Kalendář / Calendar Security & Risk Analysis

The static analysis of the 'kalendar-cz' v2.0 plugin reveals a concerning security posture, despite the absence of identified vulnerabilities in its history. The plugin exhibits several poor coding practices that significantly increase its risk profile. Notably, 100% of its SQL queries are executed without prepared statements, a critical oversight that exposes the plugin to SQL injection vulnerabilities. Furthermore, 100% of its outputs are not properly escaped, creating a high risk of Cross-Site Scripting (XSS) attacks. The presence of file operations without explicit mention of sanitization or authorization checks also warrants caution.

The plugin's attack surface appears minimal with zero identified entry points (AJAX handlers, REST API routes, shortcodes, cron events). However, this is overshadowed by the poor code quality observed in SQL execution and output handling. The complete lack of vulnerability history, while seemingly positive, could also indicate a lack of rigorous security auditing or a limited adoption, rather than a true absence of flaws. The plugin's strengths lie in its seemingly small attack surface and lack of external HTTP requests or bundled libraries. However, the significant weaknesses in secure coding practices for database interaction and output sanitization present substantial and immediate risks to any WordPress site using this plugin.