Vimeotheque – Vimeo WordPress Plugin & Video Gallery Security & Risk Analysis

The static analysis of codeflavors-vimeo-video-post-lite v2.3.6.1 indicates a relatively low attack surface, with no identified AJAX handlers, REST API routes, shortcodes, or cron events that are accessible without authentication. Furthermore, no dangerous functions, SQL queries susceptible to injection, or file operations were detected. The presence of a bundled TinyMCE library is noted, which is a common and generally safe component. However, a significant concern arises from the output escaping, where only 69% of outputs are properly escaped. This suggests a potential for cross-site scripting vulnerabilities if user-supplied data is not adequately sanitized before being displayed.

The vulnerability history is more concerning. The plugin has a history of three medium-severity vulnerabilities, including Cross-Site Request Forgery (CSRF), SQL Injection, and Cross-Site Scripting (XSS). While there are currently no unpatched CVEs, the recurring types of vulnerabilities indicate a pattern of weaknesses in input validation and output sanitization. The presence of these past vulnerabilities, even if patched, points to areas where the developers have historically struggled to implement robust security measures. The last vulnerability being in December 2025 is a typo and should be interpreted as the last known vulnerability date.

In conclusion, while the current version of the plugin exhibits a small attack surface and good practices regarding SQL queries, the insufficient output escaping in the static analysis and the history of XSS, CSRF, and SQL injection vulnerabilities raise significant security concerns. Users should be cautious due to the potential for XSS and the historical susceptibility to other critical web attack vectors. The absence of identified critical or high-severity taint flows is a positive sign, but it does not fully mitigate the risks highlighted by the output escaping percentage and past vulnerability patterns.