WP Hide Post — Hide Posts, Pages, Custom Post Types, and Control Products Visibility for WooCommerce Security & Risk Analysis

The "wp-post-hide" v2.0.2 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices in SQL query handling, with 100% of queries using prepared statements, and robust output escaping, with all outputs properly escaped. The absence of file operations and the presence of nonce checks on some entry points are also encouraging signs. However, a significant concern arises from the attack surface. With three total entry points, two of which lack authentication checks, this leaves potential avenues for unauthorized actions. While taint analysis shows no critical or high severity flows, the unprotected AJAX handlers represent a notable risk that could be exploited if not properly secured. The vulnerability history indicates a past medium-severity Cross-Site Request Forgery (CSRF) vulnerability, though it is currently unpatched. This suggests that while the developers have addressed past issues, the potential for similar vulnerabilities or other types of exploits remains a consideration. Overall, the plugin has strengths in secure coding practices for database and output handling, but the unprotected AJAX handlers and historical vulnerability warrant careful attention.