WP Author Report Free Security & Risk Analysis

The wp-author-report-free plugin version 1.0.7 exhibits a mixed security posture. On the positive side, there are no recorded vulnerabilities (CVEs) in its history, and the static analysis reveals no directly exploitable attack vectors like unprotected AJAX handlers, REST API routes, shortcodes, or cron events. Furthermore, the absence of dangerous functions, file operations, and external HTTP requests is commendable. However, significant concerns arise from the code analysis. A substantial percentage of SQL queries (73%) are not using prepared statements, posing a high risk of SQL injection. Equally worrying is the very low rate of proper output escaping (5%), indicating a strong likelihood of cross-site scripting (XSS) vulnerabilities. The taint analysis, while limited in scope, did identify two flows with unsanitized paths, suggesting potential for path traversal or other file system related vulnerabilities, though the severity was not classified as critical or high in the static analysis. The plugin also lacks any explicit nonce checks, and only one capability check is present, leaving much of its functionality potentially accessible without proper authorization, especially when combined with the output escaping issues.