Nova Blocks by Pixelgrade Security & Risk Analysis

The static analysis of nova-blocks v2.1.14 reveals a mixed security posture. While the plugin demonstrates good practices in areas like SQL query preparation, the lack of entry points like AJAX handlers, REST API routes, and shortcodes is a positive sign for reducing the immediate attack surface. However, concerns arise from the 76% output escaping rate, leaving a significant portion of outputs potentially vulnerable to Cross-Site Scripting (XSS). The presence of a file operation, though not immediately flagged as problematic, warrants closer inspection to understand its context and potential for abuse.

The plugin's vulnerability history is a significant red flag, with three known medium-severity CVEs, all of which are now patched according to the data. The common vulnerability type being Cross-Site Scripting (XSS) aligns with the static analysis finding of imperfect output escaping. The fact that the last vulnerability was in 2026 (which is in the future, likely a data entry error and should be interpreted as a recent past date) suggests a pattern of past vulnerabilities, even if they are currently addressed. This history, combined with the output escaping issues, indicates a recurring need for diligent security auditing and patching within the plugin's development lifecycle.

In conclusion, while nova-blocks v2.1.14 has strengths in its limited attack surface and SQL hygiene, the imperfect output escaping and historical XSS vulnerabilities are substantial concerns. Users should be aware of the potential for XSS if any of the unescaped outputs can be triggered by malicious input. The plugin's developers need to ensure consistent and complete output sanitization to mitigate these risks effectively.