Gotham Block Extra Light Security & Risk Analysis

The "gotham-block-extra-light" v1.6.0 plugin presents a mixed security posture. On the positive side, the static analysis shows a very limited attack surface, with no unprotected AJAX handlers or REST API routes, and all SQL queries utilizing prepared statements. The presence of capability checks is also a good sign. However, concerns arise from the output escaping, where only 42% of outputs are properly escaped, indicating a potential for Cross-Site Scripting (XSS) vulnerabilities if user-supplied data is not handled carefully.

The vulnerability history is a significant area of concern. With two known medium-severity CVEs, specifically related to Cross-Site Scripting and Path Traversal, the plugin has a history of exploitable flaws. Although there are currently no unpatched vulnerabilities from this history, the past issues suggest a pattern of imperfect input sanitization and path handling, which aligns with the observed low percentage of properly escaped outputs. The recency of the last known vulnerability (2026-01-13) is concerning, though it might indicate an outdated vulnerability database entry rather than a current threat.

In conclusion, while the plugin demonstrates some good security practices like secure SQL usage and a small attack surface, the historical medium vulnerabilities and the high proportion of unescaped output introduce notable risks. Developers should prioritize addressing the output escaping issues to mitigate XSS risks and remain vigilant about any future vulnerabilities related to path handling.