WPSQR Site Cleaner – Optimize WordPress by Removing Duplicate Posts Security & Risk Analysis

The "wpsqr-site-cleaner" plugin version 1.0.2 exhibits a concerning security posture primarily due to a large number of unprotected AJAX endpoints. With 9 AJAX handlers and none of them featuring authentication or capability checks, any unauthenticated user could potentially trigger these actions, presenting a significant attack surface. While the code signals indicate a lack of dangerous functions, file operations, and external HTTP requests, the absence of proper authorization on these entry points is a critical weakness.

The plugin's SQL query practices are moderately secure, with 73% using prepared statements, but the remaining 27% could be susceptible to SQL injection if not handled carefully. Similarly, output escaping is not consistently applied, with only 67% of outputs properly escaped, which could lead to cross-site scripting (XSS) vulnerabilities. The single nonce check is a positive sign, but its effectiveness is diminished by the lack of broader authorization on the AJAX handlers it might protect.

The vulnerability history being entirely clear, with zero known CVEs, is a strong positive indicator. This suggests that the plugin has either not been a target for vulnerability discovery or has historically been well-maintained. However, the current code analysis reveals significant weaknesses that could be exploited regardless of past history. In conclusion, while the lack of historical vulnerabilities is encouraging, the current state of the plugin, particularly its unprotected AJAX endpoints and inconsistent output escaping, poses a high risk that needs immediate attention.