WP Spam Comments from BlashO Security & Risk Analysis

The wp-spam-comments plugin version 1.4 presents a mixed security posture. On the positive side, it has no recorded vulnerabilities (CVEs), no critical or high severity taint flows, and doesn't utilize dangerous functions or make external HTTP requests. The absence of file operations and bundled libraries is also a good sign. However, there are significant areas of concern stemming from the static analysis. The presence of one unprotected AJAX handler is a critical security flaw, as it represents a direct entry point for potential attackers without any authentication or authorization checks. Furthermore, the low percentage of SQL queries using prepared statements (14%) and the very low percentage of properly escaped output (13%) indicate a high risk of SQL injection and cross-site scripting (XSS) vulnerabilities, respectively. The sole nonce check is insufficient given the attack surface. The vulnerability history being clear is a strength, suggesting the developers may be responsive to security issues, but this is overshadowed by the clear and present risks identified in the code analysis.