Subresource Integrity (SRI) Manager Security & Risk Analysis

The wp-sri plugin version 0.4.0 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and performing proper output escaping on the majority of its outputs. It also incorporates nonce and capability checks, which are fundamental security measures. However, a significant concern is the presence of an unprotected AJAX handler, which represents a direct entry point into the plugin's functionality that can be accessed without authentication. While the taint analysis shows no identified vulnerabilities, the single external HTTP request warrants careful consideration, as it could potentially be exploited if not handled securely.

The plugin's vulnerability history is a major red flag. With one known CVE, which is currently unpatched and categorized as medium severity, this indicates a recurring issue of missing authorization. The fact that the last vulnerability was dated in the near future (2025-09-22) and is related to missing authorization suggests a potential for ongoing security weaknesses in how the plugin handles user access to its features. This, combined with the unprotected AJAX handler, points to a pattern where authorization checks are being overlooked.

In conclusion, while wp-sri version 0.4.0 has some strengths in its secure coding practices regarding SQL and output handling, the presence of an unprotected AJAX endpoint and a documented history of missing authorization vulnerabilities, including a currently unpatched medium severity issue, present significant risks. The unprotected AJAX handler and the unpatched CVE are the most critical areas requiring immediate attention.