LWS Cleaner Security & Risk Analysis

The 'lws-cleaner' plugin v2.4.3 exhibits a mixed security posture. While the static analysis shows a high percentage of properly escaped output and a lack of critical taint flows, several concerning areas persist. The plugin exposes a significant attack surface with 16 AJAX handlers, and alarmingly, one of these lacks any authentication checks. This is a major security gap that could allow unauthorized users to trigger plugin functionality.

The vulnerability history of this plugin is a significant concern. It has a history of three known CVEs, with two classified as high severity, one medium, and a common pattern including Absolute Path Traversal, Cross-Site Request Forgery (CSRF), and Missing Authorization. Although there are currently no unpatched vulnerabilities, this history indicates a recurring tendency to introduce critical security flaws. The last reported vulnerability was in September 2025, suggesting potential for new issues to arise.

In conclusion, while the plugin demonstrates some good practices like extensive output escaping and no reported critical taint flows, the unprotected AJAX handler and the consistent history of high-severity vulnerabilities, particularly those related to authorization and path traversal, present a considerable risk. Users should exercise caution and ensure the plugin is kept up-to-date, and actively monitor for any new security advisories.