Virusdie – One-click website security Security & Risk Analysis

The Virusdie plugin v1.1.8 exhibits a mixed security posture. On one hand, the static analysis shows a very small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are unprotected. Furthermore, all detected SQL queries use prepared statements, which is a strong defense against SQL injection. However, concerns arise from the output escaping, where only 43% of outputs are properly escaped, indicating a potential risk for Cross-Site Scripting (XSS) vulnerabilities. The presence of one flow with an unsanitized path, although not classified as critical or high, warrants attention as it could be a vector for path traversal or similar attacks.

The plugin's vulnerability history is a significant concern. With four known medium-severity CVEs, all of which are currently unpatched according to the provided data, this plugin carries a substantial risk. The common types of vulnerabilities found (Exposure of Sensitive Information, Missing Authorization, CSRF) are serious and suggest recurring issues with access control and data handling. The fact that the last vulnerability was reported in 2026 indicates that these are recent and unaddressed security flaws.

In conclusion, while the plugin has a minimal attack surface and good practices in database query handling, the unpatched historical vulnerabilities and the moderate percentage of unescaped output present significant risks. The presence of unsanitized paths also adds to the potential attack vectors. Users should exercise extreme caution and prioritize patching or finding an alternative if these vulnerabilities remain unaddressed.