Findings
This plugin is small (<2k slocs) and well structured. Although it uses classes, it is mostly not written in an object-oriented style, and the main file is overly long (>2k locs).
SQL statements are prepared and data is both sanitised and escaped. Sorting parameters are validated against an allow-list.
Capabilities are checked before admin actions are performed, but in the “bulk delete” operation the code does not validate a nonce. Potentially an attacker could trick a logged-in administrator into deleting heatmap data, but given the nature of the data and the fact that it is stored in its own database tables, the risk of this seems low.
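How the missing check would be closed, as an added example that is not the plugin's own code: an admin bulk-delete handler that verifies the nonce with check_admin_referer() in addition to the capability check, then runs a prepared query. Function, action, capability and table names are hypothetical.

```php
<?php
// Added example (not the plugin's code): a hardened "bulk delete" handler for a
// WordPress admin action. Function, action, capability and table names are hypothetical.

// Render the form: wp_nonce_field() embeds a nonce tied to the action name.
function hm_example_render_bulk_delete_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="hm_example_bulk_delete">';
    wp_nonce_field( 'hm_example_bulk_delete' );            // emits hidden field _wpnonce
    echo '<input type="text" name="page_url" value="">';
    submit_button( 'Delete heatmap data' );
    echo '</form>';
}

// Handle the submission: capability check AND nonce check, then a prepared DELETE.
function hm_example_handle_bulk_delete() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() unless _wpnonce is valid for this action,
    // so a request forged from another site never reaches the delete below.
    check_admin_referer( 'hm_example_bulk_delete' );

    global $wpdb;
    $table = $wpdb->prefix . 'hm_example_heatmap';        // hypothetical table name
    $url   = isset( $_POST['page_url'] ) ? sanitize_text_field( wp_unslash( $_POST['page_url'] ) ) : '';
    if ( '' === $url ) {
        wp_die( 'Missing page_url.', '', array( 'response' => 400 ) );
    }
    $wpdb->query( $wpdb->prepare( "DELETE FROM {$table} WHERE page_url = %s", $url ) );

    wp_safe_redirect( admin_url( 'admin.php?page=hm_example&deleted=1' ) );
    exit;
}
add_action( 'admin_post_hm_example_bulk_delete', 'hm_example_handle_bulk_delete' );
```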
Reason for the 'Use with caution' result
The plugin has been given this recommendation at the tester's discretion:
Use with caution due to lack of nonce validation on some admin actions.