Logo Carousel Slider Security & Risk Analysis

The plugin "logo-carousel-slider" v2.1.3 exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries, performing nonce checks, and capability checks, and avoiding external HTTP requests and file operations. The attack surface is also relatively small with only one shortcode identified as an entry point, and importantly, no unprotected entry points were found in the static analysis. However, concerns arise from the presence of a dangerous function (`create_function`) and a notable percentage of output not being properly escaped (57%). This suggests a potential for cross-site scripting vulnerabilities, especially considering the plugin's vulnerability history.

The plugin has a history of known vulnerabilities, with one medium severity Cross-site Scripting (XSS) vulnerability identified and currently unpatched. The fact that the last vulnerability was recorded in April 2025, and it's still unpatched, is a significant concern. This pattern indicates a potential for ongoing security weaknesses and a lack of timely security patching by the developers. While the static analysis did not reveal critical or high severity taint flows, the combination of potentially unsafe coding practices like `create_function` and unescaped output, coupled with an existing unpatched XSS vulnerability, elevates the overall risk.

In conclusion, while "logo-carousel-slider" v2.1.3 has some strong security foundations, the identified dangerous function, insufficient output escaping, and an unpatched medium severity XSS vulnerability significantly detract from its security. Users should exercise caution and prioritize applying any available patches or consider alternative plugins if immediate security is paramount.