WP Video Enhanced Security & Risk Analysis

The wp-video-enhanced plugin v1.3.0 exhibits several concerning security practices despite having no recorded historical vulnerabilities. The primary areas of risk stem from its "attack surface" analysis, which reveals two AJAX handlers with no authentication checks. This means any unauthenticated user could potentially interact with these handlers, leading to an open door for malicious activity if the functionality they trigger is sensitive.

The "code signals" section further amplifies these concerns. The presence of dangerous functions like `create_function` and `unserialize` are significant red flags. `create_function` is deprecated and can lead to code injection if not handled with extreme care, while `unserialize` is notoriously prone to object injection vulnerabilities when processing untrusted input. The low percentage of properly escaped output (55%) indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the site.

While the plugin demonstrates good practices in using prepared statements for SQL queries and has no external HTTP requests, these strengths are overshadowed by the critical weaknesses in authentication, input sanitization, and output escaping. The lack of any recorded CVEs in its history might suggest either infrequent targeting or a fortunate lack of exploitation. However, given the identified code flaws, this plugin should be treated with caution and ideally updated or replaced with a more secure alternative.