Event Page Plugin Security & Risk Analysis

The event-page plugin v2.7.4 exhibits a mixed security posture. On one hand, it has a very small attack surface with no apparent AJAX handlers, REST API routes, shortcodes, or cron events exposed externally. This significantly limits potential entry points for attackers. However, the code analysis reveals several concerning signals. The presence of the `create_function` function is a significant red flag, as it can lead to code execution vulnerabilities if not handled with extreme caution and strict sanitization. Furthermore, none of the SQL queries are parameterized, making them highly susceptible to SQL injection attacks. The low percentage of properly escaped output indicates a high risk of cross-site scripting (XSS) vulnerabilities across various output points.

Taint analysis also highlights critical concerns, with two flows identified as having unsanitized paths, indicating potential for sensitive data exposure or unauthorized actions. While there is no known vulnerability history for this plugin, the internal code signals suggest that vulnerabilities could exist and may have gone unnoticed or unexploited due to the limited attack surface. The plugin demonstrates some security awareness with nonce and capability checks, but these are insufficient to mitigate the risks posed by dangerous functions, raw SQL queries, and poor output escaping.

In conclusion, despite a seemingly secure external attack surface, the internal code quality presents substantial security risks. The lack of prepared statements for all SQL queries and the low rate of output escaping are major weaknesses. The `create_function` usage and unsanitized taint flows are critical concerns that require immediate attention. Users should be wary of this plugin until these issues are addressed.