Greenhouse Job Board Security & Risk Analysis

The "greenhouse-job-board" plugin v2.7.3 exhibits a mixed security posture. While it demonstrates good practices in SQL query handling with 100% prepared statements and has no reported dangerous functions or file operations, several concerning aspects emerge from the static analysis and vulnerability history. The complete lack of output escaping for all identified outputs is a significant vulnerability, exposing users to potential Cross-Site Scripting (XSS) attacks. Furthermore, the presence of external HTTP requests without clear indication of their security implications warrants caution.

The vulnerability history is particularly concerning, with one unpatched medium severity CVE related to XSS, which aligns with the output escaping issues identified in the static analysis. The fact that this vulnerability is dated in the future (2025) might indicate a placeholder or an error in the provided data, but it still signifies a known past exploit. The limited attack surface (one shortcode) is a positive, but its lack of protection, including absence of nonce and capability checks, means that the single entry point could be exploited.

In conclusion, despite some positive security practices, the "greenhouse-job-board" plugin has critical weaknesses, primarily concerning unescaped output and an unpatched XSS vulnerability. The lack of robust input validation and authorization checks on its limited attack surface amplifies these risks. Organizations using this plugin should prioritize addressing the XSS and output escaping issues.