Event Espresso – Custom Email Template Shortcode Security & Risk Analysis

The "email-shortcode" plugin version 1.0.0 exhibits a mixed security posture. On the positive side, it demonstrates good practices by utilizing prepared statements for all SQL queries and avoiding file operations and external HTTP requests. The presence of nonce checks and a low number of total entry points are also encouraging signs. However, the static analysis reveals that 29% of output operations are not properly escaped, which presents a potential Cross-Site Scripting (XSS) risk. Furthermore, the absence of capability checks on any entry points means that if any were discovered, they could be accessed by any user. The vulnerability history is a significant concern, with one unpatched medium-severity CVE related to XSS. The fact that the last vulnerability was in the near future (2025) and is still unpatched strongly suggests that the plugin is not actively maintained or that the developer is not addressing known security flaws promptly. While the code itself has some strengths, the unpatched vulnerability and the potential for unescaped output create a notable risk that requires immediate attention.