Most Popular Posts Widget Security & Risk Analysis

The "most-popular-posts-widget-lite" plugin, version 1.2.0, presents a significant security risk due to several critical weaknesses identified in the static analysis. While the attack surface appears limited with no unprotected AJAX handlers or REST API routes, the code analysis reveals concerning practices. The presence of a dangerous function ('create_function') and a complete lack of proper output escaping (0% properly escaped) indicate a high susceptibility to cross-site scripting (XSS) vulnerabilities. Furthermore, all SQL queries (15 total) are executed without prepared statements, opening the door for SQL injection attacks. The plugin also lacks essential security checks like nonce and capability verifications, making it easier for attackers to exploit potential vulnerabilities. The vulnerability history shows a past high-severity SQL injection issue, reinforcing the concerns about its SQL query handling. While there are no currently unpatched vulnerabilities, the historical pattern and the code analysis findings suggest a plugin that has historically had and currently exhibits poor security hygiene.