PCF Contact Form Security & Risk Analysis

The PCF Contact Form plugin version 1.2.1 exhibits a mixed security posture. On the positive side, it has no recorded vulnerabilities (CVEs), no bundled libraries, no file operations, and no external HTTP requests, which are all good security indicators. Furthermore, all SQL queries utilize prepared statements, and there are no identified dangerous functions. However, the static analysis reveals concerning aspects. A significant portion of output (78%) is not properly escaped, posing a risk of Cross-Site Scripting (XSS) attacks, particularly given the presence of a shortcode which can be an entry point for user-supplied data. The taint analysis indicates two flows with unsanitized paths, though they are not flagged as critical or high severity. The complete absence of nonce checks and capability checks across all entry points, including the shortcode, is a major weakness, leaving the plugin vulnerable to various forms of injection and unauthorized actions if an attacker can control the input to the shortcode.