WP Recently Viewed Security & Risk Analysis

The `wp-recently-viewed` plugin version 1.0 presents a generally positive security posture based on the provided static analysis and vulnerability history. The absence of AJAX handlers, REST API routes, shortcodes, cron events, and file operations significantly limits the plugin's attack surface. Furthermore, the fact that all SQL queries utilize prepared statements and there are no recorded CVEs is a strong indicator of secure development practices for this version.

However, a notable concern arises from the low percentage (13%) of properly escaped output. This suggests a potential for Cross-Site Scripting (XSS) vulnerabilities, as unsanitized output can be injected into the user's browser. The lack of nonce and capability checks, while not directly leading to specific vulnerabilities in this static analysis, indicates a missed opportunity to enforce proper authorization and integrity on potential (even if currently non-existent) entry points.

In conclusion, while `wp-recently-viewed` v1.0 benefits from a minimal attack surface and robust SQL handling, the insufficient output escaping is a significant weakness that requires attention. The absence of historical vulnerabilities is a good sign, but the current code analysis highlights a specific area that could be exploited. Developers should prioritize addressing the unescaped output to improve the plugin's overall security.