WPB Category Slider for WooCommerce – Product Categories Carousel & Grid Security & Risk Analysis

The "wpb-woocommerce-category-slider" plugin v1.7.2 exhibits a mixed security posture. While the static analysis indicates a relatively small attack surface with no unprotected entry points and a high percentage of SQL queries using prepared statements, several concerning code signals and a significant vulnerability history raise red flags. The presence of the dangerous `create_function` is a known risk, and the 100% usage of prepared statements for SQL is positive, but the output escaping is not perfect at 81%, leaving room for potential cross-site scripting (XSS) vulnerabilities if sensitive data is not handled carefully. The taint analysis, however, shows no detected flows, which is a positive indicator for that specific analysis method.

The vulnerability history is a major concern. With one known high-severity CVE related to Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion), and it being currently unpatched, this presents a critical risk. The recurrence of this vulnerability type suggests a persistent coding flaw that attackers could exploit for remote code execution. The last vulnerability being in the future (2025) might be a data anomaly, but the fact that there is an unpatched high-severity CVE in the present is undeniable. While the plugin has strengths in its limited attack surface and prepared SQL statements, the unpatched RFI vulnerability severely compromises its overall security, making it a high-risk option for deployment without immediate patching or mitigation.