AADMY – Add Auto Date Month Year Into Posts Security & Risk Analysis

The plugin "auto-date-year-month" v2.0.5 exhibits a mixed security posture. On the positive side, the static analysis reveals no dangerous functions, no SQL queries executed without prepared statements, and no file operations or external HTTP requests, which are excellent indicators of secure coding practices in these areas. The absence of taint analysis findings further suggests no immediately apparent critical vulnerabilities in data flow. However, a significant concern is the low percentage of properly escaped output (26%), indicating a high risk of Cross-Site Scripting (XSS) vulnerabilities. Furthermore, the complete lack of nonce checks and capability checks on its 25 shortcodes presents a substantial attack surface for potential unauthorized actions or information disclosure if the shortcodes have any sensitive functionality. The vulnerability history, including one previously reported high-severity vulnerability of Code Injection, and the fact that a vulnerability was disclosed as recently as October 2024, suggests a pattern of security weaknesses that require careful attention. While the plugin has strengths in avoiding common pitfalls like raw SQL and dangerous functions, the output escaping and lack of authorization checks on shortcodes are critical areas of concern.

In conclusion, while the plugin demonstrates good practices in database interactions and avoidance of known dangerous functions, the significant weakness in output escaping and the lack of robust authorization mechanisms for its shortcodes pose considerable security risks. The historical vulnerability for code injection and the recent disclosure date are also red flags. Users should be cautious, and the developers should prioritize addressing the output escaping and authorization for shortcodes to improve the plugin's overall security posture.