Calendar Plus Security & Risk Analysis

The Calendar Plus plugin v1.2.4 presents a mixed security posture. On one hand, the absence of any identified AJAX handlers, REST API routes, shortcodes, or cron events with unprotected entry points suggests a well-contained attack surface from an entry point perspective. The prevalence of prepared statements in SQL queries is also a positive sign for database security. However, significant concerns arise from the code analysis, particularly the extremely low percentage of properly escaped output (1%). This indicates a high risk of Cross-Site Scripting (XSS) vulnerabilities, where unsanitized user input could be injected into the web page. The taint analysis further reinforces this, revealing 8 flows with unsanitized paths, four of which are classified as high severity. This directly correlates with the vulnerability history, which shows a medium severity XSS vulnerability in the past. The fact that this vulnerability remains unpatched is a critical red flag, indicating a lack of ongoing maintenance and a persistent security risk for users of this plugin version. While the plugin's attack surface appears limited, the weak output escaping and unpatched historical vulnerability create a notable risk.