Hide admin notices – Admin Notification Center Security & Risk Analysis

The "wp-admin-notification-center" plugin version 3.4.0 exhibits a mixed security posture. On the positive side, it demonstrates good practices regarding SQL queries, utilizing prepared statements exclusively, and has no critical or high severity vulnerabilities recorded in its history. The absence of file operations and external HTTP requests also reduces the attack surface in those areas. However, significant concerns arise from the static analysis. The plugin has a notable attack surface with one AJAX handler that lacks authentication checks, creating a direct entry point for potential exploitation. Furthermore, a concerning 71% of its output is not properly escaped, increasing the risk of Cross-Site Scripting (XSS) vulnerabilities. While there's a nonce check present for one entry point, the lack of capability checks on any entry points is a major security oversight.

The vulnerability history shows a single medium severity CVE related to Cross-Site Request Forgery (CSRF). The fact that this vulnerability is currently unpatched is a serious concern, even if it's not critical or high. The presence of unsanitized paths in taint analysis, although not reaching critical or high severity, alongside the high percentage of unescaped output, suggests potential avenues for malicious input manipulation that could lead to unintended consequences. In conclusion, while the plugin avoids some common pitfalls like raw SQL and critical vulnerabilities, the unprotected AJAX handler, extensive unescaped output, and lack of capability checks represent substantial weaknesses that require immediate attention.