G Structured Data Security & Risk Analysis

The 'g-structured-data' plugin version 1.1.6 exhibits a generally positive security posture based on the provided static analysis. The absence of identified AJAX handlers, REST API routes, shortcodes, and cron events significantly limits the potential attack surface, which is a strong indicator of good security practices in design. Furthermore, the lack of critical or high-severity code signals such as dangerous functions, file operations, external HTTP requests, and the absence of taint analysis findings suggest a well-written codebase with minimal apparent vulnerabilities.

However, several areas warrant caution. The presence of a single SQL query that does not utilize prepared statements is a notable risk, as it could be susceptible to SQL injection if the input feeding this query is not rigorously sanitized. Additionally, a significant portion of output (59%) is not properly escaped, creating a risk of Cross-Site Scripting (XSS) vulnerabilities. The complete lack of nonce and capability checks across all entry points, while currently not exposed due to the limited attack surface, represents a fundamental security oversight that could become problematic if functionality is added or exposed in the future.

The plugin's vulnerability history of zero known CVEs is highly encouraging and suggests a history of robust security. This, combined with the clean taint analysis and absence of dangerous functions, paints a picture of a plugin that has historically been secure and well-maintained. Despite the identified risks in SQL usage and output escaping, the overall low risk profile, particularly given the limited attack surface and zero CVEs, suggests that while not perfect, the plugin is relatively safe for use. Addressing the unescaped output and the raw SQL query should be the priority to further enhance its security.