Pushe Web Push Notification Security & Risk Analysis

The plugin 'pushe-webpush' v0.5.0 exhibits a mixed security posture. While the static analysis reveals no detected attack surface and a complete absence of dangerous functions and raw SQL queries, indicating good practices in these areas, significant concerns arise from other metrics. The low percentage of properly escaped output (17%) is a major red flag, suggesting a high likelihood of cross-site scripting vulnerabilities. Furthermore, the complete lack of nonce and capability checks, combined with no authorization checks on any identified entry points (although the attack surface is currently reported as zero), raises questions about its robustness against unauthorized access or manipulation if entry points were to be discovered or added.

The vulnerability history is particularly worrying, with one unpatched medium severity CVE related to Cross-site Scripting. This, coupled with the fact that the last vulnerability was very recent (2025-09-05), strongly indicates a pattern of insecure coding practices that have led to exploitable flaws. The presence of this unpatched vulnerability, despite the absence of identified critical or high severity issues in the static analysis, means a known risk is present and actively exploitable. In conclusion, while the plugin appears to have some secure foundational elements like prepared SQL statements, the pervasive risk of XSS due to poor output escaping and the existence of an unpatched medium severity vulnerability present a significant security concern for users.