Sticky Buttons – Floating Buttons Builder Security & Risk Analysis

The 'sticky-buttons' plugin version 4.3.5 exhibits a generally good security posture, with a low attack surface and strong adherence to secure coding practices. The plugin demonstrates high percentages of prepared SQL statements and properly escaped output, which are crucial for preventing common web vulnerabilities. Additionally, the presence of nonce and capability checks on its limited entry points is a positive indicator. The absence of external HTTP requests and bundled libraries further reduces potential attack vectors.

However, the static analysis did reveal three high-severity taint flows. While these did not result in critical severity, they still represent potential risks that warrant attention. The vulnerability history shows a past pattern of Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) vulnerabilities, with the most recent one being in January 2025. Although there are currently no unpatched vulnerabilities, this history suggests a recurring need for rigorous security auditing and testing for this plugin to address these types of issues proactively.

In conclusion, the 'sticky-buttons' plugin has several strengths, including a small attack surface and good output sanitization. The presence of high-severity taint flows and past vulnerability trends are the primary areas of concern. While the plugin is currently free of unpatched CVEs, the identified taint flows and historical vulnerability types suggest that ongoing vigilance and potentially a more thorough review of input sanitization for certain data paths are advisable to maintain a robust security profile.