Category Featured Images Security & Risk Analysis

The "category-featured-images" plugin version 1.1.8 presents a mixed security posture. On the positive side, the static analysis shows no dangerous functions, no file operations, no external HTTP requests, and all SQL queries utilize prepared statements, which are excellent security practices. The total attack surface is minimal, consisting of a single shortcode, and importantly, it appears to have no unprotected entry points. Taint analysis also revealed no vulnerabilities.

However, significant concerns arise from the vulnerability history. The plugin has one known medium-severity CVE, which is currently unpatched. This indicates a past issue related to Cross-Site Scripting (XSS), a common and impactful vulnerability type. The fact that this CVE is recent (September 2025) and unpatched is a major red flag, suggesting a lack of active maintenance or a delayed response to security advisories. Furthermore, the static analysis shows that not all output is properly escaped (63% proper escaping), which, combined with the XSS history, increases the risk of latent XSS vulnerabilities even if not immediately apparent in the taint analysis.

In conclusion, while the code itself demonstrates some good security fundamentals like prepared statements and a limited attack surface, the presence of an unpatched medium-severity CVE and incomplete output escaping significantly detract from its overall security. Users should be cautious, and developers should prioritize patching the known vulnerability and improving output escaping.