Rocket Maintenance Mode & Coming Soon Page Security & Risk Analysis

The rocket-maintenance-mode plugin v4.4 exhibits a mixed security posture. On the positive side, it has a very small attack surface with only one AJAX handler, and importantly, all identified entry points appear to have authorization checks. The absence of dangerous functions, file operations, and external HTTP requests is also encouraging. However, significant concerns arise from the handling of SQL queries and output escaping. The static analysis reveals that 100% of SQL queries are not using prepared statements, which is a critical vulnerability for potential SQL injection. Furthermore, only 38% of output is properly escaped, indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities across various outputs.

The vulnerability history shows one past medium-severity CVE related to Cross-Site Scripting, last patched in December 2023. While there are no currently unpatched vulnerabilities, the historical occurrence of XSS, coupled with the static analysis findings of poor output escaping, suggests a recurring pattern of insecure input/output handling. The plugin also bundles Freemius v1.0, which, if outdated, could introduce additional risks, though its specific version doesn't immediately indicate a severe issue without further context on Freemius's security history.

In conclusion, while the plugin has a limited attack surface and has addressed past vulnerabilities, the lack of prepared statements for SQL and the low percentage of properly escaped output present substantial risks. The historical XSS vulnerability reinforces these concerns. Further investigation into the specific SQL queries and output points is highly recommended to mitigate these identified weaknesses.