WP Delete User Accounts Security & Risk Analysis

The "wp-delete-user-accounts" plugin version 1.2.4 exhibits a mixed security posture. On the positive side, static analysis indicates good development practices with all SQL queries using prepared statements, all output being properly escaped, and the presence of nonce and capability checks on its entry points. There are no detected dangerous functions, file operations, or external HTTP requests, and the attack surface through AJAX and shortcodes appears to be protected by authentication checks.

However, the plugin's vulnerability history is a significant concern. With a total of two known CVEs, one of which remains unpatched, and both being of medium severity related to Cross-Site Scripting (XSS), this indicates a recurring pattern of input sanitization or output escaping issues. The fact that a vulnerability was recently discovered (2025-09-22) and is still unpatched suggests a potential for exploitation.

In conclusion, while the current code analysis reveals a solid adherence to secure coding principles for the analyzed version, the historical context of unpatched vulnerabilities, particularly XSS, poses a considerable risk. Users of this plugin should be aware of the past security incidents and the implications of an unpatched vulnerability, even if the immediate code analysis appears clean.