Comments Extra Fields For Post,Pages and CPT Security & Risk Analysis

The "wp-comment-fields" plugin v5.1 presents a mixed security posture. On the positive side, the plugin demonstrates good practices regarding SQL query handling, with 100% of queries utilizing prepared statements. The majority of output is also properly escaped (90%), and there are no reported critical or high-severity vulnerabilities, nor are there any currently unpatched CVEs. However, significant concerns arise from the attack surface. With 6 total entry points, 4 of which lack authentication checks, there is a substantial risk of unauthorized actions or information disclosure. This is further highlighted by the presence of 4 AJAX handlers without proper authorization checks, which are often prime targets for attackers. The vulnerability history, though currently free of unpatched issues, shows a pattern of medium-severity vulnerabilities including Cross-Site Request Forgery (CSRF), Missing Authorization, and Cross-site Scripting (XSS). The last reported vulnerability in February 2024 suggests ongoing security attention is needed. While the code signals generally look good, the high number of unprotected entry points and the past vulnerability types are the primary areas of concern, indicating a need for more robust authorization controls.