Kursy walut (Exchange rates) Security & Risk Analysis

The security posture of the "kursy-walut-exchange-rates" plugin v1.0.9 appears to be mixed, with some positive indicators but significant areas of concern. The lack of any recorded vulnerabilities or CVEs, along with the absence of critical or high severity taint flows, suggests a relatively clean history and a lack of obvious critical flaws detected by static analysis. The plugin also doesn't appear to have a large attack surface with unprotected entry points, which is a positive sign. However, the static analysis reveals serious shortcomings in output escaping, with 0% of outputs being properly escaped. This is a critical weakness that could lead to Cross-Site Scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website. Additionally, the absence of nonce checks and capability checks on the identified entry point (shortcode) is concerning, as it means any authenticated user, or potentially even unauthenticated users if the shortcode is displayed publicly, could trigger its functionality without proper authorization or validation. While the use of prepared statements for most SQL queries is a good practice, the lack of comprehensive output escaping and authorization checks on its single entry point presents a tangible risk.