WP Custom Cursors | WordPress Cursor Plugin Security & Risk Analysis

The "wp-custom-cursors" plugin (v3.3) exhibits a mixed security posture. On the positive side, the static analysis reveals a well-defined attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are directly exposed without authentication. The code also demonstrates good practices regarding SQL query preparation, with 98% of queries utilizing prepared statements. Furthermore, the absence of dangerous functions, file operations, and external HTTP requests is commendable. However, several concerns emerge from the analysis. A significant portion of output (35%) is not properly escaped, which could lead to cross-site scripting vulnerabilities. The presence of only 8 nonce checks and a single capability check across the codebase, while the attack surface is technically zero in the static analysis, suggests a potential reliance on indirect security measures that might be insufficient. The plugin's vulnerability history is a major red flag. With 6 known CVEs, one of which is critical and currently unpatched, and a recent vulnerability in October 2023, the plugin has a history of significant security flaws. The common vulnerability types (SQL Injection, CSRF, XSS) align with the observed unescaped output, reinforcing the need for robust sanitization and validation. The critical unpatched CVE is a pressing issue that significantly elevates the risk associated with this plugin.