Meks Flexible Shortcodes Security & Risk Analysis

The "meks-flexible-shortcodes" plugin version 1.3.8 exhibits a mixed security posture. While the code analysis reveals good practices such as 100% of SQL queries using prepared statements and 90% of output being properly escaped, significant concerns arise from the attack surface. The presence of an AJAX handler without authentication checks is a critical vulnerability. This directly exposes a potential entry point for malicious actors to execute arbitrary actions or access sensitive information.

The vulnerability history shows a concerning pattern of 3 known medium severity Cross-Site Scripting (XSS) vulnerabilities, with the most recent one being in June 2025. Although currently unpatched vulnerabilities are zero, the repeated occurrence of XSS indicates a persistent weakness in input sanitization or output escaping for certain data flows that were not fully captured by the static analysis. The lack of nonce checks on the identified AJAX handler further exacerbates this risk, making it easier for attackers to leverage the handler without needing user interaction.

In conclusion, while the plugin demonstrates strengths in database interaction and output encoding, the unprotected AJAX handler represents a major security flaw. Coupled with the historical prevalence of XSS, this plugin requires immediate attention. The presence of a single, unprotected entry point overshadows the otherwise good coding practices, making it a significant risk for any WordPress site.