WC Subscription Report Lite Security & Risk Analysis

The "wc-subscription-report-lite" v1.9 plugin exhibits a mixed security posture. On one hand, the plugin demonstrates good practices by exclusively using prepared statements for all SQL queries and has no recorded vulnerability history, suggesting a generally well-maintained codebase. The attack surface is also minimal, with no exposed AJAX handlers, REST API routes, shortcodes, or cron events that lack authentication or permission checks.

However, significant concerns arise from the static code analysis. The presence of `create_function` is a critical security risk, as it can lead to arbitrary code execution if user-supplied input is used within it without proper sanitization. Furthermore, the output escaping is severely lacking, with only 1% of outputs properly escaped. This indicates a high likelihood of cross-site scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the user interface.

While the plugin has no known CVEs, the internal code quality issues, particularly the use of `create_function` and widespread unescaped output, present a substantial inherent risk. The absence of a vulnerability history might be due to the plugin not being widely targeted or extensively audited, rather than a true absence of vulnerabilities. Users should be aware of these internal weaknesses despite the clean CVE record.