
Gallery Widget Security & Risk Analysis
wordpress.org/plugins/gallery-widget
Simple widget to show the latest/random images of the WordPress media library as a Widget, using a shortcode or directly with a PHP function.
Is Gallery Widget Safe to Use in 2026?
Use With Caution
Score 63/100
Gallery Widget has 1 unpatched vulnerability. Evaluate alternatives or apply available mitigations.
The 'gallery-widget' plugin version 1.2.1 exhibits a mixed security posture. On the positive side, static analysis finds no entry points that lack authentication checks, and all identified SQL queries use prepared statements, a strong indicator against SQL injection arising from direct query construction. The absence of external HTTP requests and file operations further limits the plugin's ability to interact with the broader environment in potentially insecure ways. Several concerning signals are present, however. The use of `create_function` is a significant red flag: it evaluates its string arguments as PHP code, so any user-supplied input reaching those arguments would lead to code execution (the function is also deprecated since PHP 7.2 and removed in PHP 8.0), though the current taint analysis does not indicate any immediate exploitation of this. A substantial concern is the low percentage of properly escaped output (23%), which suggests a high likelihood of Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into pages where the widget is displayed. Furthermore, the complete absence of nonce checks and capability checks on its entry points means that any authenticated user could potentially trigger plugin actions without proper authorization validation.
The plugin's vulnerability history is particularly worrying. It has a known medium-severity CVE, which is currently unpatched. The fact that the last vulnerability was dated 2025-07-04 and is still unpatched indicates a lack of ongoing maintenance and a significant risk of exploitation. The historical pattern of SQL injection vulnerabilities, even if addressed in current queries, suggests that developers may not have a robust understanding of secure coding practices for database interactions. Overall, while the plugin has strengths in its handling of SQL and its limited attack surface, the combination of unescaped output, missing authorization checks, the dangerous `create_function`, and a currently unpatched CVE makes it a significant security risk.
Key Concerns
- Unpatched CVE
- Low output escaping percentage
- Dangerous function: `create_function`
- Missing nonce checks
- Missing capability checks
Gallery Widget Security Vulnerabilities
CVEs by Year / Severity Breakdown: 1 total CVE
- Gallery Widget <= 1.2.1 - Authenticated (Contributor+) SQL Injection
Gallery Widget Code Analysis
- Dangerous Functions Found: `create_function`
- SQL Query Safety: all identified queries use prepared statements
- Output Escaping: 23% of output properly escaped
- Data Flow Analysis: taint analysis indicates no immediate exploitation path
Gallery Widget Attack Surface
- Shortcodes: 2
- WordPress Hooks: 2
Gallery Widget Maintenance & Trust
Maintenance Signals
Community Trust
Gallery Widget Alternatives
- Featured Image Gallery Widget (featured-image-gallery-widget): Widget areas are great opportunities to stimulate content discovery on your site. The featured image gallery widget makes this process visual, automat …
- Nowy Widget for WordPress (nowy-widget): The Nowy Widget plugin allows you to create, manage, edit, and customize new Nowy app social content posts gallery layout.
- Lightbox with PhotoSwipe (lightbox-photoswipe): Integration of PhotoSwipe (http://photoswipe.com) for WordPress.
- Meks Easy Photo Feed Widget (meks-easy-instagram-widget): Easily display Instagram photos as a widget that looks good in (almost) any WordPress theme.
- Simple Image Widget (simple-image-widget): A simple widget that makes it a breeze to add images to your sidebars.
Gallery Widget Developer Profile
2 plugins · 510 total installs
How We Detect Gallery Widget
Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
Asset Fingerprints
- /wp-content/plugins/gallery-widget/gallery-widget.php
- gallery-widget/gallery-widget.php?ver=
HTML / DOM Fingerprints
- [getGWImages
- [getGWImages2