ConvertCalculator: Build Cost, Price, Quotation, ROI Interactive Calculators Security & Risk Analysis

The convertcalculator plugin v2.0.7 presents a mixed security posture. While it demonstrates good practices by using prepared statements for all SQL queries and having no observed dangerous functions, file operations, or external HTTP requests, significant concerns remain. The presence of an unprotected REST API route is a critical vulnerability, as it represents a direct entry point into the application that an attacker could exploit without authentication. The lack of nonce checks and capability checks across all entry points further exacerbates this risk, as it allows for potential unauthorized actions. Although the plugin has no currently unpatched CVEs, its history of two medium-severity Cross-Site Scripting (XSS) vulnerabilities, with the last one being recent, indicates a recurring weakness in input sanitization and output escaping, which is also reflected in the static analysis showing only 60% of outputs being properly escaped. This suggests a need for more robust sanitization and escaping mechanisms to prevent future XSS attacks.