Custom Post Type to Map Store Security & Risk Analysis

The "cpt-to-map-store" plugin v1.1.0 exhibits a mixed security posture. On one hand, the static analysis shows no identified entry points (AJAX, REST API, shortcodes, cron events) that are directly exposed without authentication or permission checks, which is a positive sign. Furthermore, all SQL queries are properly prepared, and there are no file operations or external HTTP requests, reducing common attack vectors. However, the presence of the `unserialize` function is a significant concern, as it can lead to Remote Code Execution (RCE) if an attacker can control the serialized data. The lack of nonce checks and capability checks further exacerbates this risk, as there are no mechanisms to verify user intent or authorization before potentially dangerous operations are executed.

The vulnerability history reveals a past medium severity CVE, specifically a Cross-Site Request Forgery (CSRF). The fact that this vulnerability is currently unpatched is a critical red flag, indicating an ongoing risk that has not been addressed by the developer. This pattern of past vulnerabilities, coupled with the current unpatched issue, suggests a potential lack of ongoing security maintenance and a tendency for vulnerabilities to remain unresolved, which is a concerning indicator for future security. While the attack surface appears limited and some good coding practices are present, the `unserialize` function in conjunction with missing security checks and an unpatched CVE presents a tangible risk to users of this plugin.