DICOM Support Security & Risk Analysis

The 'dicom-support' plugin v0.10.7 exhibits a mixed security posture. On the positive side, the static analysis reveals adherence to several good security practices, including 100% proper output escaping, 100% prepared statement usage for SQL queries, and no identified dangerous functions, file operations, or external HTTP requests. The attack surface is also minimal, with only one shortcode and no AJAX handlers or REST API routes found without authentication checks. Taint analysis also shows no critical or high severity flows, indicating that data is generally handled safely.

However, a significant concern arises from the vulnerability history. The plugin has a known medium severity CVE related to Cross-Site Scripting, which was last patched on March 24, 2025. While this specific vulnerability is marked as patched, the existence of an XSS vulnerability, even a medium one, suggests potential weaknesses in input sanitization or output encoding in certain contexts not fully captured by the static analysis. The absence of nonce checks and capability checks on any entry points is a notable omission, especially for the shortcode, as it leaves this entry point potentially vulnerable to unauthorized or unintended execution if malicious data is passed to it.

In conclusion, while the plugin demonstrates strong internal coding practices regarding SQL and output escaping, the historical XSS vulnerability and the lack of robust authentication checks on its single entry point are points of concern. Users should ensure they are on the latest patched version to mitigate known XSS risks and remain vigilant about any future updates that address potential authorization bypasses for the shortcode.