Bulk Datetime Change Security & Risk Analysis

The "bulk-datetime-change" plugin v1.18 exhibits a mixed security posture. On the positive side, static analysis reveals no dangerous functions, file operations, or external HTTP requests. Output escaping is fully implemented, and there are no identified taint flows, suggesting that data processed by the plugin is likely handled safely once it enters the application. The absence of shortcodes, cron events, and a significant attack surface from AJAX and REST API endpoints is also a positive indicator, reducing the overall exposure to potential attacks.

However, the plugin's vulnerability history is a notable concern. It has a recorded medium-severity CVE related to missing authorization, which was last patched in October 2021. While there are no currently unpatched vulnerabilities, the presence of past authorization issues highlights a potential weakness in how the plugin handles user permissions. The static analysis also shows a concerning lack of capability checks and nonce checks, alongside the single SQL query not using prepared statements. These oversights, particularly the absence of capability checks, directly correlate with the type of historical vulnerability found and represent a significant security gap.