
Who Is Online Now Security & Risk Analysis
wordpress.org/plugins/who-is-online-now
See how many visitors and authors are online, and also how many are from mobile devices, with this plugin. It's an Ajax-based plugin.
Is Who Is Online Now Safe to Use in 2026?
Generally Safe
Score 85/100
Who Is Online Now has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.
The 'who-is-online-now' v1.0.2 plugin exhibits several concerning security practices that significantly elevate its risk profile. The static analysis reveals a substantial attack surface with two AJAX handlers, both lacking authentication checks. This is a critical vulnerability as it allows any unauthenticated user to interact with these handlers, potentially triggering unintended actions or exposing sensitive information. Furthermore, the presence of a dangerous function like `create_function` is a red flag, often associated with code injection vulnerabilities. The low percentage of properly escaped output (20%) suggests that user-supplied data might be rendered directly into the HTML, opening the door to Cross-Site Scripting (XSS) attacks.
The plugin's vulnerability history is notably clean, with no recorded CVEs. While this might seem positive, it does not negate the risks identified in the code. A clean history can sometimes be misleading, especially for plugins that are not widely targeted or have not undergone extensive security audits. The lack of taint analysis results is also a point of concern, as it implies either the analysis tool could not effectively analyze the code or no obvious taint flows were detected, which doesn't necessarily mean the code is secure.
In conclusion, the 'who-is-online-now' v1.0.2 plugin has a poor security posture due to its unprotected entry points, use of dangerous functions, and inadequate output escaping. The absence of known vulnerabilities should not be interpreted as a guarantee of security, given the identified code-level weaknesses. These issues collectively present a significant risk to any WordPress site using this plugin.
Key Concerns
- Unprotected AJAX handlers
- Dangerous function detected (create_function)
- Low output escaping rate
- No nonce checks on AJAX
- No capability checks
- Low percentage of prepared SQL statements
Who Is Online Now Security Vulnerabilities
Who Is Online Now Code Analysis
Dangerous Functions Found
SQL Query Safety
Output Escaping
Who Is Online Now Attack Surface
AJAX Handlers 2
Shortcodes 1
WordPress Hooks 7
Who Is Online Now Maintenance & Trust
Maintenance Signals
Community Trust
Who Is Online Now Developer Profile
2 plugins · 80 total installs
How We Detect Who Is Online Now
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/who-is-online-now/inc/wpmwo_visitor.css
- /wp-content/plugins/who-is-online-now/inc/wpmwo_visitor.js
- who-is-online-now/inc/wpmwo_visitor.css?ver=
- who-is-online-now/inc/wpmwo_visitor.js?ver=
HTML / DOM Fingerprints
- wpmwo_member_avatar
- wpmwo_member_name
- data-avatar_size
- data-show_member
- data-member_style
- data-hide_admin
- wpmwo_get_online_user_ajax
- <span id='mvtotalss'>
- <span id='mvreguserss'>
- <span id='mvmbuserss'>
- <li class="wpmwo_member_avatar">