Responsive Pricing Table Security & Risk Analysis

The static analysis of dk-pricr-responsive-pricing-table v5.1.13 reveals a mixed security posture. While the plugin demonstrates good practices in certain areas, like the absence of dangerous functions, file operations, and external HTTP requests, and all SQL queries utilize prepared statements, there are significant concerns. The output escaping is only 52% properly escaped, indicating a substantial risk of Cross-Site Scripting (XSS) vulnerabilities where user-supplied data might not be adequately neutralized before being displayed. The lack of taint analysis data is also a concern, as it prevents a deeper understanding of how data flows through the plugin and if there are any unsanitized paths, although the absence of critical/high severity flows is a positive sign.

The vulnerability history for this plugin is a major red flag. With a total of 5 known CVEs, all of which are medium severity and focused on basic XSS and input neutralization issues, it suggests a recurring pattern of insecure coding practices related to handling user-provided data. The fact that the last vulnerability was recorded in early 2026, even though the current version is 5.1.13, is highly unusual and may indicate issues with the timestamp data or potentially future vulnerabilities. The consistent history of XSS-related vulnerabilities, even if medium severity, highlights a fundamental weakness in how the plugin sanitizes and outputs data.

In conclusion, while the plugin implements some security best practices, the poor output escaping coupled with a history of numerous XSS vulnerabilities presents a significant risk. The plugin's attack surface is relatively small, and entry points are secured, but the lack of robust output sanitization is a critical flaw that could be exploited. Users should exercise extreme caution and ensure they are using the absolute latest patched version, though the provided data on patch status is confusing.