Fast Page & Post Duplicator Security & Risk Analysis

The plugin "page-or-post-clone" v9.3 exhibits a generally strong security posture based on the static analysis, with no identified vulnerabilities in the attack surface (AJAX, REST API, shortcodes, cron) or critical taint flows. The code demonstrates good practices such as a high percentage of properly escaped output and a reasonable use of prepared statements for SQL queries. The presence of nonce and capability checks, although limited, also indicates an awareness of security principles.

However, the vulnerability history presents a significant concern. Two known medium-severity CVEs, specifically SQL Injection and Authorization Bypass, have been recorded. The fact that these are currently unpatched, despite the "last vulnerability" date being in the future (2026-03-04), suggests potential issues with the reporting or the plugin's maintenance cycle. While the current analysis shows no direct evidence of these vulnerabilities being present in v9.3, the historical pattern warrants caution. The plugin's strengths lie in its controlled attack surface and internal code hygiene; its weakness is the demonstrated susceptibility to certain vulnerability types in its past, which could resurface if not carefully managed.

In conclusion, while v9.3 appears to be clean from a static analysis perspective, the historical vulnerability data cannot be ignored. Users should be aware of the plugin's past issues and ensure they are kept updated with any future patches, even if current scans are clean. The lack of unpatched CVEs for the current version is a positive sign, but the past record necessitates continued vigilance.