Events Calendar Plus Security & Risk Analysis

The "events-calendar-plus" v1.0.13 plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices in several areas, including a high percentage of properly escaped outputs and a substantial portion of SQL queries utilizing prepared statements. The absence of any recorded vulnerabilities (CVEs) and taint analysis indicating no critical or high severity issues suggests a generally well-maintained codebase. Furthermore, the plugin does not rely on bundled libraries, which can often become outdated and introduce vulnerabilities.

However, there are significant security concerns stemming from the attack surface. The plugin exposes three AJAX handlers that lack authentication checks. This is a critical weakness, as it allows any unauthenticated user to potentially interact with these handlers, leading to unintended actions or information disclosure if the handlers perform sensitive operations. The presence of unprotected entry points on this scale warrants careful attention. While the plugin does incorporate some capability checks and nonce checks, their absence on all AJAX handlers leaves a substantial gap.

In conclusion, while the plugin benefits from a clean vulnerability history and good coding practices in output escaping and SQL sanitization, the unprotected AJAX handlers represent a serious risk. This plugin would be considered moderately secure but with a significant, exploitable flaw that needs immediate remediation.