
Bg Church Memos Security & Risk Analysis
wordpress.org/plugins/bg-church-memos
Orthodox church memos on your site.
Is Bg Church Memos Safe to Use in 2026?
Use With Caution
Score 63/100
Bg Church Memos has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.
The "bg-church-memos" plugin v1.1 exhibits a mixed security posture. On the positive side, it demonstrates good practices by having no detected dangerous functions, all SQL queries utilizing prepared statements, and no file operations or external HTTP requests. Furthermore, the attack surface is minimal, with only one shortcode and no AJAX handlers or REST API routes to consider. However, significant concerns arise from the lack of output escaping and the absence of nonce and capability checks. The fact that 0% of outputs are properly escaped is a critical vulnerability, as it leaves the plugin highly susceptible to Cross-Site Scripting (XSS) attacks.
The vulnerability history for this plugin is a major red flag. With one known CVE, and critically, one currently unpatched medium severity vulnerability related to XSS, the plugin's maintainers have demonstrated a failure to address known security flaws promptly. The last vulnerability being so recent (2025-09-22) suggests ongoing issues or a lack of proactive security maintenance. While the static analysis shows no *new* critical taint flows or unsanitized paths, the existing unpatched vulnerability, combined with the lack of output escaping, creates a high-risk environment.
In conclusion, while the plugin avoids certain common pitfalls like raw SQL and dangerous functions, the critical flaw of unescaped output and the existence of an unpatched XSS vulnerability severely undermine its security. The lack of comprehensive capability and nonce checks on its single entry point (shortcode) further exacerbates the risk. Users should consider this plugin a high risk due to the unpatched vulnerability and inherent XSS potential, until these issues are addressed.
Key Concerns
- Unpatched Medium CVE
- 0% Output Escaping
- 0 Capability Checks
- 0 Nonce Checks
Bg Church Memos Security Vulnerabilities
CVEs by Year
Severity Breakdown
1 total CVE
Bg Church Memos <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Bg Church Memos Release Timeline
Bg Church Memos Code Analysis
Output Escaping
Bg Church Memos Attack Surface
Shortcodes 1
WordPress Hooks 1
Bg Church Memos Maintenance & Trust
Maintenance Signals
Community Trust
Bg Church Memos Alternatives
Daily Bible Verse
daily-bible-verse
This plugin lets you add a Bible Verse of the Day widget to your WordPress page.
Bible Daily Reading Plan
esolleso-daily-bible-reading-plan
A comprehensive one-year Bible reading plan plugin for WordPress that helps users read through the entire Bible systematically.
GodInterest Share Button
godinterest-share-button
Add a "Share to Godinterest" button to your site and get your visitors to start sharing your awesome content!
PrimeBible Verse Preview
primebible
Automatically detects Bible references and displays beautiful verse previews on hover or tap. Mobile-optimized, fast, and fully customizable.
Bg Church Memos Developer Profile
7 plugins · 1K total installs
How We Detect Bg Church Memos
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
/wp-content/plugins/bg-church-memos/notes.html
HTML / DOM Fingerprints
- memos_button
- Блок загрузки плагина
- Запрет прямого запуска скрипта
- Функции запуска плагина
- Регистрируем шорт-код memos
- +1 more
- onClick='memos_button()'
- memos_button
- <button class='memos_button' onClick='memos_button();'>Записки в храм</button>