Menu Per Pages Security & Risk Analysis

The "menu-per-pages" plugin v5.0 exhibits a generally strong security posture based on the provided static analysis. The absence of detected AJAX handlers, REST API routes, shortcodes, and cron events, particularly those without proper authentication or permission checks, significantly limits the attack surface. Furthermore, the code demonstrates good practices by exclusively using prepared statements for all SQL queries, mitigating the risk of SQL injection vulnerabilities. The lack of file operations and external HTTP requests further enhances its security. However, a significant concern arises from the output escaping. With three total outputs identified and none properly escaped, there is a high risk of cross-site scripting (XSS) vulnerabilities, allowing attackers to inject malicious scripts into the website. The vulnerability history is clean, with no recorded CVEs, which is a positive sign, suggesting the developers have been diligent in addressing past security issues or that the plugin hasn't historically been a target. Despite the clean history, the unescaped output remains a critical weakness that requires immediate attention.