WP Users Login History Security & Risk Analysis

The wp-users-login-history plugin version 1.2 presents a moderate security risk primarily due to its unprotected AJAX endpoints. While the plugin exhibits good practices like using prepared statements for SQL queries and avoiding dangerous functions, the lack of authentication checks on all four of its AJAX handlers creates a significant attack surface. This means that any user, potentially even unauthenticated ones, could trigger these handlers, leading to unintended actions or information disclosure if vulnerabilities exist within them. The taint analysis did identify one flow with an unsanitized path, which, while not classified as critical or high severity in this analysis, warrants further investigation in conjunction with the unprotected AJAX endpoints. The absence of any recorded vulnerability history suggests a generally stable past, but this should not overshadow the immediate concerns raised by the static analysis. Overall, while the plugin has some positive security attributes, the unprotected AJAX endpoints represent a critical weakness that needs to be addressed.