WP-Whoami Security & Risk Analysis

The wp-whoami v0.4 plugin presents a mixed security picture. On one hand, the static analysis indicates a very small attack surface, with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are directly exposed or lack authentication checks. Furthermore, all SQL queries are correctly implemented using prepared statements, and there are no file operations or external HTTP requests, which significantly reduces common attack vectors. The absence of known vulnerabilities in its history is also a positive sign.

However, significant concerns arise from the code analysis. The presence of the `create_function` is a critical security anti-pattern in PHP, as it can lead to arbitrary code execution if its arguments are not rigorously sanitized. Additionally, the extremely low percentage (13%) of properly escaped outputs indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the site's output.

Given the absence of known CVEs, the plugin appears to have been relatively stable. However, the identified code signals, particularly `create_function` and the poor output escaping, represent substantial security weaknesses that could be exploited by attackers. The plugin's strengths lie in its limited attack surface and secure database interactions, but these are overshadowed by the potential for code execution and XSS due to insecure coding practices.