Easy Google Maps Security & Risk Analysis

The plugin 'google-maps-easy' v1.11.24 presents a mixed security posture. While the static analysis reveals a remarkably small attack surface with no apparent direct entry points like AJAX handlers, REST API routes, or shortcodes lacking authentication, several concerning code signals warrant attention. The presence of the `unserialize` function is a significant red flag, as it can lead to object injection vulnerabilities if not handled with extreme care and sanitization of user-supplied data. Furthermore, the code exhibits a moderate level of insecurity regarding SQL query preparedness and output escaping, with a substantial portion of SQL queries not utilizing prepared statements and a notable percentage of outputs not being properly escaped. These oversights, while not directly flagged as critical by taint analysis in this version, could potentially be exploited if coupled with other weaknesses.

The plugin's vulnerability history is a major concern. A total of 7 known CVEs, all of which are currently unpatched according to the data, indicate a pattern of security flaws. The prevalence of medium-severity vulnerabilities, particularly those related to XML External Entity (XXE) references, Cross-Site Request Forgery (CSRF), and Cross-Site Scripting (XSS), suggests recurring weaknesses in input validation and output sanitization that have been exploited in the past. The fact that the last vulnerability was recorded in April 2025 further underscores the ongoing nature of these issues. While the current version has no *currently* unpatched CVEs from the historical data, the persistent nature of past vulnerabilities and the identified code signals like `unserialize` and less-than-ideal SQL/output handling indicate potential for future exploitable issues.

In conclusion, 'google-maps-easy' v1.11.24 has a positive aspect in its limited attack surface. However, this is overshadowed by the significant risks posed by the `unserialize` function and the historical pattern of medium-severity vulnerabilities including XXE, CSRF, and XSS. The moderate percentage of non-prepared SQL statements and unescaped outputs further contribute to the overall risk. Users should exercise caution, especially considering the plugin's history of security flaws, and prioritize updates and vigilant monitoring.