RIS Version Switcher – Downgrade or Upgrade WP Versions Easily Security & Risk Analysis

The "ris-version-switcher" v1.0 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals that all identified entry points, including the four AJAX handlers, have capability checks, and there are no unescaped outputs or raw SQL queries. The absence of dangerous functions and unsanitized taint flows further suggests good coding practices in these areas. However, a significant concern arises from the complete lack of nonce checks on its AJAX handlers. This is a critical oversight that exposes the plugin to Cross-Site Request Forgery (CSRF) attacks, especially since the vulnerability history indicates a past CSRF vulnerability. The existence of a known, currently unpatched medium-severity CVE is a major red flag and demands immediate attention. While the code itself appears to be built with some security awareness, the unpatched vulnerability and the missing nonce protection significantly elevate the risk profile.