Kolossum – cdnJS for WordPress Security & Risk Analysis

The wpcdnkoloss v0.5 plugin exhibits a mixed security posture. On the positive side, it has a relatively small attack surface with all identified entry points having nonce checks, and there are no known vulnerabilities or CVEs recorded. This suggests a potential awareness of security practices in terms of external threats and common exploits.

However, significant concerns arise from the static code analysis. The complete absence of capability checks for AJAX handlers is a major vulnerability, as it implies that any authenticated user, regardless of their role, could potentially trigger these handlers. Furthermore, the fact that 100% of SQL queries are not using prepared statements is a critical risk, opening the door to SQL injection attacks. The high percentage of improperly escaped output also suggests a risk of Cross-Site Scripting (XSS) vulnerabilities.

While the plugin's vulnerability history is clean, this can be misleading if the code analysis reveals inherent weaknesses. The lack of capability checks and unprepared SQL queries represent foundational security flaws that are more concerning than a lack of recorded past exploits. The absence of taint analysis issues with sanitization is a positive sign, but it does not negate the direct code vulnerabilities identified.