Include Mastodon Feed Security & Risk Analysis

The "include-mastodon-feed" plugin v2.1.0 exhibits a mixed security posture. On the positive side, it demonstrates good practices by avoiding dangerous functions, using prepared statements for all SQL queries, and generally performing good output escaping (83%). It also has no unpatched CVEs, which is encouraging. However, there are significant areas of concern. The plugin has a total of 2 entry points, with 1 being unprotected, specifically a REST API route without a permission callback. This unprotected endpoint represents a potential attack vector. The lack of any nonce checks and capability checks across the codebase further exacerbates this risk, as it implies that potentially sensitive operations or data exposure could occur without proper authorization. While taint analysis did not reveal any issues in this specific scan, the presence of 2 past medium severity Cross-Site Scripting (XSS) vulnerabilities, with the last one reported in early 2025, suggests a recurring pattern of input sanitization or output escaping deficiencies. The plugin also makes external HTTP requests, which, without clear sanitization and validation of the returned data, could pose a risk if the external resource is compromised or malicious. In conclusion, while the plugin has some solid security foundations, the unprotected REST API endpoint, absence of critical security checks like nonces and capability checks, and past XSS vulnerabilities necessitate caution and further investigation.