Advanced Custom Routes – Custom Endpoints for WP REST API Security & Risk Analysis

The plugin "advanced-custom-routes-custom-endpoints-for-wp-rest-api" version 0.8.0 exhibits a mixed security posture. On the positive side, the static analysis reveals no identified AJAX handlers, REST API routes, shortcodes, or cron events, resulting in a zero attack surface. Furthermore, no dangerous functions, file operations, or external HTTP requests were detected, and there are no known CVEs associated with this plugin. However, significant concerns arise from the code analysis. The single SQL query is not using prepared statements, which presents a risk of SQL injection. A substantial portion of output (83%) is not properly escaped, opening the door to Cross-Site Scripting (XSS) vulnerabilities. The taint analysis indicates two flows with unsanitized paths, though they are not classified as critical or high severity in this report. The complete absence of nonce and capability checks across all identified entry points, coupled with the lack of output escaping, are critical omissions that significantly elevate the risk profile despite the limited reported attack surface and absence of known vulnerabilities.