Maps from Yandex for Elementor Security & Risk Analysis

The mihdan-elementor-yandex-maps plugin, version 1.7.1, exhibits a generally strong security posture based on the provided static analysis. The absence of any dangerous functions, raw SQL queries, file operations, or external HTTP requests is a significant positive. Furthermore, all identified output operations are properly escaped, mitigating common cross-site scripting risks. The plugin also demonstrates a clean taint analysis with no unsanitized flows, which is a reassuring sign of secure coding practices in this area. The zero-count for AJAX handlers, REST API routes, shortcodes, and cron events suggests a minimal attack surface, especially with none of these being unprotected.

However, a notable concern arises from the vulnerability history, which indicates one known CVE. While this CVE is not currently unpatched, the presence of a past vulnerability, particularly one related to Cross-site Scripting, suggests that the plugin has had security weaknesses. The fact that the last vulnerability was recorded in 2025-09-29 is a temporal anomaly and should be treated with caution; assuming this date is accurate, it implies a recent historical vulnerability. The absence of capability checks and nonce checks is also a point of attention, although in the context of zero entry points, this might be less immediately critical. The plugin's reliance on Elementor likely means much of its security is inherited from the parent plugin, but direct checks within the plugin itself would further enhance its security.