Append extensions on Pages Security & Risk Analysis

The "append-extensions-on-pages" plugin v1.1.2 exhibits a mixed security posture. While the static analysis indicates a minimal attack surface with no identified dangerous functions, SQL injection vulnerabilities, or unhandled file operations, there are significant concerns. Notably, 100% of outputs are not properly escaped, presenting a strong risk of Cross-Site Scripting (XSS) vulnerabilities. This is further compounded by a known medium severity CVE related to XSS that remains unpatched, indicating a historical tendency towards this type of vulnerability and a lack of timely security patching.

The vulnerability history reveals a pattern of XSS issues, with a recent medium severity vulnerability from September 2025. This suggests that developers may not be adequately addressing input sanitization and output encoding, even when vulnerabilities are identified. The absence of nonce and capability checks across all entry points (though the entry points themselves are zero) means that if any were introduced or inadvertently created, they would be unprotected.

In conclusion, despite a seemingly small attack surface in this specific version, the lack of output escaping and the presence of an unpatched XSS vulnerability are critical weaknesses. The plugin's history points to ongoing issues with secure coding practices regarding user-generated content. Users should exercise extreme caution, and developers should prioritize addressing the unescaped output and the existing CVE.