Mavis HTTPS to HTTP Redirection Security & Risk Analysis

The "mavis-https-to-http-redirect" plugin, version 1.4.3, presents a mixed security posture. On the positive side, the static analysis reveals a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events. Furthermore, all SQL queries are properly prepared, and there are no file operations or external HTTP requests, which are positive indicators. However, the analysis also flags a critical concern: 100% of output is not properly escaped, indicating a significant risk of Cross-Site Scripting (XSS) vulnerabilities if any dynamic content is displayed to users. The taint analysis also shows flows with unsanitized paths, although these did not reach a critical or high severity in this assessment, they warrant further investigation.

The plugin has a history of known vulnerabilities, with one medium severity CVE currently unpatched. This historical pattern, especially with a recent vulnerability dating to late 2025, suggests a recurring issue with security flaws. While the absence of obvious entry points for direct attacks is a strength, the unescaped output and historical vulnerability pattern are significant weaknesses. The overall risk is elevated due to the potential for XSS and the unaddressed past CVE, despite the absence of a large, exposed attack surface.