Simple Download Counter Security & Risk Analysis

The "simple-download-counter" v2.3 plugin exhibits a mixed security posture. On the positive side, the static analysis reveals a complete absence of unprotected AJAX handlers and REST API routes, and all SQL queries utilize prepared statements, which are strong indicators of good security development practices. The presence of nonce and capability checks, along with proper output escaping for a majority of outputs, further reinforces this. However, a significant concern arises from the taint analysis, which identified one flow with an unsanitized path. While this did not result in a critical or high-severity finding in the static analysis, unsanitized path handling is a common precursor to path traversal vulnerabilities.

The plugin's vulnerability history is a more substantial area of concern. With four known CVEs, all categorized as medium severity, and a recent vulnerability disclosure in late 2025, this suggests a pattern of security weaknesses. The types of past vulnerabilities, including Path Traversal, External Control of File Name or Path, and Cross-site Scripting, are all critical types of web application vulnerabilities that can lead to significant compromises. The fact that there are no currently unpatched vulnerabilities is a positive sign, but the historical prevalence of these specific vulnerability types warrants caution and suggests that the codebase may still harbor similar latent issues.

In conclusion, while the current version of "simple-download-counter" shows improvements in some areas like input sanitization for SQL and API endpoints, the identified taint flow involving unsanitized paths and the plugin's history of medium-severity vulnerabilities, particularly those related to path manipulation and XSS, represent notable risks. Users should remain vigilant and ensure the plugin is kept up-to-date, as past vulnerability patterns indicate a potential for recurring issues.