More Subscribers Security & Risk Analysis

The "more-subscribers" plugin v2.0.0 exhibits a concerning security posture primarily due to a significant number of unprotected entry points. With 2 out of 2 total entry points lacking authentication checks, this plugin presents a substantial risk of unauthorized access and potential abuse. The absence of capability checks further exacerbates this issue, meaning any user, regardless of their role or permissions, could potentially trigger these vulnerable AJAX actions. While the plugin performs well in other areas, such as the absence of dangerous functions, SQL injection vulnerabilities, and external HTTP requests, the fundamental lack of security on its AJAX handlers is a critical flaw.

The vulnerability history of this plugin is clean, showing no recorded CVEs. This might suggest that past versions were either robust or have not been thoroughly analyzed. However, the current static analysis reveals critical weaknesses that, even without a historical record of exploitation, demand immediate attention. The plugin's reliance on prepared statements for SQL queries and the minimal number of outputs (though poorly escaped) are positive signs, but they are overshadowed by the severe lack of authorization on its entry points.

In conclusion, while the "more-subscribers" plugin v2.0.0 demonstrates strengths in its SQL handling and lack of external communication, its security is severely compromised by its unprotected AJAX endpoints. The absence of proper authentication and authorization mechanisms on these entry points is a critical vulnerability that could lead to significant security breaches. The lack of historical vulnerabilities should not be a reason to overlook these present, evident risks.