EH Mortgage Calculator – Loan & Amortization Calculator Security & Risk Analysis

The eh-mortgage-calculator plugin version 3.1.1 exhibits a generally strong security posture based on the provided static analysis. The absence of dangerous functions, SQL queries executed solely via prepared statements, and a high percentage of properly escaped output are all positive indicators. Furthermore, the plugin has no recorded vulnerabilities (CVEs), suggesting a history of secure development or diligent patching by users. The limited attack surface, consisting of a single shortcode with no explicitly identified unprotected entry points, is also a positive sign.

However, the analysis does highlight a potential area for improvement. The complete lack of nonce checks across all identified entry points is a concern. While the current attack surface is small, the absence of nonces means that if any of these entry points were to become exposed or if future functionality were added without proper checks, they could be susceptible to Cross-Site Request Forgery (CSRF) attacks. The capability check is present, which is good, but it doesn't entirely mitigate the risk of CSRF without nonces.

In conclusion, eh-mortgage-calculator v3.1.1 appears to be a relatively secure plugin with a clean history and good coding practices in many areas. The primary weakness lies in the absence of nonce checks. If the plugin's functionality remains limited and no new entry points are introduced, the risk may be contained. However, for long-term security and adherence to WordPress best practices, implementing nonce checks on the shortcode is highly recommended.