WhyDonate – FREE Donate button – Crowdfunding – Fundraising Security & Risk Analysis

The "wp-whydonate" plugin v4.0.17 exhibits a mixed security posture. On the positive side, the static analysis reveals a strong adherence to WordPress security best practices. All identified AJAX handlers, REST API routes, and the single shortcode are protected by authentication and capability checks, indicating a well-secured attack surface. The plugin also utilizes prepared statements for a significant majority of its SQL queries and has a reasonable rate of output escaping, mitigating common injection vulnerabilities. Furthermore, there are no critical or high-severity taint flows identified, and no dangerous functions are present, which are excellent indicators of secure coding practices.

However, the plugin's vulnerability history presents a significant concern. The presence of three previously disclosed medium-severity vulnerabilities, specifically related to Missing Authorization and Cross-Site Request Forgery (CSRF), suggests a recurring pattern of insecure implementation. The fact that the last vulnerability was recorded in October 2025, and there are currently no unpatched vulnerabilities, is a positive sign, but the historical pattern cannot be ignored. This history, coupled with the fact that 39% of SQL queries are not using prepared statements and only 61% of outputs are properly escaped, indicates areas where developer attention to detail might be inconsistent. While the current version might be clean, the historical context warrants vigilance.

In conclusion, "wp-whydonate" v4.0.17 has a solid technical foundation in terms of its current attack surface and code signals. The robust use of nonces and capability checks is commendable. Nevertheless, the persistent history of medium-severity vulnerabilities, particularly those related to authorization and CSRF, remains a notable weakness. Users should be aware of this historical pattern and ensure the plugin is always updated to the latest version as soon as it becomes available to mitigate risks stemming from past vulnerabilities. The slight increase in non-prepared SQL queries and less-than-perfect output escaping also represent minor but persistent areas for improvement.