Kenta Blocks – Responsive Blocks and block templates library Security & Risk Analysis

The Kenta Blocks plugin v1.4.5 presents a mixed security profile. On one hand, the static analysis reveals strong adherence to several secure coding practices, including 100% prepared SQL statements and properly escaped output. The absence of direct file operations and external HTTP requests in the analyzed code is also positive. However, the static analysis also highlights a significant concern: zero nonce checks and zero capability checks on its entry points, despite the presence of four capability checks in total, suggesting potential areas where authorization might be overlooked or improperly implemented. Furthermore, the lack of any taint analysis results could indicate limited testing or an inability of the analysis tools to effectively trace data flows within this version.

The vulnerability history is a major area of concern. With two known CVEs, including a high and a medium severity vulnerability, the plugin has a history of critical security flaws. The common vulnerability types like Cross-site Scripting and Missing Authorization directly align with potential weaknesses identified in the static analysis. While there are currently no unpatched vulnerabilities, the recurring nature of these serious issues suggests a pattern of vulnerabilities being introduced and subsequently fixed. The most recent vulnerability being in June 2024 further underscores the ongoing security challenges.

In conclusion, while Kenta Blocks v1.4.5 demonstrates good practices in areas like SQL querying and output escaping, its security posture is significantly undermined by its vulnerability history and the apparent lack of robust authorization checks on its entry points. The past occurrences of critical vulnerabilities like XSS and Missing Authorization, coupled with the absence of nonce checks, demand cautious use and ongoing vigilance. Users should prioritize keeping the plugin updated and be aware of its historical security weaknesses.