
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website Security & Risk Analysis
wordpress.org/plugins/simple-banner
Display a simple banner/bar at the top or bottom of your website. Now with multi-banner support.
Is Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website Safe to Use in 2026?
Generally Safe
Score 95/100
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website has a strong security track record. Known vulnerabilities have been patched promptly.
The 'simple-banner' plugin version 3.2.1 presents a mixed security posture. On the positive side, the static analysis indicates a clean attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that lack authentication or permission checks. Furthermore, all SQL queries are correctly prepared, and there are no file operations or bundled libraries to worry about. However, a significant concern arises from the output escaping, with only 30% of outputs being properly escaped, suggesting a potential for Cross-Site Scripting (XSS) vulnerabilities. While taint analysis shows no critical or high severity flows, this could be a limitation of the analysis method rather than a true absence of risk, especially given the poor output escaping.
The plugin's vulnerability history is a major red flag. With a total of 6 known CVEs, all of which are currently patched, and a history dominated by medium severity XSS vulnerabilities, this indicates a recurring pattern of insecure coding practices. The fact that the last vulnerability was as recent as October 2025 (assuming the year is a typo and should be in the past, e.g., 2023 or 2024) further emphasizes that the developers have a track record of introducing security flaws. While no current unpatched vulnerabilities exist, the historical data strongly suggests a high likelihood of future issues if the underlying coding habits do not improve.
In conclusion, while the 'simple-banner' plugin has a well-defined and seemingly controlled attack surface and uses prepared statements for its SQL queries, the extremely poor output escaping and the extensive history of XSS vulnerabilities are significant weaknesses. The lack of proper output escaping provides a clear pathway for attackers to inject malicious scripts, and the past vulnerabilities suggest a persistent insecurity in how the plugin handles user-supplied data. Users should exercise caution and consider alternative plugins with a stronger security track record.
Key Concerns
- Poor output escaping (30% properly escaped)
- Significant historical vulnerability count (6 CVEs)
- Vulnerability history dominated by medium severity XSS
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website Security Vulnerabilities
CVEs by Year
Severity Breakdown
6 total CVEs
Simple Banner <= 3.0.10 - Authenticated (Admin+) Stored Cross-Site Scripting
Simple Banner <= 3.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting
Simple Banner <= 3.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting
Simple Banner <= 2.11.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Simple Banner <= 2.11.0 - Authenticated Stored Cross-Site Scripting
Simple Banner <= 2.10.3 - Authenticated (Admin+) Stored Cross-Site Scripting
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website Code Analysis
Output Escaping
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website Attack Surface
WordPress Hooks 10
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website Maintenance & Trust
Maintenance Signals
Community Trust
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website Alternatives
Announcement Banner
announcement-banner
Display a banner at the top or bottom of your WordPress site.
TinyBar – Display notification bar, banner, announcement at the top or bottom of your website
tiny-bar
Display a notification bar, banner at the top or bottom of your website. Display amazing discount announcement and create urgency among site visitors.
Simple banner – Lightweight Announcement Banner Without jQuery
fsd-simple-banner
Simple banner a lightweight WordPress plugin without jQuery, allows adding a simple banner for announcements on your site. Perfect for notifications.
Announcer – Sticky Message Banner & Notification Bar
announcer
Add customizable WordPress notification bar to display announcements, promotions, coupons, or news at the top or bottom of your website.
Easy Notification Bar
easy-notification-bar
A simple plugin for displaying a notice at the top of your website that can be closed by the visitor. Completely free and minimal without any upsells.
Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website Developer Profile
1 plugin · 50K total installs
How We Detect Simple Banner – Easily add multiple Banners/Bars/Notifications/Announcements to the top or bottom of your website
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/simple-banner/simple-banner.css
- /wp-content/plugins/simple-banner/simple-banner.js
- simple-banner/style.css?ver=
- simple-banner.js?ver=
HTML / DOM Fingerprints
- simple-banner
- simple-banner-button
- simple-banner-text
- simpleBannerScriptParams