Add infos to The Events Calendar Security & Risk Analysis

The 'add-infos-to-the-events-calendar' plugin version 1.5.2 exhibits a generally good security posture with several strengths. The absence of dangerous functions, SQL queries without prepared statements, file operations, and external HTTP requests is commendable. Furthermore, the plugin has no known unpatched vulnerabilities, and the single past medium severity vulnerability was addressed. The limited attack surface, consisting of one shortcode with no direct indication of being unprotected, also contributes positively to its security.

However, there are areas for improvement. A significant concern is the output escaping, where only 65% of outputs are properly escaped. This leaves a considerable portion of user-generated or dynamically generated content potentially vulnerable to Cross-Site Scripting (XSS) attacks. While taint analysis shows no current critical or high severity flows, the incomplete output escaping means that even minor XSS vulnerabilities could be present and exploitable. The complete lack of nonce checks, especially for any AJAX handlers that might exist or be introduced in future updates, is another potential weakness.

In conclusion, while the plugin has taken proactive steps in secure coding practices and managing its vulnerability history, the unaddressed output escaping is a notable risk. Future development should prioritize ensuring all outputs are properly sanitized to mitigate XSS risks. The absence of nonce checks also warrants attention for robust security, particularly if the plugin interacts with the front-end through JavaScript.