WPS Visitor Counter Security & Risk Analysis

The wps-visitor-counter plugin v1.4.9 exhibits a mixed security posture. On the positive side, the plugin demonstrates strong adherence to secure coding practices by exclusively using prepared statements for all SQL queries and implementing capability checks for its entry points. There are no detected dangerous functions, file operations, or external HTTP requests, which significantly reduces the potential for common web vulnerabilities. The output escaping is also generally good, with 83% of outputs properly escaped.

However, the static analysis reveals a critical taint flow with an unsanitized path, indicating a potential for high-severity vulnerabilities like cross-site scripting (XSS) or arbitrary file read/write, despite the absence of documented critical or high vulnerabilities in its history. The presence of one unpatched medium severity vulnerability from November 21, 2025, specifically an XSS, is a significant concern. While the vulnerability history shows only one medium CVE, the fact that it remains unpatched and the taint analysis identifying a critical issue warrants caution. This suggests that although the developers have implemented several security best practices, there might be overlooked vulnerabilities or inadequate sanitization in specific code paths.

In conclusion, while wps-visitor-counter has strengths in its use of prepared statements and capability checks, the identified critical taint flow and the unpatched medium XSS vulnerability represent notable weaknesses. These issues, coupled with the fact that there is only one documented CVE but a concerning taint analysis result, suggest that the plugin's security is not entirely robust and requires immediate attention to address the identified risks.