Gutenberg Blocks – ACF Blocks Suite Security & Risk Analysis

The 'acf-blocks' plugin v2.6.11 exhibits a mixed security posture. On the positive side, the static analysis reveals a notably small attack surface with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are exposed without authentication. Furthermore, all SQL queries are properly prepared, indicating good database interaction practices. However, a significant concern arises from the low percentage of properly escaped output (13%), suggesting a high potential for Cross-Site Scripting (XSS) vulnerabilities, especially given the plugin's historical vulnerability types. The absence of nonce and capability checks on entry points, while currently not directly exploitable due to the limited attack surface, represents a missed security control that could become problematic if new entry points are introduced without proper validation. The plugin's vulnerability history includes a medium severity CVE related to XSS, which is currently unpatched. This pattern, combined with the output escaping issues, points to a recurring weakness in sanitizing user-provided data before it's displayed, posing a tangible risk to users. While the plugin has strengths in its limited attack surface and secure SQL handling, the prevalent output escaping deficiency and the presence of an unpatched XSS vulnerability demand immediate attention.