WP Currencies Security & Risk Analysis

The "wp-currencies" v1.4.6 plugin exhibits a concerning security posture due to a significant number of unprotected entry points. Specifically, all four identified AJAX handlers lack authentication checks, which presents a substantial risk. Any user, authenticated or not, could potentially trigger these handlers, leading to unintended actions or information disclosure if they are not properly secured within the application logic. The complete absence of capability checks further exacerbates this issue, as even non-privileged users could exploit these unprotected AJAX endpoints. Furthermore, the plugin performs SQL queries without utilizing prepared statements, increasing the risk of SQL injection vulnerabilities. While there is no recorded vulnerability history, this lack of historical issues does not negate the significant risks identified in the static analysis. The presence of numerous unprotected entry points and insecure SQL practices are critical red flags that require immediate attention. The plugin's static analysis also reveals a moderate percentage of improperly escaped output, which could lead to cross-site scripting (XSS) vulnerabilities if user-supplied data is not handled carefully.