
Trade Runner Security & Risk Analysis
wordpress.org/plugins/traderunner
WooCommerce to Trade Me integration.
Is Trade Runner Safe to Use in 2026?
Use With Caution
Score 66/100
Trade Runner has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.
The "traderunner" v3.14 plugin exhibits a mixed security posture. On one hand, the static analysis reveals excellent adherence to secure coding practices within its current version. The absence of any dangerous functions, properly escaped output, secure handling of SQL queries with prepared statements, and a lack of file operations or external HTTP requests are all positive indicators. Furthermore, the attack surface appears minimal, with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are exposed without authentication or proper checks.
However, the plugin's vulnerability history presents significant concerns. With a total of 3 known CVEs, and notably one that remains unpatched, there is a clear track record of security flaws. The common vulnerability types identified, Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS), are serious issues that can lead to unauthorized actions and data compromise. The fact that the last vulnerability was identified in November 2025 (though this is in the future and likely a data entry error, it still indicates recent past issues) suggests that the plugin has historically struggled with security.
While the current version of the code demonstrates good development practices, the past vulnerability record, especially the unpatched CVE, poses a substantial risk. Users should be aware that despite apparently good coding in v3.14, the plugin has a history of significant vulnerabilities. The lack of nonce and capability checks on some entry points is less of a concern given the lack of exposed entry points: the analysis shows 0 unprotected entry points, and although the presence of capability checks at all suggests there might be areas that could benefit from stricter access control, the static analysis does not highlight this as a direct risk in v3.14. The unpatched CVE, however, is a critical outstanding issue.
Key Concerns
- Unpatched CVEs
- History of medium severity vulnerabilities
- Vulnerabilities: CSRF and XSS
Trade Runner Security Vulnerabilities
CVEs by Year
Severity Breakdown
3 total CVEs
Trade Runner <= 3.14 - Cross-Site Request Forgery
Trade Runner <= 3.9 - Authenticated (Admin+) Stored Cross-Site Scripting
Trade Runner <= 3.9 - Cross-Site Scripting
Trade Runner Code Analysis
SQL Query Safety
Output Escaping
Trade Runner Attack Surface
WordPress Hooks 5
Trade Runner Maintenance & Trust
Maintenance Signals
Community Trust
Trade Runner Alternatives
Essential Addons for Elementor – Popular Elementor Templates & Widgets
essential-addons-for-elementor-lite
Elementor addon offering 110+ widgets and templates — Elementor Gallery, Slider, Form, Post Grid, Menu, Accordion, WooCommerce & more.
Google for WooCommerce
google-listings-and-ads
Native integration with Google that allows merchants to easily display their products across Google’s network.
WooPayments: Integrated WooCommerce Payments
woocommerce-payments
Securely accept credit and debit cards on your WooCommerce store. Manage payments without leaving your WordPress dashboard. Only with WooPayments.
WooCommerce PayPal Payments
woocommerce-paypal-payments
PayPal's latest payment processing solution. Accept PayPal, Pay Later, credit/debit cards, alternative digital wallets and bank accounts.
Click to Chat – HoliThemes
click-to-chat-for-whatsapp
WhatsApp Chat🔥. Let's make your Web page visitors contact you through 'WhatsApp', 'WhatsApp Business'. Add matching Widget✅
Trade Runner Developer Profile
1 plugin · 100 total installs
How We Detect Trade Runner
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/traderunner/css/
- /wp-content/plugins/traderunner/js/
- /wp-content/plugins/traderunner/js/traderunner.js
- traderunner/css/traderunner.css?ver=
- traderunner/js/traderunner.js?ver=
HTML / DOM Fingerprints
- data-traderunner-nonce
- traderunner_data