indicates a potential lack of ongoing security maintenance and a recurring pattern of XSS issues.