Eazy Plugin Manager – Powerful Plugin Management Solution for WordPress Security & Risk Analysis

The plugin "plugins-on-steroids" v4.4.1 exhibits a mixed security posture. While the static analysis shows a good number of protected entry points and a lack of critical or high-severity taint flows, there are significant concerns regarding its handling of database queries and output sanitization. All detected SQL queries are not using prepared statements, posing a substantial risk for SQL injection vulnerabilities, especially given the presence of 12 file operations which could potentially be manipulated. The limited number of capability checks (7) compared to the number of AJAX handlers (18) also suggests potential authorization weaknesses if not all AJAX handlers are adequately protected by other means not fully captured by these metrics.

The vulnerability history reveals a past pattern of "Missing Authorization" vulnerabilities and two medium-severity CVEs, one of which was recently disclosed in April 2025. Although currently unpatched CVEs are zero, the historical trend of authorization issues and the fact that SQL queries lack prepared statements are key areas of concern. The proper escaping of outputs is also a weakness, with 31% of outputs not being properly escaped, which can lead to cross-site scripting (XSS) vulnerabilities. Despite a relatively clean taint analysis and a protected attack surface in this version, these underlying code quality issues and historical trends warrant caution.