Simple Sticky Footer Security & Risk Analysis

The 'simple-sticky-footer' plugin, version 1.3.5, exhibits a mixed security posture. On the positive side, it demonstrates good practices by not utilizing dangerous functions, all SQL queries are prepared, and there are no observed file operations or external HTTP requests. The presence of nonce checks and a single shortcode as the sole entry point with no explicit authentication bypasses is also encouraging. However, a significant concern arises from the moderate output escaping, with 61% of outputs not being properly escaped. This leaves the plugin susceptible to Cross-Site Scripting (XSS) vulnerabilities, especially given its history.

The plugin's vulnerability history is a major red flag. With two known CVEs, one of which is still unpatched and classified as high severity, the plugin has a demonstrable track record of security flaws. The common types of past vulnerabilities, XSS and CSRF, align with potential risks stemming from improperly escaped output. The existence of an unpatched high-severity vulnerability indicates a lack of timely security maintenance, posing an immediate risk to users. While the static analysis does not reveal critical taint flows or direct SQL injection vectors, the historical context strongly suggests that potential vulnerabilities are likely related to input handling and output rendering.

In conclusion, 'simple-sticky-footer' v1.3.5 has strengths in its control over dangerous functions and SQL queries. However, the incomplete output escaping and, more critically, the presence of an unpatched high-severity vulnerability and a history of XSS/CSRF issues, present a substantial risk. Users should exercise extreme caution and prioritize updating to a version that addresses the known vulnerability, if available, or consider alternative plugins.