bxSlider integration for WordPress Security & Risk Analysis

The bxslider-integration plugin v1.7.2 exhibits a mixed security posture. On the positive side, it demonstrates good practices by not utilizing dangerous functions, performing all SQL queries using prepared statements, and having no file operations or external HTTP requests. The absence of critical or high severity taint flows is also encouraging. However, several areas raise significant concerns. The plugin's output escaping is only 39% proper, indicating a substantial risk of cross-site scripting (XSS) vulnerabilities, which is further corroborated by its vulnerability history. The lack of nonce checks and capability checks across its entry points, especially with five shortcodes, presents an attack surface that could be exploited without proper authentication or authorization. The presence of one unpatched medium severity CVE, last reported in August 2025, specifically for XSS, directly aligns with the concerns raised by the poor output escaping, suggesting a persistent or recurring vulnerability that has not been addressed.

While the plugin avoids certain common pitfalls like raw SQL or dangerous functions, the insufficient output escaping and the unpatched CVE are critical weaknesses. The vulnerability history strongly suggests that XSS is a recurring issue for this plugin, and the static analysis indicates a potential underlying cause in how output is handled. The lack of nonce and capability checks on its entry points, coupled with a medium severity XSS vulnerability that remains unpatched, makes this plugin a moderate to high risk for sites that do not implement compensatory security controls or ensure it is updated immediately upon a patch release. The absence of critical taint flows is a positive sign, but it doesn't negate the explicit risks identified through output sanitization and historical CVEs.