rss-per-page Security & Risk Analysis

The 'rss-per-page' plugin v1.6 presents a mixed security posture. On the positive side, it demonstrates good practices in handling SQL queries with prepared statements and includes a nonce check and capability check, suggesting some awareness of security principles. Its vulnerability history is clear, with no known CVEs, which is encouraging. However, the static analysis reveals critical concerns. The presence of `create_function` is a significant risk, as it can lead to code injection vulnerabilities if not handled with extreme care, and this function is considered deprecated and unsafe. Furthermore, a low rate of output escaping (17%) is a major red flag, indicating a high likelihood of cross-site scripting (XSS) vulnerabilities where user-supplied data is displayed without proper sanitization.

While the plugin has a small attack surface and no recorded vulnerabilities, the identified code signals and the lack of comprehensive output escaping create a notable risk. The use of `create_function` is a specific and severe weakness that could be exploited. The low output escaping rate means that many points of user interaction within the plugin could potentially lead to XSS. In conclusion, despite a clean vulnerability history and some good security implementations, the presence of `create_function` and widespread unescaped output significantly lower its overall security rating, making it a moderate to high-risk plugin.