SOGO Author's Recent Posts Security & Risk Analysis

The static analysis of the "oh-authors-recent-posts-widget" plugin v1.8 reveals a generally good security posture in some areas, with a complete absence of external HTTP requests, file operations, and SQL queries not using prepared statements. The attack surface is notably zero, with no AJAX handlers, REST API routes, shortcodes, or cron events, which significantly reduces the potential entry points for attackers. However, the plugin exhibits critical weaknesses that warrant caution.

The presence of the `create_function` dangerous function is a significant concern, as it can be a vector for code injection if used with unsanitized input. Furthermore, the extremely low percentage (9%) of properly escaped output is a major red flag. This indicates that a large portion of the plugin's output is vulnerable to Cross-Site Scripting (XSS) attacks, allowing attackers to inject malicious scripts into web pages viewed by users.

The vulnerability history of zero recorded CVEs is positive, suggesting a lack of publicly known, exploitable vulnerabilities. This, combined with the secure handling of SQL queries and the absence of an attack surface, paints a picture of a plugin that might be well-intentioned but suffers from fundamental insecure coding practices. The lack of nonce and capability checks is also concerning, as it leaves functionalities that might exist (though not evident in the zero attack surface) open to unauthorized access or manipulation.