Display post meta, term meta, comment meta, and user meta Security & Risk Analysis

The plugin "display-metadata" v1.0.0 exhibits a mixed security posture. On the positive side, the static analysis reveals a very small attack surface with no apparent direct entry points like AJAX handlers, REST API routes, or shortcodes that are unprotected. The code also demonstrates good practices by using prepared statements for all SQL queries and performing capability checks, which are crucial for access control. File operations and external HTTP requests are absent, reducing potential attack vectors. However, a significant concern is the low percentage (27%) of properly escaped output. This indicates a risk of Cross-Site Scripting (XSS) vulnerabilities where unsanitized user-supplied data could be rendered directly in the browser.

The vulnerability history is particularly concerning. The plugin has one known CVE, which is currently unpatched and classified as medium severity. The common vulnerability type listed is Cross-site Scripting, directly correlating with the findings from the output escaping analysis. The fact that this vulnerability is unpatched suggests a lack of ongoing maintenance or a failure to address known security flaws in a timely manner, making users susceptible to this exploit. While the current version might not have critical taint flows or unprotected entry points, the historical pattern of XSS vulnerabilities and the presence of an unpatched medium-severity flaw warrant caution.

In conclusion, while "display-metadata" v1.0.0 has strengths in its limited attack surface and secure SQL handling, the insufficient output escaping and the unpatched XSS vulnerability present a notable risk. Users should be aware that the plugin is susceptible to XSS attacks due to improper output handling and that a previously discovered vulnerability remains unaddressed. Continued use of this plugin without patching the known CVE is not recommended.