CC BMI Calculator Security & Risk Analysis

The cc-bmi-calculator plugin v2.1.1 exhibits a mixed security posture. On the positive side, the code analysis reveals no dangerous functions, all SQL queries utilize prepared statements, and there are no file operations or external HTTP requests. The absence of critical or high-severity taint flows is also a good indicator. However, there are significant areas of concern. A substantial 72% of output is not properly escaped, representing a high risk of Cross-Site Scripting (XSS) vulnerabilities. Additionally, the plugin has a history of two medium-severity CVEs, both related to XSS, with the most recent vulnerability recorded in May 2025, indicating a recurring pattern of input sanitization weaknesses. While no unpatched vulnerabilities are currently listed, the past issues combined with the output escaping shortcomings suggest a propensity for XSS flaws that may not have been fully addressed in the current version's sanitization practices. The presence of only one shortcode with no apparent capability checks or nonce checks, while not a large attack surface, becomes a potential entry point if the associated output is indeed vulnerable.