Peadig’s Google News XML Sitemap Generator Security & Risk Analysis

The "google-news-xml-sitemap-generator" v1.1 plugin presents a mixed security posture. On one hand, the static analysis indicates a very small attack surface, with no identified AJAX handlers, REST API routes, shortcodes, or cron events that could be directly exploited. The absence of dangerous functions and external HTTP requests is also a positive sign. However, the code analysis reveals significant concerns regarding data handling. All SQL queries are performed without prepared statements, and none of the detected output operations are properly escaped. This combination significantly increases the risk of SQL injection and cross-site scripting (XSS) vulnerabilities, especially if any of the data processed by these queries or outputs originates from user input. The plugin's vulnerability history is clean, with no known CVEs, which might suggest a history of good security practices or simply a lack of targeted research. Nevertheless, the identified code-level weaknesses in SQL and output handling require immediate attention, as they represent potential entry points for attackers, regardless of past vulnerability records.