Exchange Rates Widget Security & Risk Analysis

The exchange-rates-widget plugin version 1.4.1 exhibits a mixed security posture. On the positive side, the static analysis indicates good practices regarding SQL queries, which are exclusively handled by prepared statements, and a high percentage of output escaping. The absence of external HTTP requests and the limited attack surface also contribute to a generally favorable assessment. However, several concerns warrant attention. The plugin has a history of a medium severity Cross-Site Scripting (XSS) vulnerability, with the last recorded incident being quite recent (March 2024). While currently unpatched CVEs are zero, this history suggests potential for future undiscovered or re-emerging vulnerabilities, especially if input validation or output escaping practices degrade. A critical weakness is the complete lack of capability checks and nonce checks on its single entry point (a shortcode). This means any authenticated user, regardless of their role, could potentially trigger the shortcode's functionality, opening the door to privilege escalation or unintended actions if the shortcode's logic is not robustly secured against malicious input. The taint analysis shows no flows, which is good, but the lack of thorough checks on the shortcode's entry point is a significant oversight.