Events Calendar for Google Security & Risk Analysis

The 'events-calendar-for-google' plugin version 3.2.2 exhibits a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface. A substantial portion of its entry points, specifically 4 out of 5, are not protected by authentication checks. This makes them highly susceptible to unauthorized access and manipulation, especially given the presence of AJAX handlers without authorization.

The vulnerability history reveals a past high-severity CVE related to 'PHP Remote File Inclusion,' which is a critical vulnerability type. Although this vulnerability is currently patched and no unpatched CVEs are present, the nature of the past vulnerability is concerning. The lack of taint analysis data, while potentially indicating no critical flows were found, also means there might be undetected vulnerabilities. The presence of external HTTP requests and only one nonce check also warrants attention. Overall, the plugin has strengths in data handling but significant weaknesses in access control for its entry points, compounded by past critical vulnerability patterns.