MK Google Directions Security & Risk Analysis

The plugin "google-distance-calculator" v3.1.1 exhibits a mixed security posture. Static analysis reveals good practices in several areas, including the absence of dangerous functions, 100% use of prepared statements for SQL queries, and all detected outputs being properly escaped. The attack surface is also minimal, with only one shortcode and no unprotected entry points. However, a significant concern arises from the lack of nonce and capability checks across all entry points, despite the static analysis reporting zero unprotected entry points. This suggests a potential reliance on external checks or an oversight in the analysis itself.

The vulnerability history indicates a past medium-severity Cross-Site Scripting (XSS) vulnerability. While there are no currently unpatched CVEs, the existence of a past XSS issue, even if resolved, warrants attention and reinforces the need for robust input validation and output escaping, which the code analysis suggests is present in its current form.

In conclusion, while the current code demonstrates strong practices regarding SQL and output handling, the absence of nonce and capability checks on its entry points is a notable weakness. The past XSS vulnerability serves as a reminder of potential risks. A balanced view suggests this plugin is generally well-coded but has areas that could be strengthened to further mitigate risks, particularly concerning authentication and authorization at its entry points.