Oracle Cards Lite – Interactive Card Deck Plugin for WordPress Security & Risk Analysis

The 'oracle-cards' plugin, version 1.2.7, exhibits a mixed security posture. On the positive side, it demonstrates good practices by using prepared statements for all SQL queries, has a high percentage of properly escaped output, and performs nonce and capability checks on a majority of its entry points. There are no reported dangerous functions, file operations, or external HTTP requests, which are excellent indicators of secure coding. However, a significant concern is the presence of four unprotected AJAX handlers, which represent a substantial attack surface that could be exploited by unauthenticated users.

The vulnerability history indicates a past medium-severity Cross-Site Scripting (XSS) vulnerability, which, while currently patched, suggests a recurring pattern of input sanitization issues. The single flow with an unsanitized path identified in the taint analysis, despite not being classified as critical or high severity, aligns with this XSS history and warrants attention as a potential vector for indirect data compromise or manipulation.

Overall, while the plugin has strong foundations in SQL and output handling, the unprotected AJAX endpoints and the historical XSS vulnerability present clear risks. Addressing these specific areas would significantly improve the plugin's security.