Advanced Custom Fields – Widget Relationship Field add-on Security & Risk Analysis

The advanced-custom-fields-widget-relationship-field-add-on plugin v1.3.4 exhibits a generally strong security posture based on the static analysis. The absence of dangerous functions, SQL injection vulnerabilities (all queries use prepared statements), and file operations is commendable. Furthermore, the plugin correctly implements nonce checks and avoids external HTTP requests, minimizing common attack vectors. The attack surface, while present with two AJAX handlers, is reported as having no unprotected entry points, which is a significant positive signal.

However, a primary concern arises from the output escaping analysis. With 33% of outputs properly escaped out of 12 total, this indicates that a significant portion (67%) of the plugin's output might be vulnerable to cross-site scripting (XSS) attacks. While taint analysis shows no unsanitized paths, the lack of robust output sanitization on nearly all observed outputs is a notable weakness. The vulnerability history being clear of any known CVEs is a positive indicator, suggesting a history of responsible development, but it doesn't mitigate the potential for undiscovered vulnerabilities, especially in the identified output escaping gaps.

In conclusion, the plugin demonstrates good development practices in areas like SQL handling and authentication. The absence of historical vulnerabilities is a strong point. Nevertheless, the widespread issue with output escaping presents a clear and present risk of XSS vulnerabilities that needs to be addressed to consider the plugin truly secure.