Custom Field Template Security & Risk Analysis

The "custom-field-template" plugin v2.7.7 exhibits a mixed security posture. On the positive side, the plugin demonstrates good practices by using prepared statements for all SQL queries and incorporating nonce and capability checks. The attack surface, while present with AJAX handlers and shortcodes, is reported as having no unprotected entry points, which is a significant strength. However, the static analysis reveals concerning signals, particularly the presence of a dangerous `unserialize` function without explicit safeguards mentioned, and a worrying 45% of outputs are not properly escaped, suggesting a potential for Cross-Site Scripting vulnerabilities. The taint analysis also indicates flows with unsanitized paths, though no critical or high severity issues were identified here.

The plugin's vulnerability history is a major concern. With 12 known CVEs, a significant number of which are medium severity, and one high-severity unpatched vulnerability, this indicates a pattern of past security weaknesses. The common vulnerability types, including Exposure of Sensitive Information, XSS, Missing Authorization, Deserialization, and CSRF, suggest recurring issues in input validation, authorization, and secure handling of data. The most recent vulnerability recorded in late 2025 further underscores the ongoing nature of these security challenges. While the plugin has strengths in its query handling and some authentication measures, the historical prevalence of vulnerabilities and specific code signals like unescaped output and the use of `unserialize` necessitate caution.